Logistics giant Toll Group hit by ransomware for the second time in three months

Toll says that it has no intention of bowing to blackmail.


For the second time in three months, Toll Group has become the victim of a ransomware attack that has led to the suspension of IT systems. 


Melbourne, Australia-based Toll Group is a global logistics company that offers freight, warehouse, and distribution services. Toll has roughly 40,000 employees and operates a distribution network across over 50 countries.  

On February 3, Toll said that IT systems had been disabled due to a malware infection, which later emerged to be the MailTo ransomware. 


MailTo, also known as Netwalker, is typical ransomware and does not even attempt to be stealthy, encrypting files at the moment of infection, according to Carbon Black researchers.  

Ransomware remains a thorn in the side of businesses worldwide. Over the past 12 months in the United States, over 1000 companies have mentioned ransomware as a forward-looking risk factor in their SEC filings.

After resolving the first ransomware infection and returning to normal operations, the Australian logistics firm has now been struck again, in May -- this time with a Nefilim variant.

Discovered in March by Vitali Kremez, Nefilim is a new form of ransomware that has evolved from Nemty and is likely distributed through exposed Remote Desktop Protocol (RDP) setups. 

Trend Micro says that the malware uses AES-128 encryption to lock files and blackmail payments are made via email rather than the Tor network, a firm favorite among cybercriminals. 

On May 5, Toll posted an advisory that said certain IT systems had been shut down after "unusual activity" was spotted on the company's servers. 


While believed to be unrelated to the previous MailTo security incident, the latest ransomware infection has resulted in a rebuild of core systems, the need to scrub infected servers clean, and the use of backups to restore files -- rather than give in to demands for payment. 

"Toll has no intention of engaging with any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our network," Toll says. 

A day later, Toll said in an update that some customers have been impacted, and as the MyToll portal is still offline, it is not possible to track or trace parcels. However, freight and deliveries are "largely unaffected."

The company has been forced to fall back to contingency plans and manual processes, a disruption expected to last for at least the remainder of this week. 


Toll is working with the Australian Cyber Security Centre (ACSC) to investigate the incident. 

In other security news this week, Wordfence warned of a hacking group that has attempted to hijack close to one million WordPress websites over the past week. The threat actors have been harnessing cross-site scripting (XSS) vulnerabilities in a bid to deploy JavaScript on compromised websites to redirect visitors to malicious domains. 
