Pemex DoppelPaymer ransomware (Mexico, 2019)
DoppelPaymer ransomware paralysed corporate IT systems at Mexican state oil company Pemex, freezing payments and communications for weeks. Attackers demanded 565 BTC (~$5M). Pemex refused to pay; total recovery cost reached approximately $71 million.
- Victim: Petróleos Mexicanos (Pemex)
- Loss: $71.0M
In November 2019, the Mexican state oil company Petróleos Mexicanos (Pemex) was hit by DoppelPaymer ransomware, which paralysed corporate IT systems for weeks. The attackers demanded 565 BTC (~$5 million). Pemex refused to pay; total recovery costs reached approximately $71 million.
What happened
The attack was detected on 10 November 2019. Pemex took computers offline across Mexico, halting payment processing and freezing key administrative communications. Internal emails initially mislabelled the malware as Ryuk; a public ransom note pointing to a darknet site clarified the family as DoppelPaymer, which was at the time a relatively new but already prolific ransomware operation.
DoppelPaymer's demand was 565 BTC (about $4.9 million at then-current prices), with a 48-hour deadline. On 13 November Pemex publicly stated it would not pay.
Oil production itself continued during the incident — Pemex's industrial operational-technology (OT) systems were architecturally separate and were not implicated. The blast radius was confined to corporate IT: email, payment processing, document management. Even so, the company reported cleanup costs of approximately $71 million, with only a small fraction covered by insurance.
Impact
- Corporate IT paralysed for weeks; payment processing froze.
- Operational-technology systems unaffected — oil production continued.
- No ransom paid (~$5M demand declined).
- Approximately $71 million in cleanup costs.
- Among the highest-profile no-pay decisions in critical-infrastructure ransomware history at the time.
Why it matters
Pemex is a foundational reference case for DoppelPaymer's shift from purely commercial victims toward high-value state-owned targets. It is also a strong early example of how IT/OT segmentation can keep ransomware out of safety-critical industrial control systems while the same intrusion still does tens of millions of dollars of corporate damage.
Financial impact
Reported costs in USD
- Remediation: $71.0M
Timeline
- 10 November 2019: Pemex detects ransomware activity across corporate systems. Computers are taken offline nationwide; payment processing freezes.
- Following detection: a ransom note pointing to a darknet site demands 565 BTC (~$4.9M) with a 48-hour deadline. The note is consistent with the DoppelPaymer ransomware family (initially mislabelled internally as Ryuk).
- 13 November 2019: Pemex publicly states it will not pay the ransom.
- Following weeks: communications and administrative systems remain degraded; oil production continues because operational-technology systems are not implicated. Cleanup costs reach approximately $71 million.
Sources
- industryweek.com: https://www.industryweek.com/technology-and-iiot/article/22028585/a-hacker-wants-about-5-million-in-ransom-from-pemex-by-end-of-november
- insurancejournal.com: https://www.insurancejournal.com/news/international/2019/11/13/548252.htm
- bankinfosecurity.com: https://www.bankinfosecurity.com/ransomware-mexican-oil-firm-reportedly-refuses-to-pay-up-a-13404
- controleng.com: https://www.controleng.com/throwback-attack-hackers-demand-5-million-from-mexican-oil-and-gas-giant-in-pemex-cyberattack/