Toll confirms ransomware behind IT shutdown


Australian logistics and delivery firm Toll on Tuesday confirmed it took core IT systems offline to mitigate a “targeted ransomware” attack.

Toll on Monday revealed it took IT systems offline to contain a cyberattack but on Tuesday released another statement confirming it was hit by ransomware.

Toll Group’s logistics network spans 1,200 locations in over 50 countries. The company has taken down systems across multiple sites and business units.

In Tuesday’s update it said it was still servicing customers through a combination of manual and automated processes across its global operations. It also admitted that some customers were experiencing a delay or disruption. 

Toll’s processing centers continue to operate pickup, processing and dispatch services, but at reduced speeds.

The company’s online booking system MyToll has also been temporarily disabled but customers can still communicate with staff through its call centers. 

“We can confirm the cyber security incident is due to a targeted ransomware attack which led to our decision to immediately isolate and disable some systems in order to limit the spread of the attack,” Toll said in Tuesday’s statement.

Toll says it hasn’t found evidence to suggest that personal data has been “lost” in the attack. 

Several ransomware gangs, including Maze and Zeppelin, have started to steal a target’s data before encrypting files, sometimes threatening to leak sensitive data if the ransom is not paid.    

Toll says it discovered the attack on Friday 31 January after which it disabled affected systems and initiated an investigation.

“We’re working with relevant authorities and have referred the matter to the appropriate bodies for criminal investigation. In the meantime, we’ll continue to work to our current processes in order to meet the needs of our customers,” Toll said. 

The ransomware attack on Toll came as UK currency exchange Travelex finally restored its online book system after taking the site offline on New Year’s Eve to contain a REvil ransomware infection.  

French industrial giant Bouygues on Friday reported Bouygues Construction’s computers were infected with ransomware.

The FBI last week sent an advisory to US businesses warning them about Maze ransomware and the threat of data theft combined with file encryption.

“From its initial observation, Maze used multiple methods for intrusion, including the creation of malicious look-a-like cryptocurrency sites and malspam campaigns impersonating government agencies and well-known security vendors,” says the FBI in an advisory obtained by CyberScoop.

“In a late November 2019 attack, Maze actors threatened to publicly release confidential and sensitive files from a US-based victim in an effort to ensure ransom payment.”


Copyright © 2020 IDG Communications, Inc.
