DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
Cyber

Toll Group ransomware attack (MailTo variant)

31 January 2020 · Melbourne, Australia
Satellite Imagery © Esri

What happened

On Friday 31 January 2020, Toll Group, an Asia-Pacific logistics and transport company owned by Japan Post with operations across more than 50 countries, became aware that its systems had been infected with ransomware. To contain the spread, Toll deliberately isolated and disabled a range of IT systems across multiple sites and business units. The company described the event as a targeted ransomware attack and identified the malware as a new variant of MailTo, a strain also known as Netwalker. Security researchers noted this was among the first known cases of the variant being used against enterprise-scale infrastructure.

With customer-facing applications taken offline, Toll reverted to a combination of manual and automated processes to keep freight, parcels, warehousing and logistics services running, in some cases at reduced speed. Online booking and tracking were unavailable, leaving customers to place orders by phone, and the company increased contact-centre staffing to manage the disruption. Operations in Australia, India and the Philippines were affected. Unverified claims circulating online suggested roughly 1,000 servers had been encrypted, which Toll did not confirm.

Toll said it had found no evidence that any personal data had been lost and reported the incident to authorities, sharing malware samples with law enforcement and the Australian Cyber Security Centre. According to reporting by the Australian Financial Review, Toll declined to pay the ransom. The company restored services progressively over the following weeks while rebuilding affected systems in a controlled manner.

Assessment

The incident is assessed as financially motivated cybercrime. MailTo/Netwalker is a criminal ransomware family, and there is no credible evidence linking the attack to any state actor; it should not be read as state-directed activity. Its significance lies in demonstrating how ransomware against a single logistics provider can cascade into widespread supply-chain and delivery disruption affecting customers across multiple countries. The attack also illustrated the operational resilience challenges, and crisis-communication difficulties, that critical-infrastructure operators face when forced to revert to manual processes during recovery.

This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.