Pemex computers still locked out, $5 million demanded by hacker
Mexico's Pemex Oil Suffers Ransomware Attack, $4.9 Million Demanded
Hacking group suggests they are behind previous attack in U.S.
Cybersecurity firms link attack to DoppelPaymer malware
By Amy Stillman, William Turton, and Alyza Sebenius / Bloomberg
MEXICO CITY/NEW YORK/WASHINGTON
Petroleumworld 11 14 2019
The hacker behind a cyberattack that has crippled Petroleos Mexicanos 's computer systems since the weekend is hoping to squeeze almost $5 million out of the company and appears to have set a deadline of Nov. 30.
Pemex has other ideas, saying it won't pay the ransom and hopes to solve the cyberattack problem today, according to comments made by Mexico energy minister Rocio Nahle on Wednesday.
Those comments were among the latest in an unfolding drama that has pitted the Mexican oil giant against an unknown hacker who uses the name “Joseph Atkins” in an email address -- almost surely a pseudonym. Responding to an email from Bloomberg News, the person declined to comment about Pemex until Nov. 30, the end of a three-week deadline.
The person also said his group's hacks aren't limited to the oil sector and suggested they were responsible for a previous cyberattack on Roadrunner Transportation Systems Inc., which is based in Wisconsin and offers truck freight transportation services. “They did not pay and recovered themselves, and left us GB's of their data,” the person said, in broken English. The person also confirmed that the group was seeking 565 Bitcoins, which is roughly equivalent to $4.8 million.
The email address was obtained from a message to a Pemex employee requesting the ransom money, which was viewed by Bloomberg News. “The faster you get in contact, the lower price you can expect,” it said.
Pemex declined to comment on whether the hackers imposed a deadline. The company said in a statement earlier this week that operations were normal after it was subjected to cyberattacks Nov. 10 that affected less than 5% of personal computing devices.
The cyberattack highlights the growing epidemic of attacks against global companies that turn their own vulnerable IT systems against them – in this case by hijacking data they need to function. While some companies resist, others quietly pay, often on advice of security experts, fueling further attacks.
In this case, the hackers have also struck at a potent symbol of Mexican national pride that has fallen on hard times. Pemex, once a driving force of the country's economic health, faces almost 15 years of output declines and more than $100 billion of debt, the highest of any oil company. In one recent sign of the oil giant's vulnerability, Fitch Ratings Inc. in June cut Pemex's bond rating to junk.
“There has to be some changes if they want to keep the market calm after these attacks,” said Mario Ahumada, a senior analyst of energy and infrastructure for risk consultancy EMPRA in Mexico City.
On Wednesday, some Pemex employees were still locked out of their computers and told not to log on to the company's Wi-Fi network, according to two people familiar with the situation. Pemex personnel have been busy since Tuesday wiping infected computers and installing software patches, said one of the people.
Pemex is relying on manual billing that could affect payment of personnel and suppliers and hinder supply- chain operations, the people said, asking not to be identified because they aren't authorized to speak to the press. Invoices for fuel to be delivered from Pemex's storage terminals to gasoline stations are being written by hand, and Pemex employees fear that if the problem isn't resolved they won't get paid on Nov. 27, when their next paycheck is due.
Neither Pemex or Mexican authorities have identified the type of malware used in the attack. However, there are indications that it may be a strain known as DoppelPaymer, according to cybersecurity firm Crowdstrike Inc. The firm first saw DoppelPaymer deployed in June attacks, according to Adam Meyers, the company's vice president of intelligence. Crowdstrike had previously connected the Joseph Atkins email to DoppelPaymer attacks.
The cybersecurity company Coveware, Inc. also connected the attack to DoppelPaymer after reviewing the ransom note and the email associated with it, which was posted online, according to Bill Siegel, the chief executive officer and co-founder. He said that the “scope and nature” of the attack is consistent with DoppelPaymer attacks, which typically target large enterprises.
Roadrunner declined to comment. The company has previously disclosed that its systems were breached in 2018. In a letter addressed to the New Hampshire attorney general, Roadrunner's lawyer said a hacker had gained access to Workday, the company's HR management platform, by sending phishing emails to its employees. Workday contained the private information of Roadrunner employees, including their name, address, Social Security number and payroll information. Roadrunner offered free credit monitoring to its employees as a result of the hack.
In a letter to its affected employees, Roadrunner said that the hacker modified the direct deposit information of some of its employees, but detected the changes before any funds had been transferred.It wasn't clear if the 2018 breach at Roadrunner was the same one referenced by the person claiming to be involved in the Pemex hack.
— With assistance by Michael Riley, and Cyntia Aurora Barrera Diaz
Story by Amy Stillman, William Turton, and Alyza Sebenius from Bloomberg.
bloomberg.com / 11 13 2019
We invite you to join us as a sponsor.Circulated Videos, Articles, Opinions and Reports which carry your name and brand are used to target Entrepreneurs through our site, promoting your organization’s services. The opportunity is to insert in our stories pages short attention-grabbing videos, or to publish your own feature stories.________________________
Copyright© 1999-2019 Petroleumworld or respective author or news agency. All rights reserved.
We welcome the use of Petroleumworld™ (PW) stories by anyone provided it mentions Petroleumworld.com as the source.
Other stories you have to get authorization by its authors. Internet web links to http://www.petroleumworld.com are appreciated.
Petroleumworld welcomes your feedback and comments, share your thoughts on this article, your feedback is important to us!
We invite all our readers to share with us
their views and comments about this article.Write to firstname.lastname@example.org
By using this link, you agree to allow PW
to publish your comments on our letters page.
Any question or suggestions,
please write to: email@example.com
Best Viewed with IE 5.01+ Windows NT 4.0, '95,
'98,ME,XP, Vista, Windows 7,8,10 +/ 800x600 pixels