Freight giant Toll confirms second ransom attack

Updated: A new form of malware is behind a ransom attack on freight and courier firm Toll, writes Jim Kayes

International freight company Toll Group has confirmed its IT systems have been attacked and ransom demanded by hackers - but says it will not pay and is finding workarounds to keep freight moving in Australia and New Zealand.

Toll advised customers it shut down systems because it detected unusual activity on its servers.

"We can confirm that this activity is the result of a ransomware attack," it said in an email.  "Working with IT security experts, we have identified the variant to be a relatively new form of ransomware known as Nefilim.

"This is unrelated to the ransomware incident we experienced earlier this year. Toll has no intention of engaging with any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our network."

The Toll shutdown of systems comes after a trans-Tasman logistics company was also the target of a ransomware attack in March and New Zealand meat company Affco experienced significant issues with its IT systems last week.

Toll Group, a $9 billion company which operates at 1200 locations in 50 countries and employs 44,000 people, said: "We are in regular contact with the Australian Cyber Security Centre (ACSC) on the progress of the incident.

"In New Zealand, while our Global Express operations were affected initially by the incident, the team, with the support of Toll’s New Zealand-based technology partners, has been able to reactivate the customer portal and customer support lines, thereby limiting any impact on customers."

Toll is the largest domestic customer for New Zealand Rail and is a $300 million business with 800 staff and 600 owner drivers in New Zealand.

For 36 hours from Monday morning its systems were offline in this country, leaving staff to process bookings manually.

A leading cyber expert says the attacks aren’t a surprise as the criminals behind them seize on topical issues like Covid-19 to lure people to false websites and launch their attacks.

“It’s sophisticated stuff and it’s big business,” NortonLifeLock’s cyber security expert Mark Gorrie says. “It’s organised crime and it’s so profitable that the criminals invest heavily in their resources.”

A worker at a Toll centre in New Zealand confirmed to Newsroom on Tuesday its usual IT systems had been offline since Monday morning and staff were using the external Gmail system to communicate.

It comes at a bad time on both sides of the Tasman as people are relying heavily on couriers for food and other essential deliveries from online purchases during the Covid-19 lockdowns.

Customers in Australia are greeted by this message when they try to log into the MyToll homepage.

Toll Group was targeted in a ransomware attack in February that took more than a month to fix.

Toll’s boss, Thomas Knudsen, told The Australian Financial Review after that attack the complexity of Toll’s online systems meant it took more than five weeks to get back online.

“You can't underestimate the scale and complexity of a cyber attack of this kind on a business as big as ours,” Mr Knudsen said.

He warned other companies should expect to be attacked too. It was important they didn’t give in to ransom demands.

"We had discussed this before it happened and have a clear position that, according to our values, we don't believe that we should be paying a ransom, as we think it is wrong to pay criminals for this," Knudsen said.

"If we did, it encourages this type of crime and therefore I think you almost have a duty not to pay ... Also, even if you pay the ransom you don't know whether they will actually share the code, or restore data and the devices, so it isn't even a guaranteed solution."

Australia and New Zealand logistics provider Henning Harders was attacked last month with ransomware criminals threatening to publish information stolen from the company on the web.

Henning Harders took its cargo tracking system down when the company "became aware of unusual activity on our systems which appears to be the result of an organised attack".

Some customer commercial data may have been accessed, Henning Harders said, but there was no evidence it had been misused.

Ransomware criminals Maze claimed responsibility for the March 15 attack but have not published any of the data that might have been taken.

Attack targets can be big companies and everyday shoppers, with a NortonLifeLock poll showing 59 percent of Kiwis had suffered a cyber attack and almost a third had suffered financially, with an estimated loss of $108 million in the past year.

“They are harvesting credit cards,” Norton’s Gorrie says, adding opportunistic criminals take advantage of crises like Covid-19.

This sees the criminals using fake online shopping sites, or links to track the virus’ spread or for a vaccine, as a way to lure people to bogus sites with malware on them.

Natural disasters are also used to entice people looking to make donations to click on real-looking charity websites that are, in fact, criminal.

From the small attacks on credit cards to the big ransom demands, money is at the centre of the attacks and sometimes it takes just one click on a work computer for the virus to bring down a whole system.

In Australia, Toll Group’s customer-facing systems like MyToll, the system used to book, track and trace deliveries, have been taken down.

In New Zealand that system is and that too was offline on Tuesday.

* Made with the support of NZ on Air *
