Toll attack shows ransomware is the new normal


A third of the way through the calendar, and it seems 2020 is the year we accept a “new normal”.

For Australian companies, the high-profile ransomware attack against Toll Group should be a particularly sobering wake-up call. In a matter that has recently resurfaced, the logistics giant had already been brought to its knees and taken offline for almost a month after hackers successfully locked down its systems with a ransomware variant called Mailto.

The impact of the attack rippled through Australia’s economy with household names like Telstra, Woolworths, Optus, and Nike feeling the consequences after customer shipments were affected.

In a ransomware attack, hackers aim to breach a company’s defences and trick an employee into opening a malicious email that executes a piece of malware which encrypts as much of a business’ data as it can.

The attackers then demand the business pays a ransom, typically in bitcoin or another cryptocurrency, in order to retrieve their files.

These types of attacks are extremely popular amongst hackers because they require little specialised knowledge (complete, ready-to-go ransomware-as-a-service kits are easily available on the deep and dark web), they have debilitating consequences for the victim, and – as the recent Toll breach highlights – they’re often successful.

In fact, according to a new report, it’s estimated ransomware attacks in Australia cost businesses up to $240 million in 2019 alone.

Keep in mind these figures are conservative because it’s notoriously difficult to ascertain the full depth and breadth of attacks across the country.

Regardless, a successful attack can be extremely costly to a business. In 2017, shipping giant Maersk’s operations were scuttled when a ransomware campaign propagating the highly effective NotPetya strain took hundreds of businesses and government departments offline around the world.

The cost to Maersk’s business alone was estimated to be more than $200 million.

As the Toll attack demonstrates, once you lose access to your data, it’s almost impossible to operate. The ‘open’ sign flips to ‘closed’ until you can regain your data and repair systems. Ask yourself: how much of a financial hit would your business take if it couldn’t operate for a month?

While it’s impossible to be completely protected against a ransomware attack, it is entirely possible to ensure your business can get up and running quickly in the event of a breach.

It comes down to two simple words: back up.

Year after year another ransomware strain hits the headlines and year after year the advice offered by experts is the same: continuously back up your business-critical data.

With a comprehensive backup strategy, businesses can turn back the clock and easily restore data to a point in time before the infection occurred. The more frequently snapshots are taken of business-critical data, the quicker the business can return to normalcy.

In June 2016, Queensland-based Langs Building Supplies was infected by the CryptoLocker ransomware after an employee fell victim to a phishing email. Within minutes, thousands of the company’s files were encrypted. Because Langs had a well-defined data management policy and backup solution, they were able to restore the encrypted data to versions snapshotted just before the attack occurred.

This meant they were able to restore operations in less than an hour without paying the attackers holding their data hostage.

As Matthew Day, Chief Information Officer at Langs Building Supplies, said at the time: “Since we plan for these failures, this threat was reduced to a minor inconvenience. The next day, it was like nothing happened.”

When defending against ransomware, as with cyber security more generally, there’s no silver bullet. Attackers are continuously honing their craft, updating malware variants to evade detection and creating more sophisticated phishing campaigns to fool employees into executing payloads.

The best strategy against these attacks – and one recommended by the Australian Cyber Security Centre and Australian Signals Directorate every time another ransomware variant hits the headlines – is to maintain frequent backups to restore operations from a point in time before the infection.

In 2017 and 2018 we saw WannaCry and NotPetya sweep the globe. Last year ransomware attacks took hospitals across Victoria offline. This year, Toll was crippled and 2020 became the year we accepted ransomware was the new normal. Every company must accept this new status quo and establish a ransomware remediation framework to be better prepared ahead of a breach.

Jamie Humphrey is Country Manager and GM A/NZ at Rubrik, the multi-cloud data control company