Mailto Ransomware Takes a Toll on Shipping Company

27 Feb 2020

On February 3, Toll Group, an Australian transportation and logistics company, shut down its IT systems as a result of a “cyber security incident.” The organization reported shortly thereafter that multiple sites and business units had been targeted with ransomware attacks. The Mailto or Kazkavkovkiz ransomware affecting Toll Group is very similar to the many variants of targeted ransomware that sophisticated cyber criminals have launched against companies that rely on technology to deliver time-sensitive, critical services or products.

By strategically targeting industries that cannot tolerate any downtime, these criminals maximize the odds that their victims will pay the ransom to restore their services. Healthcare organizations, state and local government, industrial control systems, and now shipping companies represent ripe targets for these focused ransomware campaigns.

In many cases, the ransomware used in these types of attacks is effective, but not particularly unusual compared to other variants. Proactive, advanced malware prevention solutions that use machine learning or behavioral analysis to catch new threats often detect and block these samples, provided the payload is delivered through a path the security service inspects. For instance, WatchGuard’s APT Blocker service does detect all the variants of this particular Mailto ransomware that we’ve tested.

However, the sophisticated threat actors launching many of these targeted attacks seem to be breaching networks with presumably stolen privileged user credentials before loading any ransomware. Once inside, they use this privileged access along with legitimate internal management tools to disable and bypass security controls, and only then install the ransomware.

The general public still doesn’t know exactly how Toll’s attackers got the ransomware into their system, but if it’s similar to other targeted attacks we’ve seen globally, the best way to protect your organization, and any remote services you use, is to use secure authentication best practices and a multi-factor authentication solution like AuthPoint, along with advanced behavior-based anti-malware services. Toll won’t be the last victim of this type of targeted ransomware attack this year, so now is the best time to shore up your defenses.

Corey Nachreiner, CISSP (@SecAdept)