Through a press release, Pemex reported that at least five percent of computer equipment was damaged because of hacking.
The group of analysts MalwareHunter Team announced the amount that cyber attackers requested from Pemex to free them from the ransomware that suffers since November 10.
The computer forensic team MalwareHunter Team tracked the screenshots shared by the firm's employees on social networks, and revealed that they managed to open a negotiation and payment window, where cyber attackers requested 565 bitcoins, or 4.9 million dollars, to release the affected computers from the oil company.
The negotiation window is part of the instructions sent by hackers to a company attacked with 'Doppel Paymer' ransomware so that it can pay its ransom, such as a deposit or transfer line. Ransomware consists of a group of cyberattackers entering the network of a company or person and taking control of their computer equipment. Afterwards, it does not let them in unless they pay a ransom, as in a kidnapping.
The hackers gave Pemex 48 hours to make the payment. However, MalwareHunter Team warns that this negotiation window is empty, indicating that payment was not made. Several analysts consulted by Expansión state that, if this was not negotiated, the only thing the company could have done to reactivate the computers would be to disconnect and reinstall from scratch, although this does not guarantee that another attack will not occur later.
Pemex declined to comment.
"We know that even if we pay the ransom, there is a chance that the malware will not be removed and that weeks later an attack may occur again. The system is already open and there are risks even at restoration points," said Andrés Velázquez, a computer forensic expert and general manager of Mattica. "Once a system is infected, there's not much else that can be done, but there's a lot of work to be done on prevention. Unfortunately, what we have seen from this government is that the issues of cybersecurity strategies are not a priority," he says.
Pemex employees denounce "computer kidnapping".
Several Pemex workers reveal, under the condition of anonymity, that the cyber attack is larger than the company has reported.
According to these corporate employees, most of the company's computers are affected, not just 5%, as detailed by the oil company. For example -always according to these employees-, there are areas where five out of seven computers are affected, and the situation is replicated nationwide, including the computers of the Pemex Tower, in addition to the equipment installed in remote offices of oil zones such as Poza Rica and Villahermosa.
"On Sunday, whats of the workgroups began to arrive, that the equipment was disconnected because there was a virus that was entering the machines that were on and connected to the network," said one of the workers. The IT managers, he adds, reported that this is malware that gets into the machines and encrypts the data, preventing access to them.
At the Antonio M. Amor refinery in Salamanca, since Sunday the administrative operation has been stopped due to the lack of a computer system, say several employees. The workers point out that the cyber technicians talk about an attack on the entire Pemex system, and that many important files are compromised. In addition, there are compromised issues of payroll and marketing both national and international, plus databases of suppliers, staff or debts, etc etc. etc.. The oil company has carried out a census of which machines were infected. "Here in Salamanca, they are not even using the telephones, because they were also on the network. They are transmitting data by radio and working with paper backups," says one employee.
"It seems that it was malware that arrived because someone did not take the necessary care and executed it, but this is undoubtedly a wake-up call to review the investment in cybersecurity and training and to form a robust response team," says Rodrigo Orenday, a lawyer and security specialist at Santamarina y Steta.
Other red spots
Since 2017, cybersecurity reports from the Organization of American States (OAS) put Mexico in the top 5 countries within the organization with the least preparation to face a cyberattack on its critical infrastructure.
"Without a doubt, this is a wake-up call, and not only for Pemex, but for other public and private companies and those who manage critical infrastructure. We have information that other sectors have been affected, especially private sectors," says Mattica's Andrés Velázquez.