Cyber Incident Victim: Petróleos Mexicanos
Date: Nov 2019
Location: Mexico
Summary
A ransomware attack targeted the Mexican state oil firm Pemex, disrupting administrative operations and causing server crashes that halted critical functions such as payment processing. The Ryuk strain encrypted files and locked systems, prompting the company to instruct employees nationwide to disconnect from its network and back up data from their hard drives. While Pemex asserted that the attack was neutralized promptly and affected fewer than 5% of its computers, employees reported significant workflow interruptions. The company confirmed that oil production, storage, and broader operations remained unaffected, characterizing the incident as one of the routine cyber threats it regularly mitigates. Internal communications indicated efforts to resolve the issue within 48 hours, though staff faced prolonged system inaccessibility during the disruption.
Description
On November 11, 2019, Mexican state oil company Pemex experienced a ransomware attack that disrupted administrative operations across the country. Internal emails and employee accounts confirmed the incident began on Sunday, November 10, when Pemex's computer center in the State of Mexico detected ransomware attempting to lock computer screens or encrypt predetermined files. The company identified the malware as Ryuk, a strain known to target organizations with annual revenues between $500 million and $1 billion. Pemex issued urgent warnings to employees nationwide via email, instructing them not to turn on their computers and to disconnect from the corporate network immediately. Critical systems for payments and administrative workflows were inaccessible by Monday, forcing staff in affected departments to halt work. Three employees reported that work "ground to a halt" because of the server crashes, which prevented access to essential functions such as payment processing. Pemex's IT teams worked to contain the incident, advising employees to back up critical information from their hard drives while attempting to restore systems within a 48-hour window.

Pemex publicly stated late on Monday that the previous day's cyber attacks had been "neutralized in a timely manner" and had affected fewer than 5% of its computers. The company emphasized that oil production, storage, and field operations remained unaffected, characterizing the incident as one of many routine cyber threats it deflects. However, internal communications and employee testimonies contradicted this assessment, revealing significant disruptions to administrative functions; a small share of affected endpoints says little about operational impact when the hosts that crashed include the servers behind payment processing. The attack compounded existing challenges for Pemex, which was concurrently managing a heavy debt burden, declining oil output, and pressure on its credit rating. No ransom demand or payment was disclosed in available reports. Recovery efforts focused on isolating compromised servers and restoring from backups, though the full timeline for resolution remained unclear at the time of reporting.
