Oil giant Pemex falls victim to $5m ransomware in attack linked to gang behind Dridex

Pemex falls victim to DoppelPaymer ransomware linked with same group that was behind Dridex and BitPaymer

Pemex, one of the world's biggest oil companies, has fallen victim to a ransomware attack.

The $120 billion revenue Mexican oil major claims that the attackers demanded 565 bitcoin in payment, equating to around $5 million. It was forced to shut down a number of IT systems across the board over the weekend in response, but refused to pay up within the 48 hours demanded by the attackers.

Pemex has so far refused to confirm or deny the reports.

According to Reuters, which claims to have seen evidence from inside the company, Pemex has been hit with the DoppelPaymer ransomware, a fork of the BitPaymer ransomware picked up by security firm CrowdStrike in July this year. Previous victims include the Chilean Ministry of Agriculture.

Reuters also claims to have had contact with the gang behind the malware. They claimed that Pemex missed the deadline for the "special price" for prompt payment, but added that a new deadline had been set.

Both BitPaymer and DoppelPaymer are linked to the same gang that was behind the GameOver Zeus criminal network, which is responsible for the notorious Dridex ransomware.

According to CrowdStrike, DoppelPaymer shares most of its code with BitPaymer and is the work of a group called Indrik Spider. This group was formed in 2014 by former affiliates of the GameOver Zeus criminal network, who preferred to refer to themselves as 'The Business Club'.

"Early versions of Dridex were primitive, but over the years the malware became increasingly professional and sophisticated. In fact, Dridex operations were significant throughout 2015 and 2016, making it one of the most prevalent eCrime malware families," notes CrowdStrike.

Indrik Spider, adds CrowdStrike, had been affected by a UK law enforcement operation in 2015 and 2016 that led to the arrest and conviction of a Barclays bank employee who had been assisting the group with money laundering.

That followed a campaign by the group, believed to be based in Russia, that had targeted British banks and financial institutions.

BitPaymer was first identified in August 2017, but since July 2018 the group has shifted its tactics from demanding a Bitcoin payment upfront to simply providing two email addresses through which it negotiates with victims.

The gang behind DoppelPaymer, meanwhile, has adopted a similar strategy, except that it uses a URL to a Tor-based payment portal, according to CrowdStrike.

There have also been reported links between the gang behind Dridex and Magecart Group 5, which has been behind several attacks on the payment pages of ecommerce websites.