The claim made by the Mexican state-owned petroleum corporation Pemex that it had recovered from a Nov. 10 cyberattack was met with some skepticism, as published reports indicate the attack may be still affecting the company.

Pemex stated it had suffered a cyberattack that impacted about five percent of its computer equipment, but managed to contain the problem and is now operating normally. The company did not say what type of attack transpired, but emails obtained by Reuters point toward Pemex being hit with Ryuk ransomware. Cybercriminals are known to use Ryuk to target large enterprises.

“Petróleos Mexicanos operates normally. The operation of the operation and production systems of the company are not compromised,” according to a translation of a company statement.

Reuters said the attackers demanded a $4.9 million ransom and that the company had 48 hours to make a decision. The news agency also reported that Pemex employees were told to disconnect their computers from the internet and back up their data.

Attacks on oil companies are not unusual, said Peter Goldstein, CTO and co-founder of Valimail. In September 2019, Valimail observed evidence of an email-based spearphishing campaign impersonating a subset of major Middle Eastern oil producers, he told SC Media.

“Because spearphishing is the vehicle for about 90 percent of cyberattacks, and is the preferred vector used by the Ryuk ransomware that hit Pemex, this strongly suggests that oil producers worldwide are being targeted,” Goldstein said.

Thomas Hatch, CTO and co-founder of SaltStack, is not certain Pemex officials are being completely honest and may be just trying to put the best face on the situation. Additionally, without more information being made public it’s difficult to determine the level of recovery, he said.

“Typically, a small response like this is a red herring. It is a company attempting to let people know that things are ‘under control.’ The reality here is that a breach that has hit ‘five percent of systems’ of a major company means that the breach has gotten very deep into the infrastructure. This statement strongly suggests that the breach is deep,” Hatch told SC Media.

However, if Pemex has truly fought off and bounced back from the attack, then it’s an indication that the company exercises good cybersecurity practices, said Fausto Oliveira, principal security architect at Acceptto.

“Recovering five percent of their environment without incurring lateral movement of the malware is a good sign that they followed proper containment steps,” he said.

Terence Jackson, Thycotic’s CISO, postulated that the company, wisely, is using EDR (endpoint detection and response) tools and had in place a layered defense to recover.

“Endpoint Detection and Response tools have replaced traditional signature based anti-virus tools in the enterprise. These EDR tools… allow rapid detection, isolation and even sometimes remediation when ransomware is detected. It’s likely that Pemex is using EDR in its environment, which would be in alignment with a rapid detection and recovery,” he said.