Mexico’s state-owned oil company Pemex has been hit by a ransomware attack that’s seen extortionists demand 565 BTC (around $4.9 million) to decrypt its files.
The attack has reportedly forced Pemex (Petróleos Mexicanos) to halt critical operations and to disconnect 5% of its network from the internet. Workers, according to Bloomberg, reported internal memos initially told them not to turn on their computers, although they were turned on later on.
On Twitter, Pemex posted a statement claiming its operations aren’t being disrupted, although some replied claiming systems are down and causing disruptions:
📌Pemex opera con normalidad. pic.twitter.com/IF7kf6VIEk— Petróleos Mexicanos (@Pemex) November 12, 2019
According to Bleeping Computer Pemex wasn’t affected, as initially thought, by the Ryuk ransomware, but by a DoppelPaymer infection, which is a fork of the BitPaymer infected that earlier this month infected Spain’s largest radio network.
In leaked ransom notes and on the Tor payment site, the ransomware extortionists reportedly ask Pemex for a total of 565 bitcoin (around $4.94 million) to give them a way to decrypt its files and stop the attack. The payment site explains the price is set according to “network size, number of employees, annual revenue.”
The attackers also give the victim a chance to negotiate with them a different amount, either via email or via an online chat function available on the website. Bleeping Computer reports the online chat on the payment site is empty, which means Pemex didn’t attempt to negotiate the ransom.