The firm confirmed the attack in an official press release, stating that it chose to safeguard its data by shutting down several systems across various sites. “Toll IT teams are working closely with global cybersecurity experts to resolve the issue” and “making progress with our recovery activities to restore our systems and Toll customer-facing applications,” the release explained.Toll Group shuts down IT systems in response to 'cybersecurity incident' https://t.co/iZkRVKGXWE
— ZDNet (@ZDNet) February 5, 2020
“Cyber Attack” Forces Extreme Measures
The Australian firm, which employs over 40,000 people and maintains operations across the world, abruptly shut down its customer-facing IT systems late last week, claiming in a tweet at the time that it was merely doing it in response to a “cyber incident.” In one of the updates, the firm confirmed that the ransomware used in the attack was a variant of the Mailto ransomware. The firm claimed that it had affected up to 1000 of its servers. Toll Group said it had shared necessary information with law enforcement agencies, and it hopes to restore operations back to normalcy soon.Customers had been complaining about the slow delivery timelines on their packages. To appease users, Toll craved their indulgence as it was now using manual processes to fulfill deliveries. Operations in the Philippines, Australia, and India are reported to have been hit the hardest. However, it confirmed that many of its customers will still be able to access most of its services across large parts of its network around the world.2/2 … As we continue to make progress in restoring customer facing applications and services in the coming days, we will provide further advice on expected timeframes. We will continue to provide regular updates. We sincerely apologise for any inconvenience caused.
— Toll Group (@Toll_Group) February 3, 2020
Mailto Continues to Wreak Havoc
Also known as Kokoklock, the Mailto ransomware attaches random extensions to file names, essentially making them unusable. It was first spotted in September 2019, and while it doesn’t share many features with other deadly ransomware, its singular purpose is to extort money from its victims. Once in a system, the ransomware looks for every file format and encrypts them. Using a Salsa20 cipher, the ransomware attaches a random appendix to data that usually consists of six characters. A random note is also dropped, which advises victims to send an email to a specified address to get their files back.
The attackers usually ask for payments to be made in cryptocurrency, although the exact amount could vary between victims.
Images are courtesy of Twitter, Shutterstock, Pixabay.
Disclaimer
In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.