Toll Group: 11 days after ransomware attack key IT systems still offline


Toll Group today said it’s still working to restore key online systems some 11 days after taking core IT systems offline to mitigate a Mailto ransomware infection.  

The Japan Post-owned Australian logistics firm, however, suggested it has made progress in restoring systems and that, as of Monday, the majority of its internal networks and user access were functioning.

The Monday update sheds some light on the extent of the disruption caused by the ransomware infection. It’s the sixth update since Toll Group revealed on February 3 that it had taken some IT systems offline on Friday 31 January in a bid to contain a cyber attack, later revealing it was the Mailto ransomware.

However, nearly two weeks after the attack was first noticed, the company is still relying on a combination of manual and automated processes for its Global Express delivery business, which includes its parcel delivery services. 

Toll’s online booking and tracking platform MyToll remains offline; however, the company predicts customers will be able to use MyToll for “some services towards the end of the week” as it aims to fully restore the system. In the meantime, it has ramped up call center resources to handle services that customers normally manage online.

On Friday the company said it took “foundational IT infrastructure” offline in response to the Mailto infection and that it was testing key systems with some customers to ensure they could be brought back online. 

Toll is also currently working to restore key warehouse and transport applications from its Global Logistics business and said that some of the applications are ready for testing. Its transport services are also using manual and automated systems. 

The key for Toll Group is to reassure customers — and its owner Japan Post — that it has a handle on the restoration of online services that customers rely on for their businesses.  

Toll Group was unable to provide an estimate for the costs the incident has caused when asked by CSOonline.  

“It’s too early to know if and to what extent there might be any financial impacts,” a Toll Group spokesperson said in a statement to CSOonline. 

“For now, our focus is making sure our customers have access to the services they need with as little disruption as possible. Where customers are experiencing some disruption, we’re working through those issues with them.”

The company however is confident that its current insurance does cover losses caused by cyber incidents. 

“As a large global organisation, our risk management approach is designed to ensure we recover from such incidents in a timely manner. And, we have a comprehensive insurance program to minimise losses, including those arising from cyber incidents,” the spokesperson said. 

Toll Group last week shared a sample of the Mailto ransomware that hit its systems with the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC). 

ACSC posted the SHA256 hash of the Mailto sample but didn’t attribute the source to Toll Group. 

According to Google Cloud’s VirusTotal database, 58 out of 70 popular antivirus engines currently detect the Mailto sample whose details ACSC shared. 

Brett Callow, a spokesperson for the antivirus vendor Emsisoft, told CSOonline that most major vendors were detecting this sample by mid-December 2019. 

“In some cases, such as ours, it would have been blocked from the get-go because of its behavioural characteristics. Which opens the door to the possibility of the actors having been able to disable whichever product Toll were using in order to be able to deploy the ransomware,” said Callow. 

Callow reckons chances are slim that anyone will be able to deliver a decryption tool for Mailto. 

“I’d say it’s unlikely though. Early analysis suggests this ransomware wasn’t created by a clueless skid, so the encryption is likely secure,” he said. 


Copyright © 2020 IDG Communications, Inc.