Toll Group tight-lipped on alleged ransomware attack

Toll Group is staying tight-lipped on what appears to be a large-scale ransomware attack that has infected a sizable part of its IT infrastructure.

The logistics giant first reported that it was suffering from the effects of a “cyber security incident” on Friday last week.

That continued into this week with pickup and tracking systems, including its MyToll portal, offline. 

Read the latest: Toll Group hit by "new variant" of Mailto ransomware

A support line for MyToll reached by iTnews on Monday afternoon said it was “closed” and to email instead.

The company said in a statement that “as a precautionary measure, in response to a cybersecurity incident on Friday, Toll deliberately shut down a number of systems across multiple sites and business units.”

“Toll IT teams are working closely with global cyber security experts to resolve the issue,” it said.

“Our immediate focus is on bringing our systems back online in a controlled and secure manner.”

A source with knowledge of the incident told iTnews that the company has been hit with a sizable ransomware infection that is impacting global operations.

The source said that over 1000 servers had been infected, and that staff worldwide had been told to leave desktops and laptops switched off and disconnected from the corporate network.

The source said Active Directory, productivity and corporate VPN applications were among those infected and taken offline.

This appears to mesh with other reports of the incident sighted by iTnews, which claimed ransomware had infected systems in Toll’s main data centre; that the company had no IT systems operating; and that it was in the process of manually cleaning servers in an effort to bring them back online.

iTnews put its understanding of the incident to Toll Group’s media representatives on Monday. 

The company responded with a prepared statement that did not address any of the points.

It did not further respond to follow-up emails and calls made to several media representatives.

Toll Group’s IT operating model includes a sizable workforce outsourced to Infosys.

An Australian spokesperson for Infosys declined to comment on the incident, including whether its teams were involved in the recovery.

“As a matter of corporate policy, Infosys does not comment on client matters,” its spokesperson said.

Toll said it was “making progress” in its recovery efforts.

“Staying focused on customers remains at the forefront of Toll’s priorities as we restore our services and we sincerely apologise for any inconvenience caused,” it said.

“We want to thank our customers for their patience and support.”

Ransomware has been back in the spotlight in the early part of 2020 with high-profile attacks such as on foreign exchange firm Travelex, which took the best part of a month to recover from. Travelex has refused to say publicly if it paid the $9 million ransom or not.

Total losses from malware can be much more substantial, however. A Petya malware infection cost fellow logistics firm TNT Express $374 million, while staff at law firm DLA Piper put in 15,000 hours of overtime to recover from an encounter with the same piece of malware.