By: Anthony Canning
April 3, 2020
Toll Ransomware Attack - The Dark Side of Encryption
Who is Toll and what happened?
On the 31st of January 2020, Toll, an Australian-based, internationally operating shipping and logistics company, was the subject of a targeted ransomware attack. In response, the company shut down as many as one thousand infected servers, which effectively crippled its IT infrastructure and brought logistics operations to all but a standstill. The company was tight-lipped about the details surrounding the attack and did not release any statements until the 3rd of February; initially, Toll reported only that it had shut down many of its systems as a precautionary measure in response to the cyberattack.
How did it happen?
The attackers in this case exploited a vulnerability in the Citrix Application Delivery Controller (ADC), known as CVE-2019-19781. This vulnerability enables unauthenticated attackers to achieve arbitrary code execution remotely; in other words, they can run commands on the appliance without logging in with credentials. Once they were able to execute code, the attackers infected vulnerable systems with ransomware called Mailto (Netwalker).
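As an added illustration (not code from the original post), a small detector for exploitation attempts against CVE-2019-19781 in web-server access logs: it applies the same test Citrix used in its public interim mitigation, a request URL that, once decoded, contains both "/vpn/" and "/../". The log lines, paths and IP addresses are constructed for the example.

```python
"""Flag CVE-2019-19781 exploitation attempts in web-server access logs."""
import re
from urllib.parse import unquote

# Constructed sample lines in a Common Log Format layout (not from Toll or Citrix).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2020:02:14:07 +1100] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.9 - - [30/Jan/2020:02:14:09 +1100] "GET /vpn/../vpns/example HTTP/1.1" 200 88
203.0.113.9 - - [30/Jan/2020:02:14:10 +1100] "POST /vpn/%2e%2e/vpns/example HTTP/1.1" 200 0
198.51.100.2 - - [30/Jan/2020:02:15:00 +1100] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048
"""

# Source address, timestamp, method and request path from a CLF line.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)


def is_traversal_attempt(path: str) -> bool:
    """Mirror the check in Citrix's public interim mitigation: the decoded URL
    contains both "/vpn/" and "/../". Decoding twice also catches
    double-encoded traversal sequences such as %252e%252e."""
    decoded = unquote(unquote(path))
    return "/vpn/" in decoded and "/../" in decoded


def find_suspicious(log_text: str) -> list:
    """Return one record per log line whose request path looks like an attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        if is_traversal_attempt(m["path"]):
            hits.append({"src": m["src"], "ts": m["ts"],
                         "method": m["method"], "path": m["path"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['method']} {hit['path']}")
```

Any hit on an unpatched appliance after the 17 December 2019 disclosure is a reason to treat the device as compromised until proven otherwise, not merely to apply the patch.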
What is ransomware?
Ransomware is a form of malware which, once installed, encrypts all accessible files on the infected computer. After doing so, a message generally appears on the screen explaining that the victim's files have been encrypted with a secret key. In order to decrypt the files, the end user must pay a ransom. These ransoms are usually demanded in a cryptocurrency, most notably bitcoin, to avoid revealing information about the attackers. Often, the malware is accompanied by a countdown to when the ransom will be increased and a deadline after which the data becomes completely unrecoverable. The threat of losing the data forever is very real, since cracking a 128-bit or stronger cipher is practically impossible even with the most powerful supercomputers. There have recently been many other notable incidents in which large companies have had to pay ransoms to retrieve their data, and end users around the world are falling victim to these attacks at an astonishing rate.
Could Toll have prevented this attack?
In short, maybe. Mikhail Klyuchnikov brought the vulnerability to the attention of Citrix, and Citrix publicly disclosed it on the 17th of December 2019. Citrix worked rapidly to develop fixes for the vulnerability and released patches for all versions of the firmware by the 24th of January 2020, about a week before Toll was attacked. Given the sheer size of the Toll network, it may not have been possible to roll out security fixes rapidly on such a large scale without severely hindering access to services. What the situation highlights, however, is just how important it is that companies remain vigilant to new Common Vulnerabilities and Exposures (CVEs), and that organizations have efficient procedures in place for rapid security patch management.
What does the attack on Toll mean for everyone else?
With businesses' ever-increasing reliance on technology and internet connectivity to drive productivity and improve customer experiences, the attack on Toll reinforces the importance of well-implemented, staffed, and resourced cybersecurity teams to the overall viability of businesses. It is no surprise, then, that cybersecurity professionals are in such high demand at the moment. With a current shortage of trained professionals, which is only expected to grow, now is a great time to start a career in the field. If you are interested in starting a career in cybersecurity or improving your knowledge and skills, you can choose a tailored career path from development courses in all of the major areas of cybersecurity.