Cybersecurity threats are a significant concern for businesses and their stakeholders because data is at risk. Recently, Toll Group faced a cybersecurity threat twice in three months, which has served as a warning to the industry to review its security practices. This report discusses how the organization handled the incident and the main process by which the attack was conducted. It emphasizes the procedure used to perform the attack and the attack's signature, which others in the industry should consider when developing cyber resilience. The report evaluates the consequences of the attack for the business and identifies how similar consequences can be prevented or mitigated in other organizations facing such cyberattacks.
Organizations are increasingly focusing on data security, as it helps them retain a competitive advantage through data-driven decisions. On the other hand, cybersecurity threats are becoming more sophisticated in order to bypass the security measures that many organizations already have in place. In 2022, ransomware targeted Toll Group, demanding a ransom and leaking data.
Toll Group is a subsidiary of Japan Post Holding in Australia. The organization operates in transportation, warehousing and logistics. It has three service divisions: Global Forwarding, Global Express and Interstate Parcel Express (Toll Group, 2023). These divisions generated a combined revenue of $7.6 billion in 2022, of which $3.3 million came from Global Logistics. The organization performed strongly on projects contracted with the Singapore and Australian governments (Toll, 2023). In 2020, the organization experienced a record-breaking loss of $7.8 billion. Toll Group has more than 40,000 transportation and supply chain employees in more than 50 countries (Toll, 2023).
In May 2020, the organization faced significant operational interruptions due to a ransomware attack. It was the second such incident in three months, and it forced the organization to suspend its information technology systems. On a Monday, the organization observed unusual activity on some servers and shut them down. This resulted in disruptions and delays to the customer service experience (Schwarz et al., 2021). The organization had to take booking, pickup and shipment systems offline for a time, while parcel deliveries were largely unaffected (Cheung et al., 2021).
The Nefilim ransomware disrupted organizational functions and information systems. This ransomware encrypts files using AES-128 and secures them with RSA-2048; all encrypted files are then renamed with the .NEFILIM extension (Groenewegen et al., 2020). The signature of this ransomware is similar to that of the Nemty ransomware family. In this attack, Tor payment sites are not used for the ransom; instead, the malware relies on email communication for payment. A report indicated that the organization lost around 200 GB of business data and that customers experienced poor service. In subsequent months, several other organizations were hit by the same ransomware. Recent versions of Nefilim have been observed appending the MILIHPEN and DERZKO extensions to files and dropping ransom notes in files named MILIHPEN-INSTRUCT.txt and DERZKO-HELP.txt respectively (Reshmi, 2021).
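The file-level indicators just described (renamed extensions, the named ransom notes, and the high entropy that AES-encrypted content exhibits) can be checked on disk with a short triage scanner. The following is an added example written for this report, not code from any of the cited sources; the directory fixture it builds is constructed, and the entropy threshold of 7.5 bits per byte is an assumed heuristic.

```python
import math
import os
import tempfile
from pathlib import Path

# Artifacts named in the report: the renamed-file extensions and the ransom-note
# file names dropped by Nefilim and its later MILIHPEN/DERZKO variants.
RANSOM_EXTENSIONS = {".nefilim", ".milihpen", ".derzko"}
RANSOM_NOTES = {"MILIHPEN-INSTRUCT.txt", "DERZKO-HELP.txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; AES-encrypted content scores close to 8.0, plain text far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_tree(root, sample_bytes=4096, entropy_threshold=7.5):
    """Walk a directory and collect Nefilim-style indicators by category."""
    findings = {"renamed_files": [], "ransom_notes": [], "high_entropy": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name in RANSOM_NOTES:
            findings["ransom_notes"].append(path.name)
            continue
        if path.suffix.lower() in RANSOM_EXTENSIONS:
            findings["renamed_files"].append(path.name)
        # Only the first sample_bytes are read so the scan stays cheap on large files.
        with path.open("rb") as fh:
            if shannon_entropy(fh.read(sample_bytes)) >= entropy_threshold:
                findings["high_entropy"].append(path.name)
    return findings


def looks_like_nefilim(findings) -> bool:
    """A ransom note or a renamed file is enough to escalate; entropy alone is not."""
    return bool(findings["ransom_notes"] or findings["renamed_files"])


def build_sample_tree():
    """Constructed fixture (not real data): one 'encrypted' file, one note, one clean file."""
    root = Path(tempfile.mkdtemp())
    (root / "report.docx.NEFILIM").write_bytes(os.urandom(8192))  # stands in for ciphertext
    (root / "MILIHPEN-INSTRUCT.txt").write_text("constructed ransom-note placeholder\n")
    (root / "notes.txt").write_text("quarterly planning notes\n" * 50)
    return root
```

High entropy on its own also matches legitimately compressed or encrypted files, which is why the verdict function only escalates on the named artifacts.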
This ransomware targets public-facing applications to gain initial access. Organizations with poorly secured and unpatched Citrix remote access technology were targeted. The attackers threatened to release the organizations' data to the public if they failed to pay a certain amount within a certain time (SISA, 2021). In the case of Toll Group and others, the attack vector has been identified as remote desktop access. Compared with similar ransomware such as Nemty 2.5, Nefilim did not use Tor payment sites and instead relied on email communication for the ransom. It also does not operate under a ransomware-as-a-service model (Soares et al., 2020).
Exposed remote desktop access was the major cause of this ransomware attack on the organization. However, several other techniques are used to reach target information technology systems. For instance, spam emails, free software, peer-to-peer file sharing, torrent websites and malicious websites are used to spread the ransomware to target computers. Once the malicious code is delivered to the target device, the malware interacts with the native operating system API to carry out its behaviours (Mane, 2021). For example, if the remote desktop protocol is compromised, the attacker downloads a malicious file onto the system. This file later downloads a RAR archive from a VPS-hosted server. A few hours later, another RAR file is downloaded from a remote server; it contains several files: the ransomware executable, a batch file to stop or kill processes on the system, a PsExec.exe binary to execute commands, another batch file containing a copy command to distribute the process-killing batch file to other systems, and further batch files used to access the server remotely (Soares et al., 2020).
Once the files are on the system, the attacker chains the batch files so that the copy command distributes the process-killing batch file to other servers. PsExec.exe is used with stolen administrator credentials to make remote execution possible. Once the attack is launched, the ransomware encrypts the files on the host. The chosen file extension, the ransom notes and the attackers' email addresses are then provided so that the ransom demand can proceed (SISA, 2021).
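The staging sequence described above (a remote-execution tool launched from the foothold host, then a batch file copied out to other machines' administrative shares) leaves a recognisable pattern in process-creation telemetry. The detection logic below is an added example written for this report, not code from any of the cited sources; the log format and the four sample events are constructed, not real Toll Group telemetry.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a simple key=value format;
# cmdline is always the last field and may contain spaces.
SAMPLE_EVENTS = [
    "ts=2020-05-04T02:11:05Z host=FS01 user=CORP\\svc_admin image=C:\\Windows\\Temp\\psexec.exe cmdline=psexec.exe \\\\FS02 -s cmd /c C:\\Temp\\stop.bat",
    "ts=2020-05-04T02:11:09Z host=FS01 user=CORP\\svc_admin image=C:\\Windows\\System32\\cmd.exe cmdline=cmd /c copy C:\\Temp\\stop.bat \\\\FS03\\C$\\Temp\\",
    "ts=2020-05-04T02:11:12Z host=FS01 user=CORP\\svc_admin image=C:\\Windows\\System32\\cmd.exe cmdline=cmd /c copy C:\\Temp\\stop.bat \\\\FS04\\ADMIN$\\",
    "ts=2020-05-04T02:12:00Z host=WS17 user=CORP\\jsmith image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe report.txt",
]

# Indicator 1: the remote-execution tool the report names (PsExec), whatever path it runs from.
REMOTE_EXEC_TOOL = re.compile(r"(?:^|\\)psexec(?:64)?\.exe$", re.IGNORECASE)
# Indicator 2: a batch file copied to another host's administrative share (C$, ADMIN$, ...).
ADMIN_SHARE_COPY = re.compile(r"\bcopy\b.*\.bat\b.*\\\\[\w.-]+\\(?:[a-z]\$|admin\$)", re.IGNORECASE)
# Hostnames referenced as UNC paths in a command line (used to list lateral-movement targets).
UNC_HOST = re.compile(r"\\\\([\w.-]+)(?=\\|\s|$)")


def parse_event(line):
    head, _, cmdline = line.partition(" cmdline=")
    fields = dict(tok.split("=", 1) for tok in head.split())
    fields["cmdline"] = cmdline
    return fields


def classify(event):
    tags = set()
    if REMOTE_EXEC_TOOL.search(event["image"]):
        tags.add("remote_execution_tool")
    if ADMIN_SHARE_COPY.search(event["cmdline"]):
        tags.add("batch_to_admin_share")
    return tags


def correlate(lines):
    """Alert on hosts showing both indicators; returns {source_host: sorted target hosts}."""
    per_host = defaultdict(lambda: {"tags": set(), "targets": set()})
    for line in lines:
        event = parse_event(line)
        tags = classify(event)
        if not tags:
            continue
        record = per_host[event["host"]]
        record["tags"] |= tags
        record["targets"] |= set(UNC_HOST.findall(event["cmdline"]))
    return {host: sorted(rec["targets"]) for host, rec in per_host.items()
            if {"remote_execution_tool", "batch_to_admin_share"} <= rec["tags"]}
```

Requiring both indicators on the same source host keeps routine administrative use of PsExec from alerting on its own, while the target list tells responders which machines to isolate first.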
The threat actor behind the attack has not been identified, but the attacker's main purpose was clearly to steal data and threaten the organization for ransom. The cyber kill chain is a useful framework for identifying and preventing attacks (Yadav and Rao, 2015). According to this framework, and in particular its actions-on-objectives stage, the attack was conducted for financial gain, destruction of data and intrusion into further systems. The attack cost the business 200 GB of data, on top of the impact on the customer service experience and operations (Ahmed, 2020).
Cybersecurity attacks may have direct and indirect impacts on organizations. As a direct impact, the organization may be unable to access critical and sensitive data, and routine operations may be affected. Indirectly, an attack can expose the organization to legal complications and damage its reputation among stakeholders. In the context of Toll Group, the consequences of the cyberattacks are identified as follows:
The organization has not disclosed the cost of the attack. However, the attack was recognized through unusual activity on some servers, and the systems were then taken offline to prevent further spread. Before the systems were shut down, the attack had affected several servers. Nevertheless, significant spread and cost were prevented by timely action (Groenewegen et al., 2020). Aside from this, the ransomware appears to have penetrated the systems deeply, because this was not the first time: the organization experienced a ransomware attack for the second time in three months. This suggests that weaknesses in the security mechanisms allowed attackers to regain access to the servers.
According to the Australian Cyber Security Centre, organizations and individuals should not pay ransoms to cybercriminals. In certain cases, doing so is considered illegal. Several regulations come into play when paying a ransom or interacting with cybercriminals to exchange information. For example, the Criminal Code Act 1995 codifies the general principles of criminal responsibility under Commonwealth law (Kost, 2023). This act helps to identify whether a particular incident, and the organization's response to it, keeps the organization within the boundaries of the law.
Similarly, counter-terrorism and anti-money-laundering legislation helps to detect and deter terrorism financing and money laundering. If the organization pays the ransom, it is indirectly breaking the law. In the case of Toll Group, a breach of the data privacy act has been identified, as the attacker compromised the security and privacy of the data.
The cyberattack damaged the organization's reputation. This affects cash inflow through a direct impact on the confidence of shareholders and investors. Customers experienced delays in service, which encouraged them to look for alternative providers in the market. The attack also put customers at risk through the exposure of their personally identifiable information (Shafqat and Masood, 2016). There is reputational damage regarding security practices, operational activities and the organization's conduct toward cybercriminals.
In the current case, the Information Commissioner's office has not issued financial penalties to Toll Group for the weaknesses in its systems. Still, the organization must act with precaution in future. If such consequences recur, there is a high possibility that the organization will face penalties and legal complications for cybersecurity breaches.
Apart from these losses and damage, the organization faced significant interruptions to business operations and services. The following is an evaluation of the strengths and weaknesses of the organization's security practices in relation to the cyberattack.
The organization has a strong team of information technology professionals and uses adequate security procedures throughout its operations. However, there is no comprehensive regular audit of the systems, which is how the attacker was able to reach the remote desktop protocol. This indicates that some open ports may not have been closed after use, and attackers used them to target the servers. Similarly, there is a lack of network-level authentication for remote desktop access, so the attackers were not identified when they initiated server requests and obtained a portion of the data (Reshmi, 2021).
Users may have visited malicious websites and downloaded content such as free software. Inadequate user access control and role management in the network infrastructure allow users to access resources outside their scope and role and enable them to execute code on their systems. This indicates that the organization may not be using a well-configured firewall, and that the access domain of users is not adequately controlled.
The organization can use ransomware protection systems from major vendors such as IBM. Such products use artificial intelligence for proactive threat detection and support quicker recovery. The software can be used for threat detection, response, backup and recovery. Aside from this, the lack of zero trust adoption, risk management services and endpoint security are major causes of cybersecurity threats (IBM, 2023).
The nature of the incident suggests that employees were at the core of inviting the attackers into the network. They may have downloaded malicious code from malicious websites, or alternatively opened phishing emails and links. This indicates a need to train staff to use internet services wisely and to protect data, applications and systems (He and Zhang, 2019). Training in cyber resilience and awareness is important for shaping how individuals interact with the network and manage information. Training in immediate action, reporting incidents to management and fostering knowledge sharing is critical to preventing cybersecurity threats.
This is the second time ransomware has struck and disrupted operations. It indicates that the organizational team lacks the skills and experience to manage the systems and network services, and therefore cannot address the root cause of the problem. This leaves the network more vulnerable, as attackers can strike again with more sophisticated attacks and approaches. Staff experience in cybersecurity practice is therefore an important concern. Aside from this, employees lack awareness of cybersecurity attacks, post-attack actions, and data protection policies and procedures (He and Zhang, 2019). This lack of awareness leads them to download malicious code and open emails and attachments from unknown sources.
The ransomware attack on Toll Group offers lessons for others. The following are the major recommendations for mitigating a Nefilim ransomware attack:
Aside from these recommendations for protection against Nefilim, several other recommendations can help the organization protect itself against other variants of ransomware:
In 2021, the UK recorded 400,000 reports of cybercrime and fraud, of which 60,111 were registered by businesses. Around 80% of organizations also experienced a cyberattack in 2021-22. In the past 12 months, 73% of organizations in the country have experienced some kind of ransomware attack. However, there has been no significant improvement in security budgets, which remain at 13% as in previous years. Of these attacks, 43% were stopped before the ransomware encrypted and damaged the data (O'Driscoll, 2023). From an economic perspective, $1.08 million is spent on ransoms to deal with ransomware attacks.
Ahmed, D., 2020. Dark Web hackers publish 200GB of Toll Group's stolen corporate data. Retrieved from: https://www.hackread.com/dark-web-hackers-leak-200gb-toll-group-stolen-corporate-data/. Accessed on: 31 March 2023.
Cheung, K.F., Bell, M.G. and Bhattacharjya, J., 2021. Cybersecurity in logistics and supply chain management: An overview and future research directions. Transportation Research Part E: Logistics and Transportation Review, 146, p.102217.
Coden, M., Reeves, M., Pearlson, K., Madnick, S. and Berriman, C., 2023. An Action Plan for Cyber Resilience. MIT Sloan Management Review, 64(2), pp.1-6.
Groenewegen, A., Alqabandi, M., Elamin, M. and Paardekooper, P., 2020. A behavioral analysis of the ransomware strain Nefilim.
He, W. and Zhang, Z., 2019. Enterprise cybersecurity training and awareness programs: Recommendations for success. Journal of Organizational Computing and Electronic Commerce, 29(4), pp.249-257.
IBM, 2023. Ransomware protection. Retrieved from: https://www.ibm.com/ransomware. Accessed on: 31 March 2023.
Kost, E., 2023. Should Australian Businesses Pay Ransoms to Cybercriminals? Retrieved from: https://www.upguard.com/blog/should-australian-businesses-pay-ransoms-to-cybercriminals. Accessed on: 31 March 2023.
Mane, B., 2021. Nefilim Ransomware. Retrieved from: https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware. Accessed on: 31 March 2023.
O'Driscoll, A., 2023. UK cyber security and cyber crime statistics (2023). Retrieved from: https://www.comparitech.com/blog/information-security/uk-cyber-security-statistics/. Accessed on: 31 March 2023.
Reshmi, T.R., 2021. Information security breaches due to ransomware attacks: a systematic literature review. International Journal of Information Management Data Insights, 1(2), p.100013.
Schwarz, M., Marx, M. and Federrath, H., 2021. A structured analysis of information security incidents in the maritime sector. arXiv preprint arXiv:2112.06545.
Shafqat, N. and Masood, A., 2016. Comparative analysis of various national cyber security strategies. International Journal of Computer Science and Information Security, 14(1), pp.129-136.
SISA, 2021. Nefilim ransomware. Retrieved from: https://www.sisainfosec.com/blogs/nefilim-ransomware. Accessed on: 31 March 2023.
Soares, J., Mendoza, E. and Yaneza, J., 2020. Investigation into a Nefilim Attack Shows Signs of Lateral Movement, Possible Data Exfiltration. Retrieved from: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/investigation-into-a-nefilim-attack-shows-signs-of-lateral-movement-possible-data-exfiltration. Accessed on: 31 March 2023.
Toll Group, 2023. About us. Retrieved from: https://www.tollgroup.com/about. Accessed on: 31 March 2023.
Toll, 2023. Toll Group delivers strong performance in financial year 2022. Retrieved from: https://www.tollgroup.com/toll-group-delivers-strong-performance-financial-year-2022. Accessed on: 31 March 2023.
Yadav, T. and Rao, A.M., 2015. Technical aspects of cyber kill chain. In Security in Computing and Communications: Third International Symposium, SSCC 2015, Kochi, India, August 10-13, 2015. Proceedings 3 (pp. 438-452). Springer International Publishing.