Australian logistics giant Toll Group reverted to manual systems after a ransomware attack on part of its IT network last week, as the company liaises with government cybersecurity experts and works to restore its systems.
The Australian Cyber Security Centre (ACSC), part of the government’s Australian Signals Directorate, issued a warning yesterday urging companies to update their security and detection software to scan for the ransomware’s indicators of compromise. The ransomware, known as ‘Mailto’ or ‘Kazakavkovkiz’, belongs to the KoKo ransomware family and encrypts files, leaving them in an unusable ‘mailto’ format.
“The ACSC has limited information about the initial intrusion vector for Mailto infections,” the organisation wrote.
“There is some evidence that Mailto actors may have used phishing and password spray attacks, and then used compromised accounts to send further phishing emails to the users’ address book to spread the malware.”
The ACSC published a file hash for the Mailto ransomware among its indicators of compromise (IOCs).
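As an added example (not code from the article, from Toll or from the ACSC), the kind of hash-based IOC sweep the advisory asks for: walk a directory tree, SHA-256 every regular file and report any whose digest appears in a supplied set of known-bad hashes. The article does not reproduce the ACSC’s published hash, so the demo below generates its IOC hash from a constructed sample file in a temporary directory; in practice you would paste in the hashes from the advisory.

```python
"""Hash-based IOC sweep (added example, not from the article or the ACSC).

The demo tree and its 'malicious' sample are constructed here; the hash it
produces is a stand-in for the real Mailto hash, which the article omits.
"""
import hashlib
import os
import tempfile
from typing import Iterable, List, Tuple

CHUNK = 1 << 20  # read in 1 MiB chunks so large files are never loaded whole


def sha256_of(path: str) -> str:
    """Streaming SHA-256 of one file, returned as lowercase hex."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, ioc_hashes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, sha256) for every regular file under root whose digest
    is in ioc_hashes. Matching is case-insensitive; symlinks are not followed
    and unreadable files are skipped rather than aborting the sweep."""
    wanted = {h.strip().lower() for h in ioc_hashes}
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_of(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def build_demo_tree() -> Tuple[str, str]:
    """Create a constructed directory tree with one 'bad' sample and one
    benign file. Returns (root, sha256 of the sample)."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    user_dir = os.path.join(root, "users", "alice")
    os.makedirs(user_dir)
    sample = os.path.join(user_dir, "invoice.exe")  # hypothetical file name
    with open(sample, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE - not real malware\n" * 100)
    with open(os.path.join(user_dir, "notes.txt"), "w") as f:
        f.write("benign content\n")
    return root, sha256_of(sample)


if __name__ == "__main__":
    demo_root, ioc_hash = build_demo_tree()
    # Real use: replace [ioc_hash] with the hashes listed in the advisory.
    for path, digest in scan_tree(demo_root, [ioc_hash]):
        print(f"IOC match: {path} sha256={digest}")
```

A hash sweep only finds the exact sample whose hash was published; Toll described the attack as “a new variant of the Mailto ransomware”, and a recompiled or repacked variant will not match. Treat the sweep as confirmation of a known sample, not as detection for the family, and pair it with the behavioural and account-based checks (phishing, password spray, unusual outbound mail) the ACSC describes.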
Toll detected the attack last Friday, January 31, and immediately isolated and disabled some systems to contain any potential spread. The company said it had increased staffing to help customers, and that a combination of automated and manual processes for the affected IT systems had seen freight volumes return to usual levels.
The logistics company has been providing daily updates as it restores systems, saying the attack came from “a new variant of the Mailto ransomware”.
“We are working closely with our cyber security advisers to ensure that any risk associated with this incident has been appropriately managed and neutralised,” Toll said on Thursday, apologising for the inconvenience.
“Regretfully, some customers are experiencing delays or disruption while we work towards bringing our regular IT systems back online securely. Our teams across our operations are working with affected customers.”
The company did not pay the ransom demanded by the hackers.
The attack on Toll came a month after foreign currency exchange firm Travelex was forced to take its global sites offline following a ransomware attack discovered on New Year’s Day. The disruption spread to British banks last week, with the Royal Bank of Scotland, Lloyds, Barclays and HSBC unable to process foreign currency orders. It has also affected some Westpac and Bendigo and Adelaide Bank customers in Australia.