Two weeks ago, Australian logistics company Toll fell victim to a targeted cyberattack that brought transport operations to a standstill. The ransomware infection forced Toll to shut down a significant portion of their critical IT infrastructure – as many as a thousand servers – to prevent further spread of the malware. 
It was discovered that the ransomware in question is known as “Mailto” or “Kokoklock”. Like most ransomware, Mailto encrypts as many files as it can on a system, making them unusable, then prompts the user to follow instructions if they wish to access the files again. This process usually involves paying a ransom to the attacker, typically in the form of cryptocurrency or a digital funds transfer to a foreign bank account. Upon paying the ransom, the attacker may then choose to honour the ransom, and give the victim the key to decrypt the files. There is also a chance that the attacker does not keep their word, but instead disappears with the funds and the decryption key, leaving the victim penniless and without access to critical files, particularly if backups did not exist.
Following the infection and the forced shutdown of servers, many of Toll’s logistics operations came to a halt, causing significant frustration with customers. The company issued a statement on Friday 31st January that they were suffering the effects of a “cyber security incident”. Tracking and pickup systems were offline during this period. Following this, Toll issued statements that it had begun working to restore services. Many customers had deliveries that were missed or delayed, without access to the online tracking in order to find the shipment’s location.
Toll assured customers that no personal data had been lost as a result of the attack, and that continual monitoring of data will be carried out into the near future. It has not been made public what defensive measures were in place to protect against a ransomware attack, though the successful restoration of services in the last week has made it apparent that system restorations from backups had been utilised.
According to Corey Nachreiner, Chief Technology Officer at WatchGuard Technologies, given the targeted nature of this attack it is likely that the attacks used several other techniques to gain access to private systems and networks using stolen user credentials in order to bypass security controls to install and spread the ransomware.
Businesses in Australia are at a greater risk than ever of falling victim to a severe ransomware attack. Strong user authentication practices such as multi-factor authentication, and strong password policy and security culture is critical to defending against such ransomware attacks, especially those that are targeted. In addition, in the event of a ransomware attack, a strong and regularly tested backup solution is one of the very few ways that files can be recovered without paying the ransom.
Organisations that rely on IT infrastructure for everyday business are most at risk, and Agilient’s expert consultants can help your organisation defend itself from today’s constant ransomware attacks. Every organisation is at risk, no matter the size. In fact, smaller businesses are most at risk of significant financial downfall in the event of a cyber-attack. If you’d like to know more about how we can help you protect your organisation, contact us today.
Author: Jack Schofield, Agilient Consultant