Transport company Toll Group are continuing to try to get back to normal operations after a massive cyber-attack on the company’s IT systems.
Toll became aware of an issue on the 31st of January and moved to disable the impacted systems to stop the spread of the cyber attack.
The incident has been identified as a new variant of a current ransomware attack called ‘mailto’ and is believed to infected as many as 1000 servers, including the company’s Active Directory.
“The ransomware that has affected Toll is a new variant of the Mailto ransomware,” the company said in an update Wednesday.
“We have shared samples of the relevant variant with law enforcement, the Australian Cyber Security Centre, and cyber security organisations to ensure the wider community is protected.”
Toll are still recovering from this incident with the company reporting yesterday “We are progressing with thorough testing and validation of our IT systems, in collaboration with key customers, with a view to restoring our systems as soon as it is deemed safe and secure for anyone who engages with Toll’s IT network including customers, employees, suppliers and vendors.”
At this stage the company does not believe that any customer data has been compromised but has begun a detailed investigation into the incident.
"We have shared samples of the relevant variant with law enforcement, the Australian Cyber Security Centre (ACSC), and cyber security organisations to ensure the wider community is protected," it said.
The ACSC has issued a public warning and has recommended organisations "update antivirus and other security tools".
"There is some evidence that Mailto actors may have used phishing and password spray attacks, and then used compromised accounts to send further phishing emails to the user's address book to spread the malware," it said.
While we don’t know officially how the ransomware was able to breach the Toll systems, usually ransomware works through phishing, sending fake emails to an employee and using social engineering to trick them into providing details such as passwords.
The fact that Toll is still recovering from an attack that happened over 3 weeks ago is a sobering reminder of the impacts that cyber security attacks can have on a business, small or large.
We encourage all of our clients and readers to make sure you are protected from phishing attempts by regularly testing and training your staff so they know what to look out for and what not to click.