For the second time in three months, the Toll Group has been the target of a ransomware attack that resulted in the suspension of IT systems.
The Toll Group, based in Melbourne, Australia, is a global logistics company offering freight, warehouse and distribution services. Toll has nearly 40,000 workers and operates a distribution network spanning more than 50 countries.
On February 3, Toll said that IT systems had been disabled due to a malware infection that was later identified as MailTo ransomware.
MailTo, also known as Netwalker, is a typical ransomware strain and makes no attempt at stealth, encrypting files immediately upon infection, according to Carbon Black researchers.
Ransomware remains a thorn in the side of corporations around the world. Over the past 12 months in the United States, over 1000 companies have identified ransomware as a forward-looking risk factor in their SEC filings.
After overcoming the first ransomware attack and returning to regular service, the Australian logistics company was hit again in May — this time with the Nefilim version.
Discovered in March by Vitali Kremez, Nefilim is a new type of ransomware that has developed from Nemty and is likely to be spread via exposed Remote Desktop Protocol (RDP) setups.
2020-03-14:🆕🔥#NEFILIM #Ransomware | #Signed
🇦🇺 [Inter Med Pty. Ltd.] #Signed
Nemty Fork Project | Slightly Altered Crypto | “rsa public” Crypto Part
🤔Pursues Project Revenue Stream Outside of Nemty RaaS
Reference (ht/ @malwrhunterteam) ->https://t.co/b6OVW56Y0l pic.twitter.com/jM3mILvWBx
— Vitali Kremez (@VK_Intel) March 14, 2020
Trend Micro says that the malware uses AES-128 encryption to lock files, and that extortion payments are made via email rather than the Tor network, a firm favorite among cyber criminals.
On May 5, Toll released an advisory claiming that some IT systems had been shut down after “unusual behavior” had been found on the company’s servers.
Although assumed to be unrelated to the previous MailTo security incident, the current ransomware attack forced the company to restore core systems, clean up compromised servers, and recover files from backups rather than give in to payment demands.
“Toll has no intention of dealing with any ransom requests, and at this point there is no evidence to indicate that any data has been extracted from our network,” Toll says.
A day later, Toll said in an update that some customers have been affected, and because the MyToll portal is still down, it is not possible to track or trace parcels. However, freight and deliveries are “largely unchanged.” The company has been forced to resort to contingency plans and manual procedures, which are expected to continue for at least the remainder of this week.
Toll is collaborating with the Australian Cyber Security Centre (ACSC) to investigate the incident.