Ransomware is back in the news, and not in a good way. We're waiting to hear what the "IT cyber security incident" is that led logistics multinational Toll Group to shut down an unspecified number of systems and customer applications. [UPDATE: Toll has finally admitted a ransomware attack is behind its ongoing problems.]
The company isn't saying much beyond that it is "making progress with our recovery activities to restore our systems and Toll customer-facing applications", but this could be yet another large ransomware attack.
An anonymous source contacted Australian enterprise IT publication ITnews and said over 1,000 servers had been hit by ransomware. Staff have been told not to switch on desktop and laptop computers, and to leave them disconnected from Toll's corporate network.
The ransomware activates on user logins, and has forced Toll to take down its IT systems.
Toll was asked if the security incident is in fact a ransomware attack, and didn't deny it.
The logistics company's IT is managed by Infosys, which also declined to provide further details.
If the Travelex ransomware experience is anything to go by, staying quiet on what has happened isn't a great idea for Toll Group and Infosys. If it's not ransomware, they should say so. If it is, sharing information on the attack could help prevent future "cyber security incidents".
Travelex eventually owned up to what everyone suspected was the case, namely that it was hit by REvil/Sodinokibi ransomware, from which the forex giant still hasn't fully recovered. We don't know whether Travelex paid the ransom.
It's fair to say the ransomware situation is getting worse every week, causing massive damage.
REvil for example is being rented out to affiliate ransomware raiders on a colossal scale: Dutch internet provider KPN tracked the REvil attacks it could find over the last half of 2019, and counted a staggering 150,000 unique infections.
Working off the ransom notes it found in REvil samples, KPN estimated the criminals were hoping to extort US$38 million ($58.8m) from victims.
Again, that's just the number KPN could see. The actual number of attacks is likely far higher, except in Russia and the post-Soviet Commonwealth of Independent States, which are off limits for the ransomware.
Ransomware attacks are not just becoming more frequent, they are getting nastier too. As observed last year, ransomware criminals have started stealing data as well as encrypting computers.
Local security vendor Emsisoft has been tracking the Maze ransomware gang, which has attacked a local authority in the United States, medical practices and an accounting firm.
To force companies to pay the ransom, the Maze gang name them on their website. To further "incentivise" the companies to pay, the Maze criminals publish small samples of the data taken from compromised computers.
"It is the equivalent of kidnappers sending a pinky finger," Emsisoft threat analyst Brett Callow said.
No payment means more sensitive data is published, and Emsisoft now says at least five law firms have been hit by Maze in the past week.
It doesn't take much imagination to realise how serious an escalation publishing sensitive information about people's legal matters on the web is.
Callow said some data has been published in Russian hacker forums with a note to "use this information in any nefarious way that you want".
The Maze gang has started charging one million for decrypting data and another million to delete the stolen copy. As Emsisoft suggests, it's highly unlikely that criminals would delete data they can make money from at a later stage.
Again, it seems ransomware victims are trying to hide that they were attacked, with Emsisoft estimating that only a fifth of affected companies make a public disclosure.
That seems true: none of the companies hit by Maze that I contacted last month responded, even though the messages went through.
In one case Maze published sensitive data on a company's employees. This included home addresses, banking and insurance data, and drug test results.
The employer didn't tell its staffers. According to Callow, they only found out when he phoned them to make them aware that their personal information had been published online.
Keeping quiet like that, whether or not a ransom is paid, is guaranteed to encourage criminals. Ransomware attacks need to be reported.
That, and making sure you have current backups of all data. The backups need to be stored offsite and offline so that attackers can't delete them.
If you feel that the flood of ransomware attacks isn't being taken seriously, you're not alone. Security experts say the situation is totally out of control and ransomware attacks are done pretty much in the open. That has to change, or we'll never see an end to this devastating problem.