Toll Group managing director Thomas Knudsen has described the “humbling” efforts of his staff to keep the company going this week and battle its way through a significant ransomware attack that has forced its systems offline since last Friday, saying it is making good progress in its recovery and hopes to be working normally within the next few days.
In a statement to The Australian Financial Review, Mr Knudsen, who was a senior executive at Danish logistics giant Maersk when it was hit by a significant ransomware attack in 2017, said the company had isolated the problem and was gradually bringing its systems back online.
Earlier in the week, Toll disclosed that it had been compromised by a relatively new variant of the ‘Mailto’ or ‘Kazakavkovkiz’ ransomware, and that it was not going to pay the ransom demanded by hackers to unlock its files.
In his first public comments on the cyber attack, Mr Knudsen said the company would spend the coming days reinstating back-end hardware and testing key systems, both internally and with some customers, before moving to a broader roll-out of its normal IT infrastructure.
He admitted the company had faced significant challenges, but said it had mobilised quickly and decisively, first to contain the risk and then to focus on supporting customers.
“These are complex issues and we don’t resile from the fact that not everything’s working perfectly and, at this stage, some customers are still being impacted,” Mr Knudsen said.
“Unfortunately, no organisation is immune from cyber attack. The response from our teams across all of our operations has been immense. It’s hard not to be humbled by the way they’re facing into the challenge to look after and support our customers.”
On Thursday, the Australian Signals Directorate warned companies in all sectors to ensure their cyber security defences are up to date and that they have effective disaster recovery plans in place, following the Toll attack.
Its Australian Cyber Security Centre (ACSC) published an advisory notice about Mailto, saying it currently had only limited information about the initial way Mailto infected victims and how it then spreads across a network.
“There is some evidence that Mailto actors may have used phishing and password spray attacks, and then used compromised accounts to send further phishing emails to the users’ address book to spread the malware,” it said.
Phishing refers to the practice of sending spoofed emails that trick a user into clicking a malicious link, which then lets the malware loose.
The ACSC published a so-called hash of the Mailto ransomware: a cryptographic fingerprint of the malicious file that acts as an identifier and lets other organisations scan their systems to see whether the same file is present anywhere on their network.
“The ACSC’s primary recommendation for detecting and preventing the spread of the Mailto ransomware is to update antivirus and other security tools,” the advisory note said.
It went on to advise that organisations should regularly patch their operating systems so that security defences keep up with the changing nature of malware attacks, and that they should keep daily, isolated, offline backups of their network to allow recovery in the event of a widespread ransomware deployment.
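As an added illustration (not code from the article or the ACSC advisory) of how a defender uses a published file hash like the one ACSC released: walk a directory tree, compute each file's SHA-256, and flag anything matching an indicator list. The indicator value here is a constructed placeholder, because the article does not reproduce the real Mailto hash.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large binaries need not fit in memory


def sha256_of_file(path: Path) -> str:
    """Return the lowercase hex SHA-256 of a file, streamed from disk."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, indicators: set) -> list:
    """Walk root and return (path, hash) for every file whose SHA-256 is in indicators.

    Advisories sometimes publish hashes in uppercase, so the set is normalised first.
    Unreadable files (permissions, locked by another process) are skipped rather than
    aborting the whole scan.
    """
    wanted = {h.lower() for h in indicators}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue
            if digest in wanted:
                hits.append((str(p), digest))
    return hits


def demo() -> list:
    """Constructed sample: one file matching the placeholder indicator, one benign file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sub").mkdir()
        (root / "sub" / "invoice.exe").write_bytes(b"constructed sample payload bytes")
        (root / "readme.txt").write_text("benign content")
        # Placeholder indicator, NOT the real Mailto hash; a real scan loads ACSC's value.
        indicators = {hashlib.sha256(b"constructed sample payload bytes").hexdigest().upper()}
        return scan_tree(root, indicators)
```

A hash match is a reliable positive but not a reliable negative: a new build of the same ransomware has a different hash, which is why the advisory pairs the indicator with updated antivirus rather than relying on the hash alone.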
Cyber security experts said the Mailto variant had been known in the industry since the start of February, so Toll’s cyber defences should arguably have stopped it. However, it was possible that the attackers had gained access before the variant was identified.
“On average, data breaches can go undetected for 197 days and I consider it unlikely that Toll’s defenses were obscure or ineffective. Their response and communication clearly shows that they have an incident response plan in place and are working collaboratively with experts such as the ACSC,” strategic cyber security expert Shannon Sedgwick said.
“Another indicator of that preparedness is that Toll have opted not to pay the ransom to gain access to their data. Typically, only organisations that have a robust incident response plan and regular data backups could afford to make that decision.
“Based on the information available, I believe they made the right decision. There is no guarantee that if a ransom is paid that the malicious actors will release your data or remove themselves entirely from the network.”
Mr Sedgwick said most ransomware attacks were severe and those criticising Toll’s response should be aware that it takes a long time to rebuild data and systems from backups, while ensuring that the rebuild is free from the malware.
“It is more than fair to say that this type of attack could happen to any business, and does so regularly,” he said.
“There is a recurring trend in data breaches where there is usually human error involved, typically the opening of a phishing email or link that allows the hacker’s payload to propagate through their systems.”
Brett Callow, threat analyst at cyber security firm Emsisoft, said most antivirus solutions already repelled Mailto, so he suspected Toll’s network had been so badly compromised that the attacker had been able to disable its security tools.
“This won’t have any impact on Toll’s ability to recover, at this point, it is what it is,” Mr Callow said.
“But it would explain why the attack may have succeeded, because most antiviruses detect this variant, so the antivirus had likely been stopped somehow.”
A Toll spokesperson said a thorough investigation was ongoing to understand how security measures were bypassed in order to deploy the ransomware.
Meanwhile, Toll said it had needed to put in place temporary changes to the way it handles staff wages. While Toll employees are continuing to receive their ordinary base pay, for additional entitlements such as overtime, it has added an additional pay run.
“While we’re under business continuity processes, these additional payments are being paid in arrears on a weekly basis. At the point that all systems are back online, the payroll process will revert to our normal automated systems,” the spokesperson said.
“During this time, we have allocated specific resources to work with employees who might be facing financial hardship. This is in addition to other support programs we have in place to assist our people through this period.”
In addition to its delivery business, Toll Group also has a contract, through its Remote Logistics division, to operate the Christmas Island Airport on behalf of the government.
Asked if the cyber attacks had hampered operations there during the evacuation of people to be quarantined for coronavirus, the spokesperson said there were no problems.
“Following the recent cyber attack, Toll’s operations at Christmas Island Airport have been running as normal with minimal disruption,” they said.
Paul Smith leads The Australian Financial Review’s technology coverage and has been a leading writer on all areas of the sector for almost 20 years. He covers big tech, how businesses are using technology, fast-growing start-ups, telecommunications and national innovation policy.