Secplicity - Security Simplified

Powered by WatchGuard Technologies

Mailto Ransomware Takes a Toll on Shipping Company

February 7, 2020 By Corey Nachreiner

On February 3, Toll Group, an Australian transportation and logistics company, shut down its IT systems as a result of a “cyber security incident.” The organization reported shortly thereafter that multiple sites and business units had been targeted with ransomware attacks. The Mailto or Kazkavkovkiz ransomware affecting Toll Group is very similar to the many variants of targeted ransomware that sophisticated cyber criminals have launched against companies that rely on technology to deliver time-sensitive, critical services or products.

By strategically targeting industries that cannot operate well with any downtime, these criminals maximize the odds that their victims will pay the ransom to recover their services. Healthcare organizations, state and local government, industrial control systems, and now shipping companies represent ripe targets for these focused ransomware campaigns.

In many cases, the ransomware used in these types of attacks is effective, but not particularly unusual compared to other variants. Proactive, advanced malware prevention solutions that use machine learning or behavioral analysis to catch new threats often detect and block these samples, provided the samples are delivered through a path the security service inspects. For instance, WatchGuard’s APT Blocker service does detect all the variants of this particular Mailto ransomware that we’ve tested.

However, the sophisticated threat actors launching many of these targeted attacks seem to be breaching networks using presumably stolen, privileged user credentials before loading any ransomware. In that case, they use this privileged access along with legitimate internal management tools to disable and bypass security controls in order to install the ransomware.

The general public still doesn’t know exactly how Toll’s attackers got the ransomware into its systems, but if it’s similar to other targeted attacks we’ve seen globally, the best way to protect your organization, and any remote services you use, is to follow secure authentication best practices and use a multi-factor authentication solution like AuthPoint, along with advanced behavior-based anti-malware services. Toll won’t be the last victim of this type of targeted ransomware attack this year, so now is the best time to shore up your defenses.

—Corey Nachreiner, CISSP (@SecAdept)

Filed Under: Editorial Articles Tagged With: ransomware
