For the second time in three months, Toll Group has become the victim of a ransomware attack that has led to the suspension of IT systems.
Melbourne, Australia-based Toll Group is a global logistics company that offers freight, warehouse, and distribution services. Toll has roughly 40,000 employees and operates a distribution network across over 50 countries.
On February 3, Toll said that IT systems had been disabled due to a malware infection, which later emerged to be the MailTo ransomware.
MailTo, also known as Netwalker, is run-of-the-mill ransomware that makes no attempt at stealth: it starts encrypting files as soon as it executes, according to Carbon Black researchers.
Ransomware remains a thorn in the side of businesses worldwide. Over the past 12 months in the United States, over 1000 companies have mentioned ransomware as a forward-looking risk factor in their SEC filings.
After recovering from the first infection and returning to normal operations, the Australian logistics firm has now, in May, been struck again -- this time by a Nefilim variant.
Discovered in March by Vitali Kremez, Nefilim is a new form of ransomware that has evolved from Nemty and is likely distributed through exposed Remote Desktop Protocol (RDP) setups.
Trend Micro says the malware uses AES-128 encryption to lock files, and that ransom payment is arranged over email rather than through the Tor network, a firm favorite among cybercriminals.
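Because exposed RDP is named above as the likely way Nefilim gets in, the check a defender wants first is whether any inbound firewall rule lets TCP/3389 be reached from sources outside an explicit allow list. The following is an added example written for this article, not code from Toll, Trend Micro or any vendor; the rule dictionaries, the trusted source ranges and the `find_exposed_rdp` helper are all constructed for illustration, and you would map a real security-group or firewall export onto the same fields before using it. It handles the cases a naive port-equality check misses: port ranges that happen to include 3389, rules for "all" protocols, IPv6 sources, and a UDP rule that does not expose RDP at all.

```python
"""Audit inbound firewall rules for RDP (TCP/3389) reachable from untrusted sources.

Added example for this article; the rule format below is a generic, constructed
representation (proto / from_port / to_port / cidr), not any vendor's schema.
"""
import ipaddress

RDP_PORT = 3389

# Assumed allow list: a corporate egress block and a VPN prefix (constructed,
# documentation ranges only). Anything reaching RDP from outside these is flagged.
TRUSTED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed sample of inbound rules. None of these are real Toll rules.
SAMPLE_RULES = [
    {"name": "web",         "proto": "tcp", "from_port": 443,  "to_port": 443,  "cidr": "0.0.0.0/0"},
    {"name": "rdp-office",  "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "203.0.113.0/24"},
    {"name": "rdp-vpn6",    "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "2001:db8:1:2::/64"},
    {"name": "rdp-any",     "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
    {"name": "wide-range",  "proto": "tcp", "from_port": 3000, "to_port": 4000, "cidr": "::/0"},
    {"name": "all-traffic", "proto": "all", "from_port": None, "to_port": None, "cidr": "198.51.100.0/22"},
    {"name": "udp-only",    "proto": "udp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
]


def rule_reaches_rdp(rule):
    """True if the rule admits TCP traffic to port 3389 (directly, via a range, or via 'all')."""
    proto = str(rule["proto"]).lower()
    if proto in ("all", "-1"):      # 'all' / -1 (AWS style) includes TCP on every port
        return True
    if proto != "tcp":              # UDP/ICMP rules cannot expose RDP
        return False
    return rule["from_port"] <= RDP_PORT <= rule["to_port"]


def source_is_trusted(cidr, trusted=TRUSTED_SOURCES):
    """True only if the whole source CIDR sits inside one of the trusted prefixes.

    The version check avoids the TypeError ipaddress raises when comparing
    an IPv4 network against an IPv6 one.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def find_exposed_rdp(rules, trusted=TRUSTED_SOURCES):
    """Return the names of rules that let untrusted sources reach RDP, in input order."""
    return [
        r["name"]
        for r in rules
        if rule_reaches_rdp(r) and not source_is_trusted(r["cidr"], trusted)
    ]


if __name__ == "__main__":
    for name in find_exposed_rdp(SAMPLE_RULES):
        print(f"EXPOSED RDP: rule '{name}'")
```

Note that a rule such as `wide-range` is the one most often missed in manual reviews: it never mentions 3389, yet 3000-4000 from `::/0` reaches RDP just as surely as an explicit rule. The allow list approach is deliberate; deciding "is this source on the public Internet" from the address alone is fragile across Python versions and ignores that a public but known range (a partner's egress) may be acceptable while an unknown one is not.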
On May 5, Toll posted an advisory that said certain IT systems had been shut down after "unusual activity" was spotted on the company's servers.
While believed to be unrelated to the previous MailTo security incident, the latest ransomware infection has resulted in a rebuild of core systems, the need to scrub infected servers clean, and the use of backups to restore files -- rather than give in to demands for payment.
"Toll has no intention of engaging with any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our network," Toll says.
A day later, Toll said in an update that some customers have been impacted, and as the MyToll portal is still offline, it is not possible to track or trace parcels. However, freight and deliveries are "largely unaffected."
The company has been forced to fall back to contingency plans and manual processes, a disruption expected to last for at least the remainder of this week.
Toll is working with the Australian Cyber Security Centre (ACSC) to investigate the incident.
Previous and related coverage
- Ransomware mentioned in 1,000+ SEC filings over the past year
- Ransomware victims are paying out millions a month. One particular version has cost them the most
- What is ransomware? Everything you need to know about one of the biggest menaces on the web
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0