Toll Group hit by "new variant" of Mailto ransomware

Toll Group says it has been hit with a “new variant” of ransomware known as Mailto or Kokoklock, and that samples have been provided to the Australian Cyber Security Centre and other researchers.

The logistics company has been suffering the effects of the infection since Friday last week, when it was forced to shut down much of its IT infrastructure to prevent the malware from spreading.

The ransomware is believed to have infected as many as 1000 servers, including Active Directory.

“The ransomware that has affected Toll is a new variant of the Mailto ransomware,” the company said in an update Wednesday.

“We have shared samples of the relevant variant with law enforcement, the Australian Cyber Security Centre, and cyber security organisations to ensure the wider community is protected.”

Mailto appends random extensions to file names, making them unusable. It first appeared in around September 2019.

Toll indicated that it was starting to recover from the attack, saying that “many of our customers are now able to access our services across large parts of the network globally including freight, parcels, warehousing and logistics, and forwarding operations.”

“Based on a combination of automated and manual processes instituted in place of the affected IT systems, freight volumes are returning to usual levels,” it claimed.

“We have also increased staffing at our contact centres to assist with customer service.”

However it noted there were still delivery delays being felt across its global network.

“Notwithstanding the fact services are being provided largely as normal, some customers are experiencing delays or disruption and we’re working to address these issues as we focus on bringing our regular IT systems back online securely,” Toll said.