Toll admits some of its customers are still suffering delays 18 days after it was hit by a ransomware attack. Not all systems are back online, and the company is also chewing through a backlog created by the initial chaos.
The Melbourne-based transport and logistics giant, which has substantial operations in New Zealand, has refused to even communicate with the hackers, let alone pay their (unknown) ransom.
Instead, it is grinding it out, falling back on manual systems for some operations as it slowly restores its systems. An AFR report this morning says customers including Officeworks, Unilever, Adidas and Nike have had to fend off customers angry about delays.
Toll's approach is similar to that taken by UK-based foreign exchange specialist Travelex.
Travelex went offline on January 8 after a ransomware attack saw hackers steal customer data then demand US$6 million ($8.5m) for its return.
The company went back online on January 28. It said it did not pay any ransom.
Toll, which took days to respond to the Herald's queries after its initial attack, revealed on February 7 that it had been hit by the "Mailto" ransomware attack - that is, it had not lost any customer data, but hackers had encrypted it and demanded money for it to be made readable again.
This morning, a Toll spokeswoman said, "We now have many of our customers back online and operating essentially as normal, including through large parts of our global cargo forwarding network and across our logistics warehouse operations around the world.
"And, we're progressively reactivating full services on the MyToll parcels booking and tracking portal. Core systems including email, phones and end-user devices have been tested, restored and are operating as normal."
She added, "For all of that, we know that some of our customers continue to be affected.
"We're working with them and we're doing everything in our power to get them moving as a matter of priority and, importantly, when it's safe to do so.
"We're also turning our attention to the backlog of work that's resulted from the disruption of the past couple of weeks."
Toll can't give an estimated time for the full restoration of its systems.
On Friday January 31, Toll said it had taken a number of (un-named) systems offline as a precaution after a "suspected cyber attack".
An updated message on Monday read, "Toll Global Express New Zealand has lost use and access to its email exchange."
Today, some security experts were saying the ransomware attack could be Australasia's largest ever cyber-attack, though Dean Williams, an engineer at security specialist NortonLifeLock, cautioned that "the situation was unfolding". Although large in scale, there was not enough information at this point to call it the largest ever cyber-heist.
The Toll spokeswoman would not talk about individual customers affected, but did say the freight giant had chosen to err on the side of caution as it tried to assess the attack's impact on some 500 apps.
"Given the potential implications of a ransomware attack of this nature for a business of our scale and geographic reach, we made the considered decision early that deactivating our systems was the prudent thing to do – for our customers and for our people," she said.
"You don't arrive at such decisions lightly, particularly where it involves up to 500 applications that support operations across 25 countries. It's been a deliberately cautious approach that's been pivotal in ensuring we manage, in an orderly and methodical way, the secure reinstatement of many of our platforms."
While there is never a good time for a ransomware attack, Toll was hit just as the first wave of coronavirus disruption hit, and in the middle of a drive to modernise its older software.
The latter should help prevent further attacks.
"While there's still some work to do, we're well down the path of a three-year transformation from legacy systems to a centralised and modernised technology architecture."
What to do if you're hit by ransomware
New Zealand businesses or individuals hit by a cyber-attack are advised to contact Crown agency CERT (the Computer Emergency Response Team) as their first step.
CERT acts as a triage unit, pointing people to the right law enforcement agency or technical contacts.
Ransomware incidents have remained steady since 2017, making up 2 to 3 per cent of total reports received. In the final quarter of 2019, CERT says it has received 22 ransomware reports.
NortonLifeLock's Williams did note a change in approach, however: ransomware hackers have switched their focus from trying to extract small amounts from thousands of individuals to targeting individual corporations.
The attacks are mainly targeted at businesses through email attachments or out-of-date software vulnerabilities. Williams says to beware of "phishing" scams, where an email from a hacker closely imitates a real message from the likes of a bank (although it often has a slight variation on the actual email address). Remember that your banks and other legitimate third parties will never ask you to send your password by email.
Should you pay up?
CERT director Rob Pope, like the NZ Police, recommends that people or companies hit by ransomware do not pay up.
He says there is no guarantee that data will be returned, and that funds often go to organised criminals who are also involved in hardcore offending in other areas such as drugs and human trafficking.
But when the WannaCry ransomware attack hit multiple countries in 2017, NZ lawyer Michael Wigley said those hit should consider paying up.
Data was returned in some instances, and paying up could be the pragmatic thing to do if a relatively small demand was involved, Wigley said.
He also maintained that giving in could even be the principled path.
"Sometimes paying out could even answer a legal duty. Say A has a duty to protect B's information, such as under a contract, or some other duty, and a ransom leads to a breach of that duty," he told this reporter.