Investigating the Toll Cyberattack: Lessons for Your Business
You would think that one of Australia’s largest freight companies would be fully prepared for any cyberattack coming its way. Supply chain and logistics companies are particularly at risk of cyberattacks due to the various links and handovers involved in their businesses, and because they provide a required nationwide/worldwide service. However, it all came to a head for Toll when it suffered what has been pinned as “the most significant (attack) in corporate history” – a ransomware attack that left Toll scrambling to keep up.
Toll is the shipper behind some of the world’s most well-known brands in Australia, such as Telstra, Nike, Optus, and Footlocker. The effects of the ransomware attack meant that Toll was required to pay penalties to customers for failing to fulfil the terms of their ongoing contracts, and faced significant delays in recovering its systems, manual workarounds, and reputational fallout from the incident – including customers moving over to competitors such as DHL or even Australia Post.
The deadly Mailto or Kazakavkovkiz ransomware
The malware at the centre of the crisis is named Mailto or Kazakavkovkiz, a variant of the KoKo ransomware family. The malware weaves a complex web of deception through malicious attachments, delivered by email spam, and through insecure RDP configuration, which ultimately ends with AES encryption being performed on all files across the corporate network. Similar ransomware has popped up in various places around the world, such as a public health agency in central Illinois.
Once the files are encrypted, a ransom notice is posted to those affected, listing email addresses to contact in order to pay the ransom, and a code to send to the attackers so they know which business entity has been attacked.
In Malwarebytes’ 2020 State of Malware report, the findings show that while ransomware attacks decreased since 2018, the new wave of more advanced ransomware families increased by more than ever before. More worrying, these attacks were at the centre of some of the most high-profile cyberattacks of the year – specifically targeting high-value companies.
Why is ransomware such a problem for businesses?
The issue with ransomware is that files and systems are no longer accessible to the business. Everything is encrypted and you don’t have the key to decrypt it. What the ransomers want you to do is give them the funds, usually payable in Bitcoin, and they will hand over the key to your systems and everything will be back to normal. If not, your systems are encrypted forever.
The ransomers will generally hand over the key upon payment (which can reach six figures); however, even this is not guaranteed. Many companies choose to hand over the ransom simply because they aren’t able to operate without their systems (despite staggering financial blows), but those that can’t afford it, or don’t get the key in return, can face significant issues.
While “big fish” targets like Toll are a popular choice for ransomers, due to their large pool of funds, ransomware attacks can happen to anyone, from large enterprises, through to small businesses, and even personal computers.
Ransomware can be even more serious than encryption. The Jigsaw variant of ransomware from 2016 saw files deleted for every hour that the ransom wasn’t paid.
So what went wrong for Toll?
Toll found out about the issue on 31st January 2020, when the company “moved quickly to disable the relevant systems and initiate a detailed investigation to understand the cause and put in place measures to deal with it.”
The effects caused delays and breakdowns in regular working systems, including customer-facing applications. The Australian Cyber Security Centre was swiftly notified of the incident. The ACSC notes that the attack may have used phishing techniques (which may in some cases be preventable by using advanced spam protection) and password spray attacks, which try to guess organisational passwords.
There are a few mentalities that you can take with ransomware – pay up and take it on the nose, don’t pay and potentially rack up larger costs to fix the issues (such as when the Robbinhood ransomware ended up costing Baltimore $18M+ instead of the ransomware fee), or hope that your cyber insurance (if you have it!) covers one or both of these events.
Toll ended up not paying the ransom, and the effects of the decision are still being felt two months later, with some systems still not fully operational.
However, Toll has been cautious in their approach, bringing back systems bit by bit, in a controlled approach. Thankfully, they had failsafe measures in place to help prevent complete systems meltdown, even if the effects are still ongoing.
Lessons every business can learn from the Toll incident
Remember, cyberattacks happen to everyone
Whether it’s ransomware, malware, data theft, or other types of cyberattacks, they can and will happen to you – whether you are a small business or a large enterprise. No matter their size, businesses need to have a “not if, but when” mentality. You cannot afford to put your head in the sand and just hope that you will avoid it. Ensure you have robust business continuity plans in place, so that you are prepared when it does happen.
If you don’t pay the ransom, your business will take a hit, but…
If Toll had paid the demanded ransom from the attack, perhaps they would have been back up and running in mere minutes or hours – this could have been viewed as a mere blip in the system. If you do pay the ransom, however, there is no guarantee that it will work, or that attackers won’t try again and up the ransom.
Have an incident response plan in place
It is clear that Toll had an incident response plan in place that dictated that they would not pay or negotiate with ransomers. Knowing what to do, instead of scrambling, should your organisation be hit with ransomware (or another cyberattack) is extremely important. Have a plan in place that you are able to follow, step by step. Risk mitigation is just as important as risk aversion.
Use a secondary mirror system
Secondary mirror systems of all critical infrastructure that are separate from your main operational systems are highly, highly recommended. These may be daily, hourly, or weekly backups (depending on your business), and must be completely separate from your operational systems, so they cannot get infected. These may be stored off-site in a different location, or on a different cloud provider, etc.
Have workarounds in place
Toll worked hard to pick up the slack and put in manual systems to fall back on when the incident occurred. Yes, this may mean bringing on a whole team of call centre staff, using competitors to help pick up the slack, etc.
Paying a ransom doesn’t mean you’ll get your systems back
To pay, or not to pay? That’s really up to you. If you don’t have the right contingency plans in place in the event of a cyber emergency, you may be forced to pay the ransom to avoid crippling your business for good. Planning for the future (plus cyber insurance) is a better plan; however, it depends on what state your business and systems are in to begin with.
Use caution when bringing systems back online
As Toll did, bringing systems back one at a time, first in a sandboxed environment and with careful monitoring, can help to ensure that the effects of the cyberattack don’t poison the systems coming back online. Being overly cautious is extremely important when you are in this stage.
Have an incident team ready and dedicated to reputation damage control
Yes, cyberattacks are likely to do reputational damage to your business. You may lose clients either temporarily or for good. Swift and transparent responses from management are critical, as is a team of dedicated PR professionals who are able to help with reputational fallout, customer support, managing your socials and the news cycle, etc.
Ensure scalable customer support in times of crisis
Toll required the use of a phone team instead of their usual online booking portal when systems went down. When your customers are unable to access what they need, you will need scalable support to help them with their problems. This may be a trained support crew on hand to augment your usual staff contingent.
Report attacks to the authorities
It is important to report cyberattacks to the authorities – the Australian Cyber Security Centre – as well as to do your due diligence by reporting within the mandatory time frames required by law in the event of a notifiable data breach.
Share incidents with the wider community
Spreading the word among your fellow community members will ensure camaraderie and safety in numbers in the future; you will be seen as trustworthy and helpful as an organisation.
Need help with security plans, cyber insurance, or cyber risk management?
A1 Technologies is dedicated to helping organisations combat the threat, and sadly the inevitability, of a cyberattack. We can help with planning, through to technology and customer service support contingency plans, email filtering solutions, bolstering network security, investigating the best cyber insurance, and being your go-to helper in the event of a cyber emergency.
Get in contact with us today to learn how to protect yourself and build your company’s data and systems like a fortress – with a backup plan of course.
Acknowledgement to macrovector_official.