Toll ‘Mailto’ attack part of targeted ransomware trend

Targeted attacks on enterprises more lucrative than spray and pray

Toll Group has confirmed it is the victim of what it has described as a “targeted ransomware attack”.

The company said that it had been hit by a new variant of Mailto ransomware, and in a statement said that it had shared samples with law enforcement, the Australian Cyber Security Centre, and cyber security organisations “to ensure the wider community is protected”.

“There continues to be no indication that any personal data has been lost as a result of the ransomware attack on our IT systems,” a statement from the company said.

“We continue to monitor this as we work through a detailed investigation.”

The logistics company first detected the security incident on 31 January and as a precaution shut down a number of its systems.

The company disabled some of its systems and resorted to a combination of manual and automated processes, which led to some delays across its network.

“As part of the roll-out of business continuity measures in response to the recent cyber-attack, many of our customers are now able to access our services across large parts of the network globally including freight, parcels, warehousing and logistics, and forwarding operations,” the company said in an update released late on 5 February.

“Based on a combination of automated and manual processes instituted in place of the affected IT systems, freight volumes are returning to usual levels.”

“We have also increased staffing at our contact centres to assist with customer service,” the statement said.

“Notwithstanding the fact services are being provided largely as normal, some customers are experiencing delays or disruption and we’re working to address these issues as we focus on bringing our regular IT systems back online securely.”

In 2019 a number of security firms noted a significant rise in ransomware attacks targeting enterprises.

The latest McAfee Labs Threats Report (PDF), released in August, revealed that in the first quarter of 2019 the company had observed a 118 per cent growth in ransomware attacks. That increase “included the discovery of new ransomware families utilizing new, innovative techniques to target and infect enterprises”.

Larger organisations can be a lucrative target for the actors behind the ransomware campaigns, the report said.

“The McAfee Advanced Threat Research team gathered technical details and techniques through research of more than 22 targeted attack campaigns,” the report said.

“Analysis of these details shows threat actors are going after bigger fish, and they continue to use user execution and spear-phishing attachments in attacks.”

“Cybercriminals are finding new and innovative techniques to rapidly target and infect enterprises,” Joel Camissar, McAfee’s regional director, MVISION Cloud, Asia Pacific, told Computerworld in an email.

“Spear-phishing attacks aside, ransomware attacks are increasingly gaining access to organisations that have open and exposed remote access points, such as Remote Desktop Protocol (RDP) and virtual network computing (VNC). RDP credentials can be cracked through a brute-force attack or bought on the cybercriminal underground.”

Camissar said the rise of ransomware targeting businesses highlighted the importance of “cyber resilience”.

He cited the McAfee Cyber Risk & Resilience (MCRR) report, which found Australian organisations cited ‘culture, education, and awareness’ as the lowest investment priority to improve cybersecurity maturity, “which can ultimately impact the level of cyber resilience, and there’s clearly much work to be done to change the emphasis that Australian organisations place on cybersecurity education and awareness in the workplace.”


Copyright © 2020 IDG Communications, Inc.
