Toll Group continues to suffer delays, and some systems are still offline, a week after it was it by a ransomware attack that saw hackers seize control of some of its data.
But the transport and logistics giant has no intention of paying up.
"The ransom demand [for return of data] did not specify a figure. It did provide contact details for Toll to arrange a ransom payment," a company spokeswoman told the Herald last night.
"But we've made no contact with the attackers and have no intention of engaging.
"We are treating it as a criminal matter and have referred it to the relevant authorities."
Police and Crown agency CERT NZ both recommend against paying a cyber-ransom, on the basis there's no guarantee data will be released. They also see it encouraging further offending and often helps fund organised criminal networks also involved in everything from drugs to human trafficking.
However, IT lawyer Michael Wigley earlier argued that when a ransom is low, it's worth shot - and even that company could have a duty of care to retrieve clients' data.
More details of attack
The Toll spokeswoman also revealed the company was hit by a variant of the "Mailto" ransomware attack, whereby data is encrypted and a payment is demanded to make it readable again.
That backs up the company's earlier statements that no customer data appeared to have been stolen, as is sometimes the case with a ransomware attack (such as the recent Travelex heist).
"Based on a combination of automated and manual processes instituted in place of the affected IT systems, freight volumes are returning to usual levels," the spokeswoman said.
"Notwithstanding the fact services are being provided largely as normal, some customers are experiencing delays or disruption.
"We're working to address these issues as we focus on bringing our regular IT systems back online securely."
The Melbourne-based Toll operates across 50 companies, including New Zealand and China - and is running some of its systems on manual at a time when it's also grappling with complications caused by the coronavirus.
After the initial attack, the company posted a message to its locl website saying, "Toll Global Express New Zealand has lost use and access to its email exchange."
A warning beside a log-on screen for Toll's online portal read, "Toll Group is currently experiencing a suspected cyber attack." Customers were asked to confirm bookings by phone.
The message added: "We would ask that you hold any non-essential freight movements for today."
Travelex back online
January 8 saw currency exchange firm and Air New Zealand partner Travelex forced offline after a ransomware attack, during which five gigabytes of customer data was stolen, including dates of birth and credit card information.
The BBC reported a US$6 million ransom demand as Travelex resorted to pen-and-paper.
Travelex went back online on January 28. Reuters quoted the company saying it had not paid any ransom.
What to do if you're hit by ransomware
New Zealand businesses or individuals hit by a cyber-attack are advised to contact Crown agency CERT (the Computer Emergency Response Team) as their first step.
CERT acts as a triage unit, pointing people to the right law enforcement agency or technical contacts.
CERT director Rob Pope declined to comment on whether his agency had been approached by Toll.
"Because of the sensitive nature of the reports made to CERT NZ, we never confirm or deny our involvement with any particular incident," he said.