Toll Group says a fresh ransomware attack is "unrelated" to one that took many of its systems offline between late January and early March this year.
The company faces the fresh attack at a time when it has asked staff to work four-day weeks as a Covid-19 cost-saving measure. And when a new chief information officer, King Lee, is just getting his feet under his desk (Lee's predecessor, Francoise Russo, left at the end of March; Toll says her departure was unrelated to the New Year security breach).
• Kiwis lose $1m to sim card scam
Still, security experts say Toll's experience with the earlier attack should help it recover its systems this time.
And while the second breach of the company's systems within weeks is an embarrassment to the company's technology partners, who include NZ's Datacom, Toll chairman John Mullen has also dropped a heavy hint that the first attack was the result of human rather than technical frailty.
Mullen, who is also the chairman of Telstra, told the AFR on March 10, "I've certainly learned a terrible lesson from this last month or two, you think you're pretty robust and have been audited and have the certificates and all these things so you can tick the box, [but] you are vulnerable."
The chairman said around 50 per cent of Toll's systems were in the cloud "and they were the worst hit."
But he also heavily implied that the Russian hackers suspected of being behind the attack got to Toll through one of its employees.
"It is an element of human behaviour that creates these entry points or the chink in the armour, it is rarely the actual firewall that didn't work," Mullen said.
"People somehow get access to a master password, whether it's via guile or whether it's through criminal activity or bribing. They will use human weaknesses to get around the system."
'Doxing' is new go-to-tactic
Asked if "human weakness" had been formally identified as the factor behind the first attack, and if so what action was taken, a Toll spokesman said, "We are not able to provide any information on this given the inherent sensitivities involved in making details public to perpetrators of such attacks."
However, a report released overnight by security company Eset picked up on the human frailty scheme. It says that during the first quarter, ransomware attackers "added doxing as their new go-to tactic.
Doxing is the practice of blackmailing someone by threatening to make compromising information about them available on the internet.
Why weren't defences tightened?
Regardless of whether a rogue staffer or a technical vulnerability did Toll manage to get hit again, just weeks after Russian ransomware attackers demanded a "hefty" amount of money to unlock its systems?
Last night, the spokesman would only say, "We don't have anything on that at this stage, except to point out that the ransomware variant is different to the last one and that the two incidents are unrelated."
The January attack saw what was thought to be a Russian group hijack Toll's systems using "Mailto" ransomware, also known as "Kokoklock."
"Working with IT security experts, we have identified the variant to be a relatively new form of ransomware known as Nefilim," a Toll spokesman said.
Deja vu all over again
As with the earlier attack, Toll staff have had to resort to using their own computers, Gmail addresses and manual processes to keep the transport and logistics giant running over the past 24 hours.
Late yesterday, the Japan Post-owned, Melbourne-based company, which has operations in 50 countries - including New Zealand, where it has 600 vehicles - confirmed it had been hit by a second ransomware attack.
It was working with customers to minimise disruption, it said, but it expected manual workarounds to be in place for at least the remainder of the week.
"In New Zealand, while our Global Express operations were affected initially by the incident, the team, with the support of Toll's New Zealand-based technology partners, has been able to reactivate the customer portal and customer support lines, thereby limiting any impact on customers," a spokesperson said.
"Toll has no intention of engaging with any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our network."
The company would not immediately name its NZ-based technology partners, but Datacom features its work for Toll in a 2020 case study.
Datacom, which had no immediate comment, can at least take succour from the fact that Toll's NZ systems appear to have had suffered limited impact from the latest attack.
Hospitals spared during pandemic
There have been a number of high-profile ransomware attacks recently, including the January attempt to extort $8.5m from UK-based Air New Zealand foreign exchange partner Travelex (which, like Toll, chose to grind out a multi-week rebuild of its systems rather than pay up; no Air NZ service was affected).
Eset says at least US$140 million has been paid to ransomware attackers over the past six years, according to a February 2020 FBI presentation that tracked bitcoin movements associated with attacks.
Eset's Q1 report notes one positive, however: A number of ransomware "families" have released public statements promising not to target health or medical organisations so as not to worsen the effects of the pandemic.
What to do if you're hit by ransomware
New Zealand businesses or individuals hit by a cyber-attack are advised to contact Crown agency CERT (the Computer Emergency Response Team) as their first step.
CERT acts as a triage unit, pointing people to the right law enforcement agency or technical contacts.
CERT director Rob Pope and police both advise against paying up on a ransomware demand, even if the sum involved is modest.
They say there is no guarantee that data will be returned, or unlocked. They also caution that while paying a small ransom can be convenient, the money can help fund Eastern European gangs who are also involved in the likes of drug and human trafficking.