Hacker Seeks About $5 Million Ransom From Pemex by Nov. 30

Tanker trucks at storage and dispatch terminal of Petroleos Mexicanos
Tanker trucks wait at the storage and dispatch terminal of Petroleos Mexicanos. (Felix Marquez/Associated Press)

[Stay on top of transportation news: Get TTNews in your inbox.]

The hacker behind a cyberattack that has crippled Petroleos Mexicanos’ computer systems since the weekend is hoping to squeeze about $5 million out of the company and appears to have set a deadline of Nov. 30.

Pemex had other ideas, saying it won’t pay the ransom and hoped to solve the cyberattack problem Nov. 13, according to comments made by Mexico energy minister Rocio Nahle.

Those comments were the latest in an unfolding drama that has pitted the Mexican oil giant against an unknown hacker who uses the name “Joseph Atkins” in an email address — almost surely a pseudonym. Responding to an email from Bloomberg News, the person declined to comment about Pemex until Nov. 30, the end of a three-week deadline.

The person also said his group’s hacks aren’t limited to the oil sector and suggested they were responsible for a previous cyberattack on Roadrunner Transportation Systems Inc., a truck freight transportation services company based in Wisconsin. “They did not pay and recovered themselves, and left us GBs of their data,” the person said, in broken English.

The email address was obtained from a message to a Pemex employee requesting the ransom money, which was viewed by Bloomberg News. “The faster you get in contact, the lower price you can expect,” it said.

Potent Symbol

Pemex declined to comment on whether the hackers imposed a deadline. The company said in a statement earlier this week that operations were normal after it was subjected to cyberattacks Nov. 10 that affected less than 5% of personal computing devices.

The cyberattack highlights the growing epidemic of attacks against global companies that turn their own vulnerable IT systems against them — in this case by hijacking data they need to function. While some companies resist, others quietly pay, often on advice of security experts, fueling further attacks.

In this case, the hackers also have struck at a potent symbol of Mexican national pride that has fallen on hard times. Pemex, once a driving force of the country’s economic health, faces almost 15 years of output declines. In one recent sign of the oil giant’s vulnerability, Fitch Ratings Inc. in June cut Pemex’s bond rating to junk.

“There has to be some changes if they want to keep the market calm after these attacks,” said Mario Ahumada, a senior analyst of energy and infrastructure for risk consultancy EMPRA in Mexico City.

Roadrunner Breach

Roadrunner didn’t immediately respond to a request for comment.

The company has previously disclosed that its systems were breached in 2018. In a letter addressed to the New Hampshire attorney general, Roadrunner’s lawyer said a hacker had gained access to Workday, the company’s HR management platform, by sending phishing emails to its employees. Workday contained the private information of Roadrunner employees, including their name, address, Social Security number and payroll information. Roadrunner offered free credit monitoring to its employees as a result of the hack.


In a letter to its affected employees, Roadrunner said that the hacker modified the direct deposit information of some of its employees, but detected the changes before any funds had been transferred.

It wasn’t clear if the 2018 breach at Roadrunner was the same one referenced by the person claiming to be involved in the Pemex hack.

Roadrunner ranks No. 17 on the Transport Topics Top 100 list of the largest for-hire carriers in North America.

Locked Out

On Nov. 13, some Pemex employees were still locked out of their computers and told not to log on to the company’s Wi-Fi network, according to two people familiar with the situation. Pemex personnel have been busy since Nov. 12 wiping infected computers and installing software patches, said one of the people.

Pemex is relying on manual billing that could affect payment of personnel and suppliers and hinder supply-chain operations, the people said, asking not to be identified because they aren’t authorized to speak to the press. Invoices for fuel to be delivered from Pemex’s storage terminals to gasoline stations are being written by hand, and Pemex employees fear that if the problem isn’t resolved they won’t get paid Nov. 27, when their next paycheck is due.

Neither Pemex nor Mexican authorities have identified the type of malware used in the attack. However, there are indications that it may be a strain known as DoppelPaymer, according to cybersecurity firm Crowdstrike Inc. The firm first saw DoppelPaymer deployed in June attacks, according to Adam Meyers, the company’s vice president of intelligence. Crowdstrike had previously connected the Joseph Atkins email to DoppelPaymer attacks.

The cybersecurity company Coveware Inc. also connected the attack to DoppelPaymer after reviewing the ransom note and the email associated with it, which was posted online, according to Bill Siegel, the chief executive officer and co-founder. He said that the “scope and nature” of the attack is consistent with DoppelPaymer attacks, which typically target large enterprises.

Pemex’s ransomware attack — in which systems are frozen by hackers until a ransom is paid — is the latest cybersecurity incursion to hit the commodities industry. Payment problems could disrupt a supply chain that stretches across fuel retailers, global trading companies, oil industry servicers and trucking firms.

Want more news? Listen to today's daily briefing: