Australian Delivery Firm Confirms Ransomware Attack
Toll Group Attempts to Restore Systems; Some Deliveries Delayed
Australian transportation and logistics firm Toll Group has confirmed that it sustained a ransomware attack earlier this month that forced the company to shut down several systems and led to delays in deliveries across the country.
While Toll Group continues to recover from the ransomware attack that started Jan. 31, the firm has now deliberately shut down several systems, including customer-facing applications, as a precautionary measure to ensure that the malware does not spread, according to a statement released Tuesday. Company officials say no personal data has been compromised.
Toll Group, which is owned by Japan Post, has operations in over 50 countries and about 40,000 employees worldwide. The company does not plan to pay the ransom and is not engaging with the attackers, according to the Australian Financial Review.
On Wednesday, Toll Group reported that many of its systems were returning to normal operations and freight deliveries were being made.
"Based on a combination of automated and manual processes instituted in place of the affected IT systems, freight volumes are returning to usual levels," company officials said Wednesday. "We have also increased staffing at our contact centers to assist with customer service. Notwithstanding the fact that services are being provided largely as normal, some customers are experiencing delays or disruption, and we’re working to address these issues as we focus on bringing our regular IT systems back online securely."
Toll Group identified the ransomware as a variant called Mailto, which is also called Netwalker.
"We have shared samples of the relevant variant with law enforcement, the Australian Cyber Security Center, and cybersecurity organizations to ensure the wider community is protected," the company says.
Mailto is one of several ransomware-as-a-service variants that cybercriminals have used over the last year to target large and small enterprises, with attackers sometimes demanding as little as $1,500 for a decryption tool, according to security firm Coveware (see: Ryuk and Sodinokibi Surge as Ransom Payments Double).
The ransomware, which was first spotted in August 2019, has proven effective against some large-scale targets, says Brett Callow, threat analyst at the security firm Emsisoft.
"At this point in time, we've seen no evidence of there being a new variant, which is something we typically discover very quickly," Callow tells Information Security Media Group.
Since the ransomware attack against Toll Group first surfaced on Feb. 1, over 1,000 of the company's servers have been infected, and staff worldwide have been told to leave desktops and laptops switched off and disconnected from the corporate network, according to ITNews, which cited company sources.
In addition, ITNews reported that the company's Active Directory, productivity and corporate VPN applications were also affected and had been taken offline during the recovery period.
Customers Take to Twitter
Over the weekend and through the first part of this week, customers began taking to Twitter and other social media platforms to raise concerns about deliveries being delayed. Some criticized the company for not informing them about the attack as soon as it was discovered and for not providing regular updates.
"Hi @Toll_Group, I appreciate this is a tricky time - we've been in the dark for 3 days and I have some time critical shipments needing Customs clearance. Any status update?" — joyya (@joyyaworld) February 4, 2020
In its statements, Toll Group explained that several customer-facing applications had been impacted as a result of the attack and that it was using a combination of manual and automated processes to meet customer needs.
Since the start of this year, ransomware has hit several targets across the globe.
For example, London-based currency exchange firm Travelex sustained a two-week shutdown after its systems were hit by the Sodinokibi ransomware gang. The hackers downloaded and encrypted sensitive customer data and asked Travelex for approximately $6 million in ransom (see: Currency Exchange Travelex Held Hostage by Ransomware Attack).
While that ransomware attack has been contained, the BBC reported Monday that Travelex is still struggling to restore customer services.
In its analysis published in December, Coveware researchers found that the average payouts for ransomware attacks are increasing, despite warnings from the FBI and other law enforcement agencies not to pay the attackers.
In the last quarter of 2019, the average ransom payment increased by 104 percent to $84,116 compared with the third quarter, according to Coveware. The researchers say that in Q4 they saw a trend of hackers exfiltrating data from victims and threatening to release it if the ransom was not paid.