The hacker behind a cyberattack that has crippled Petroleos Mexicanos’s computer systems since the weekend is hoping to squeeze almost $5 million out of the company and appears to have set a deadline of Nov. 30.
Pemex has other ideas, saying it won’t pay the ransom and hopes to solve the cyberattack problem today, according to comments made by Mexico energy minister Rocio Nahle on Wednesday.
Those comments were among the latest in an unfolding drama that has pitted the Mexican oil giant against an unknown hacker who uses the name “Joseph Atkins” in an email address — almost surely a pseudonym. Responding to an email from Bloomberg News, the person declined to comment about Pemex until Nov. 30, the end of a three-week deadline.
The person also said his group’s hacks aren’t limited to the oil sector and suggested they were responsible for a previous cyberattack on Roadrunner Transportation Systems Inc., which is based in Wisconsin and offers truck freight transportation services. “They did not pay and recovered themselves, and left us GB’s of their data,” the person said, in broken English. The person also confirmed that the group was seeking 565 Bitcoins, which is roughly equivalent to $4.8 million.
The email address was obtained from a message to a Pemex employee requesting the ransom money, which was viewed by Bloomberg News. “The faster you get in contact, the lower price you can expect,” it said.
Growing Epidemic
Pemex declined to comment on whether the hackers imposed a deadline. The company said in a statement earlier this week that operations were normal after it was subjected to cyberattacks Nov. 10 that affected less than 5% of personal computing devices.
The cyberattack highlights the growing epidemic of attacks against global companies that turn their own vulnerable IT systems against them – in this case by hijacking data they need to function. While some companies resist, others quietly pay, often on advice of security experts, fueling further attacks.
In this case, the hackers have also struck at a potent symbol of Mexican national pride that has fallen on hard times. Pemex, once a driving force of the country’s economic health, faces almost 15 years of output declines and more than $100 billion of debt, the highest of any oil company. In one recent sign of the oil giant’s vulnerability, Fitch Ratings Inc. in June cut Pemex’s bond rating to junk.
“There has to be some changes if they want to keep the market calm after these attacks,” said Mario Ahumada, a senior analyst of energy and infrastructure for risk consultancy EMPRA in Mexico City.
Locked Out
On Wednesday, some Pemex employees were still locked out of their computers and told not to log on to the company’s Wi-Fi network, according to two people familiar with the situation. Pemex personnel have been busy since Tuesday wiping infected computers and installing software patches, said one of the people.
Pemex is relying on manual billing that could affect payment of personnel and suppliers and hinder supply-chain operations, the people said, asking not to be identified because they aren’t authorized to speak to the press. Invoices for fuel to be delivered from Pemex’s storage terminals to gasoline stations are being written by hand, and Pemex employees fear that if the problem isn’t resolved they won’t get paid on Nov. 27, when their next paycheck is due.
Neither Pemex nor Mexican authorities have identified the type of malware used in the attack. However, there are indications that it may be a strain known as DoppelPaymer, according to cybersecurity firm Crowdstrike Inc. The firm first saw DoppelPaymer deployed in June attacks, according to Adam Meyers, the company’s vice president of intelligence. Crowdstrike had previously connected the Joseph Atkins email to DoppelPaymer attacks.
The cybersecurity company Coveware, Inc. also connected the attack to DoppelPaymer after reviewing the ransom note and the email associated with it, which was posted online, according to Bill Siegel, the chief executive officer and co-founder. He said that the “scope and nature” of the attack is consistent with DoppelPaymer attacks, which typically target large enterprises.
Roadrunner Breach
Roadrunner declined to comment. The company has previously disclosed that its systems were breached in 2018. In a letter addressed to the New Hampshire attorney general, Roadrunner’s lawyer said a hacker had gained access to Workday, the company’s HR management platform, by sending phishing emails to its employees. Workday contained the private information of Roadrunner employees, including their name, address, Social Security number and payroll information. Roadrunner offered free credit monitoring to its employees as a result of the hack.
In a letter to its affected employees, Roadrunner said that the hacker modified the direct deposit information of some of its employees, but that it detected the changes before any funds had been transferred. It wasn’t clear if the 2018 breach at Roadrunner was the same one referenced by the person claiming to be involved in the Pemex hack.