Update: Toll says IT systems infected by new variant of ‘Mailto’ ransomware


Australian logistics and delivery firm Toll has confirmed the ransomware attack that forced it to take its IT systems offline was a new variant of the Mailto ransomware.

Toll Group took some key IT systems offline last Friday after detecting the cyber attack and has gradually released more information about the attack and its impact, confirming on Monday that it was a ransomware attack. The latest update confirms its systems were infected by the Mailto ransomware.

Toll says it has shared samples of the Mailto variant with local law enforcement and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), as well as other cyber security organisations. 

However, researchers at Malware Hunter Team suggested the new variant of Mailto could be a re-packaged version of a strain of ransomware called Netwalker. 

The impact of the attack appears to be severe, causing the company to disable its MyToll online booking system and revert to manual processes for some parts of delivery and parcel operations. 

Toll Group’s logistics network spans 1,200 locations in over 50 countries and it has annual revenues of nearly $8bn. 

The company previously said it took down IT systems across multiple sites and business units to mitigate the attack, but has now clarified its business continuity response meant that “many” of its global customers can now access its freight, parcel, warehousing and logistics, and forwarding operations services. 

According to Toll, the blend of automated and manual processes to cover for affected IT systems has helped freight levels return to “usual levels”. 

The company has also boosted staffing at contact centers to handle increased call levels from customers who rely on its call centers for affected online services.

Despite achieving “normal” service levels with extra labor, Toll admitted that some customers are still experiencing delays or disruptions.

Toll said it had still not found any evidence that personal data had been stolen due to the ransomware attack.

“We continue to monitor this as we work through a detailed investigation,” it said.

It’s too early to tell how much the ransomware attack will cost Toll Group in repairs, lost revenues and supply chain disruptions, but it comes at a bad time for the Japan Post-owned company, which reported a loss of $133.8m for the year to March 2019. Toll Group is under pressure to increase profits for Japan Post.

It also raises questions about cyber insurance. Three months after the NotPetya ransomware attack on European delivery service TNT Express, its US parent FedEx estimated it would cost the company $300 million. FedEx did not have cyber insurance at the time of the attack but said it was reconsidering cyber insurance products after it. 

But name and shame announcements by Five Eyes nations — Australia, Canada, New Zealand, the UK, and the US — which collectively blamed NotPetya on Russia complicated insurance claims by one NotPetya victim. 

Confectionery giant Mondelez International, also a victim of NotPetya, did have cyber insurance with Zurich America; however, the insurer denied its NotPetya claim because the policy did not cover incidents caused by “war like action” from a government. Litigation over the claim is ongoing.

The attack on Toll Group, however, looks more like the work of a cybercriminal gang than a state-sponsored attacker.

Europol’s “No More Ransom” program currently has decryption tools for over 100 different strains of file-encrypting ransomware, but it does not have one for Mailto.

Copyright © 2020 IDG Communications, Inc.