Early Monday morning, Pemex, Mexico's state petroleum company, was hit with ransomware, bringing several critical systems to a halt. While early news reports pointed to Ryuk, an investigation of the binaries by several researchers, including Vitali Kremez, showed that the attack was carried out with DoppelPaymer, a BitPaymer lookalike. The actors behind this attack are demanding a ransom of $5 million at the end of November.
Analyst Notes
As DoppelPaymer is typically distributed through email malware such as Dridex, practicing safe internet habits, such as not running macros from untrusted sources, is a good way to stay safe from this ransomware. Additionally, performing frequent backups that are stored in a location isolated from the rest of the network (such as offline physical backups) will allow recovery of files without paying a ransom.
Sources: https://www.virustotal.com/gui/file/f77b3069cc28b8c4edbfff935dc83ee701821e529a509da7f157b5de52b39863/details
2019-11-11:🌀#DoppelPaymer #Ransomware🔒| #Signed
Digital Cert ->🇬🇧☁️[OFFERS CLOUD LTD] #Thawte
RtlComputeCrc32 | List of Processes | arp + net view | "DATA" victim key
🤔Crimeware Model: Separate BitPaymer Fork -> Diversification of Payload/Partner Model
h/t @malwrhunterteam
— Vitali Kremez (@VK_Intel) November 11, 2019
✅Pushed a #Yara hunting🏹rule for #DoppelPaymer payload -> https://t.co/yQW4VWHMCT
— Vitali Kremez (@VK_Intel) November 11, 2019
When reversed, this #DoppelPaymer contains a victim note which matches the exact note spotted by @pollo290987 for PEMEX intrusion & the uploader from Mexico possibly indicating the culprit behind.
.readme2unlock.txt
cc/ @malwrhunterteam, @BleepinComputer https://t.co/WKACqeqPcT
— Vitali Kremez (@VK_Intel) November 12, 2019
💡#DoppelPaymer Ransomware 'PEMEX' Variant | Extension |
⤵️Peculiar File Blacklist Crc32 Checksum
Example ->
V01.chk (Checkpoint file), V01.log (Transaction log),
V01res*.jrs/V01*.log (Reserved transaction logs; for clean
shutdown in emergency cases, e.g. disk full)
— Vitali Kremez (@VK_Intel) November 12, 2019
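The tweet above notes that the sample's file blacklist is stored as CRC32 checksums of file names rather than the names themselves. As an added example (not from the page or from any of the researchers quoted), here is how an analyst can map such a hashed blacklist back to readable names by hashing a candidate list; the checksum set is constructed here from the names the tweet lists, and the code assumes that RtlComputeCrc32 with a zero seed equals zlib's standard CRC-32 and that names were hashed either as-is, lower-cased or as UTF-16LE, none of which the tweet states.

```python
import zlib

# Constructed for this example: the 32-bit constants an analyst would pull out
# of a sample's blacklist table. Here they are computed from the file names in
# the tweet (lower-cased), so the lookup below is guaranteed to resolve them.
BLACKLISTED_NAMES = ["V01.chk", "V01.log", "V01res00001.jrs"]
CHECKSUMS = {zlib.crc32(n.lower().encode("utf-8")) for n in BLACKLISTED_NAMES}

# Candidate names to try: ESE/Exchange-style files plus unrelated noise.
CANDIDATES = ["V01.chk", "V01.log", "V01res00001.jrs", "V01res00002.jrs",
              "edb.chk", "ntuser.dat", "desktop.ini"]


def filename_variants(name):
    """Yield the byte forms a blacklist might have been built from.
    Assumption (not stated in the tweet): original/lower/upper case,
    as 8-bit text or as UTF-16LE (the form a Windows wide-char API sees)."""
    for s in (name, name.lower(), name.upper()):
        yield s.encode("utf-8"), "utf-8"
        yield s.encode("utf-16-le"), "utf-16-le"


def resolve_blacklist(checksums, candidates):
    """Map each CRC32 in the blacklist back to a candidate file name.
    zlib.crc32 is standard CRC-32 (IEEE 802.3); RtlComputeCrc32 with a
    zero initial value is assumed to agree. Returns {crc: (name, form)}
    for hits; checksums with no candidate match are simply absent."""
    resolved = {}
    for name in candidates:
        for raw, form in filename_variants(name):
            crc = zlib.crc32(raw) & 0xFFFFFFFF
            if crc in checksums:
                # Keep the first hit; a later collision would be a false match.
                resolved.setdefault(crc, (name, form))
    return resolved


def unresolved(checksums, resolved):
    """Checksums the candidate list could not explain (extend the list)."""
    return sorted(checksums - set(resolved))


if __name__ == "__main__":
    hits = resolve_blacklist(CHECKSUMS, CANDIDATES)
    for crc, (name, form) in sorted(hits.items()):
        print(f"0x{crc:08x} -> {name} ({form})")
    print("unresolved:", [f"0x{c:08x}" for c in unresolved(CHECKSUMS, hits)])
```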
So, looks like the DoppelPaymer sample we found yesterday (https://t.co/BEPQLTv7v1), that was seen from Mexico on the weekend, maybe related to this attack: https://t.co/mII3ND3bl0
— MalwareHunterTeam (@malwrhunterteam) November 12, 2019
Anyone from MX, could you confirm whether the rumor that PEMEX has been infected with ransomware is true? I saw some screenshots but nothing confirmed…
— _(ʘ_ʘ)_/ (@pollo290987) November 11, 2019
Thanks!!!!
Now I can say:
Ransomware attack confirmed.
Possible BitPaymer/IEncrypt ransomware involved. [Based on the portal for payments]
Extension: .locked
Ransom note: .readme2unlock
— _(ʘ_ʘ)_/ (@pollo290987) November 11, 2019