Australian shipping giant Toll informed customers on Tuesday that it has shut down some IT systems after discovering a piece of ransomware. This is the second ransomware incident disclosed by the company this year.
Toll said it discovered the ransomware after seeing unusual activity on some servers. An investigation revealed an infection with Nefilim ransomware, a fairly new threat that has been linked to the Nemty ransomware.
The company says it does not plan on paying any ransom demands and claims it has found no evidence that data has been exfiltrated from its network. However, Bleeping Computer reported in March that Nefilim authors do claim to steal data and threaten to make it public unless they are paid.
Toll has shut down its MyToll portal as a result of the incident and the company is currently working on cleaning affected systems and restoring files from backups. The company says it’s using manual processes to continue providing services, but some customers have reported delays or disruption.
In an update shared on Wednesday, Toll said freight shipments and parcel deliveries are largely unaffected, and the company revealed that it’s prioritizing the delivery of essential items, such as medical and healthcare supplies needed during the COVID-19 coronavirus outbreak.
“We’re working closely with our large enterprise customers whose services are affected and, for our SME customers and consumers, we’re providing updates on work-around processes through our digital and social channels including Toll’s company and MyToll websites,” Toll stated. “We expect to maintain current business continuity and manual processing arrangements through the week, and we are in regular contact with the Australian Cyber Security Centre (ACSC) regarding the investigation and recovery process.”
This is the second time Toll has been hit by ransomware this year. The company previously found Mailto ransomware on some systems in late January, but says the incidents are unrelated. The earlier incident reportedly impacted operations in Australia, India and the Philippines, with some unconfirmed reports claiming that the malware had infected over 1,000 servers.
Owned by Japan Post, Toll has over 40,000 employees and claims to have a global logistics network that spans across 1,200 locations in more than 50 countries.