ACSC gets to grips with Mailto threat after Toll Group infection

The Australian Cyber Security Centre (ACSC) has released a SHA-256 hash of the Mailto ransomware that infected Toll Group, but says there is “limited information” on the initial intrusion vector and how the malware moved once inside the company's network.

The centre issued its first advisory on the infection late Thursday, after Toll said yesterday it had asked for the ACSC’s assistance.

ACSC said it was unaware whether the attack on Toll Group was “indicative of a broader campaign” using the Mailto ransomware.

“Currently, the ACSC has limited information about the initial intrusion vector for Mailto infections,” it said.

“There is some evidence that Mailto actors may have used phishing and password spray attacks, and then used compromised accounts to send further phishing emails to the users address book to spread the malware.

“There is currently limited information from this compromise on how the malware is spread laterally across a network.

“The ACSC is continuing to monitor the situation and will update this advisory with any additional details.”

As part of its advisory, ACSC released a SHA-256 hash of the Mailto ransomware “from this incident”.

Hashing is a method used in threat intelligence to identify malware and to provide a unique identifier that can be used by others to search for the presence of the malware in their own networks.

Toll Group was forced to shut down many of its IT systems after discovering the ransomware on January 31.

iTnews revealed Tuesday that as many as 1000 servers may have been infected and were being manually cleaned.

Toll Group said Wednesday that it had been infected by a “new variant” of the Mailto ransomware.

The logistics giant indicated recovery efforts were still ongoing through Thursday afternoon, as it approached a week since the infection was discovered.

"As we work through our IT recovery plan in response to the recent cyber attack, our focus is on restoring the relevant underlying infrastructure and fully-automated systems, and on conducting a thorough review of the affected IT hardware including servers, systems and devices," Toll Group said in a new statement.

"In doing so, we are working closely with our cyber security advisers to ensure that any risk associated with this incident has been appropriately managed and neutralised."