Abstract

Cybersecurity threats are significant concerns for businesses and their stakeholders because data is at risk. Recently, Toll Group faced a cybersecurity threat twice in three months, and it has warned the industry to review its security practices. This report discusses how the organization handled the incident and the primary process used to conduct the attack. It emphasizes the procedure used to perform the attack and the signature of the attack that others in the industry should consider in order to develop cyber resilience. The report evaluates the consequences of the attack on the business and identifies how similar consequences can be prevented or mitigated in other organizations facing such cyberattacks.

Literature Review

Organizations are increasingly focusing on data security because it helps them retain competitive advantages through data-driven decisions. On the other side, cyber security threats are becoming more sophisticated in bypassing the security measures that many organizations already have in place. In 2022, ransomware targeted Toll Group for ransom and data leakage.

Toll Group is an Australian subsidiary of Japan Post Holdings. The organization operates in transportation, warehousing and logistics. It has three service divisions: Global Forwarding, Global Express and the interstate parcel express company (Toll Group, 2023). These divisions generated a combined revenue of $7.6 billion in 2022, of which $3.3 million was generated by Global Logistics. The organization performed significantly in projects contracted with the Singapore and Australian governments (Toll, 2023). In 2020, the organization experienced a record-breaking loss of $7.8 billion. Toll Group has more than 40,000 transportation and supply chain employees in more than 50 countries (Toll, 2023).

In May 2020, the organization faced significant operational interruptions due to a ransomware attack. It was the second attack in three months, and it forced the organization to suspend its information technology systems. On a Monday, the organization observed unusual activity on some servers and shut them down. This resulted in disruptions and delays in the customer service experience (Schwarz et al., 2021). The organization had to take booking, pickup and shipment systems offline for a time, while there was largely no impact on parcel deliveries (Cheung et al., 2021).

Nefilim ransomware impacted organizational functions and information systems. This ransomware encrypts files using AES-128 and protects the AES keys with the RSA-2048 algorithm. All encrypted files are then renamed with the .NEFILIM extension (Groenewegen et al., 2020). The signature of this ransomware is similar to that of the Nemty ransomware family. In this attack, Tor payment sites are not used for ransom; instead, the malware uses email communication for payment. A report indicated that the organization lost around 200 GB of business data and that customers experienced poor service. In subsequent months, several other organizations were impacted by the same ransomware. Recent versions of Nefilim have been identified appending the MILIHPEN and DERZKO extensions to files, with ransom notes dropped in files named MILIHPEN-INSTRUCT.txt and DERZKO-HELP.txt respectively (Reshmi, 2021).

This ransomware targeted public-facing applications to gain initial access. Organizations with poorly secured and unpatched Citrix remote access technology were targeted. The attackers threatened to release the organizations' data to the public if they failed to pay a certain amount within a certain time (SISA, 2021). In the case of Toll Group and others, the attack vector was identified as being related to remote desktop access. Compared to similar ransomware, such as Nemty 2.5, it did not use Tor payment sites and preferred email communication for ransom. Also, it was not operated as ransomware-as-a-service on the target systems (Soares et al., 2020).

Exposure of remote desktop access is a major cause of this ransomware attack on the organization. However, several other techniques are used to reach target information technology systems. For instance, spam emails, free software, peer-to-peer file sharing, torrent websites and malicious websites are used to spread the ransomware to target computers. Once the malicious code is delivered to the target device, the malware interacts with the native operating system API to execute its behaviours (Mane, 2021). For example, if the remote desktop protocol is compromised, the attacker attempts to download a malicious file onto the system. This malicious file later downloads a RAR archive from a VPS-hosted server. After a few hours, one more RAR file is downloaded from a remote server; this file contains several components: the ransomware executable, a batch file to stop or kill processes on the system, a PsExec.exe file to execute commands, another batch file containing copy commands to distribute the process-killing batch file to other systems, and further batch files used to access servers remotely (Soares et al., 2020).

Once the files are downloaded onto the system, the attacker combines the batch files so that the copy command distributes the process-killing batch files to other servers. PsExec.exe is used to steal administrator credentials so that remote execution becomes possible. Once the attacker launches the attack, the ransomware encrypts the files on the host. Then the file extension, ransom notes and the attackers' email addresses are provided so that the victim can proceed with the ransom payment (SISA, 2021).
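The sequence described in the two paragraphs above (RAR staging, process-killing batch files, copy to admin shares, PsExec for remote execution) is what a defender would want to detect as a combination rather than as isolated events. The following is an added example, not code from the report or any cited vendor; the log lines are constructed and the field layout, rule names and three-rule threshold are assumptions.

```python
"""
Detection logic for the hands-on-keyboard sequence described above: a RAR
archive staged on the host, batch files that stop or kill processes, copy
commands to admin shares, and PsExec used for remote execution. The log
lines are constructed for this example and only loosely mimic Windows
process-creation events; they are not from Toll Group or any vendor report.
"""
import re
from collections import defaultdict

# Constructed sample events: "<timestamp> <host> <user> <image> <command line>"
SAMPLE_EVENTS = [
    "2020-05-04T01:02:11 FS01 corp\\svc_rdp cmd.exe cmd /c unrar x C:\\Users\\Public\\stage.rar C:\\Users\\Public\\",
    "2020-05-04T01:05:40 FS01 corp\\svc_rdp cmd.exe cmd /c C:\\Users\\Public\\kill.bat",
    "2020-05-04T01:05:41 FS01 corp\\svc_rdp taskkill.exe taskkill /F /IM sqlservr.exe",
    "2020-05-04T01:05:42 FS01 corp\\svc_rdp net.exe net stop \"Veeam Backup Service\"",
    "2020-05-04T01:07:03 FS01 corp\\svc_rdp cmd.exe copy C:\\Users\\Public\\kill.bat \\\\FS02\\C$\\Windows\\Temp\\kill.bat",
    "2020-05-04T01:07:09 FS01 corp\\svc_rdp psexec.exe psexec.exe \\\\FS02 -s cmd /c C:\\Windows\\Temp\\kill.bat",
    "2020-05-04T01:30:00 WS17 corp\\alice excel.exe excel.exe C:\\Users\\alice\\q2.xlsx",
]

# One rule per behaviour named in the text, expressed as a regex over the command line.
RULES = {
    "rar_staging": re.compile(r"\b(?:unrar|rar|winrar)(?:\.exe)?\b.*\.rar\b", re.I),
    "process_kill": re.compile(r"\b(?:taskkill(?:\.exe)?\s+/F|net(?:\.exe)?\s+stop)\b", re.I),
    "admin_share_copy": re.compile(r"\bcopy\b.*\\\\[\w.-]+\\(?:C|ADMIN)\$\\", re.I),
    "psexec_remote": re.compile(r"\bpsexec(?:\.exe)?\s+\\\\", re.I),
}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<image>\S+)\s+(?P<cmd>.*)$"
)


def parse_event(line):
    """Split one constructed log line into its fields; None if malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def match_rules(event):
    """Names of the rules whose pattern appears in the event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmd"])]


def correlate(lines, min_distinct=3):
    """Per-host alert: {host: sorted rule names} for hosts whose events hit at
    least `min_distinct` distinct rules. A lone taskkill or copy is routine
    admin noise; the combination is the signature the text describes."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name in match_rules(ev):
            hits[ev["host"]].add(name)
    return {host: sorted(rules) for host, rules in hits.items() if len(rules) >= min_distinct}


if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```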

The threat actor behind the attack has not been identified, but it is identified that the attacker's main purpose was to steal data and threaten the organization for ransom. The cyber kill chain is a significant framework for identifying and preventing attacks (Yadav and Rao, 2015). According to this framework and its actions-on-objectives stage, the attack was conducted for financial gain, destruction of data and intrusion into other systems. The attack resulted in a loss of 200 GB of data for the business, in addition to the impact on customer service experience and operations (Ahmed, 2020).

Evaluation

Cybersecurity attacks may have a direct and an indirect impact on organizations. As a direct impact, the organization may not be able to access critical and sensitive data, and routine operations may be affected. Indirectly, an attack can expose the organization to legal complications and damage its reputation among stakeholders. In the context of Toll Group, the consequences of the cyberattacks are identified as follows:

Extent and Cost of the Breach

The organization has not disclosed the cost of the attack. However, the attack was recognized through unusual activity on some servers, and the systems were then taken offline to avoid further spread. Before the systems were taken down, the attack had impacted several servers. However, significant spread and cost were prevented through timely action (Groenewegen et al., 2020). Aside from this, the ransomware had penetrated deep into the systems because this was not the first incident; the organization experienced a ransomware attack for the second time in three months. This means some weaknesses in the security mechanisms allowed attackers to regain access to the servers.

Laws Broken

According to the Australian Cyber Security Centre, organizations and individuals should not pay ransoms to cybercriminals. In certain cases, doing so is considered illegal. Several regulations come into play when paying a ransom or interacting with cybercriminals to exchange information. For example, the Criminal Code Act 1995 codifies the general principles of criminal responsibility under the laws of the Commonwealth (Kost, 2023). This act helps identify whether a particular incident, and the organization's actions in response to it, place the organization within the scope of criminal liability.

Similarly, there is counter-terrorism and anti-money laundering legislation, which helps to detect and deter terrorism financing and money laundering. If the organization pays the ransom, it is indirectly breaking the law. In the case of Toll Group, a breach of the data privacy act is identified, as the attacker compromised data security and privacy.

Damage to Reputation

The cyberattack has damaged the organization's reputation. It affects the business's cash inflow through a direct impact on the interests of shareholders and investors. Customers experienced delays in services, which encouraged them to look for alternative services in the market. Similarly, the attack also threatened customers who had submitted their personally identifiable information (Shafqat and Masood, 2016). There is damage to reputation regarding security practices, operational activities and organizational behaviour toward cybercriminals.

Financial Penalties

In the current case, Toll Group has not been issued financial penalties by the information commissioner for the weaknesses in its systems. Still, it is required to handle future incidents with precaution. If the consequences continue in future, there is a high possibility that the organization will face penalties and legal complications for cybersecurity breaches.

Apart from these losses and damage, the organization faced significant interruptions to business operations and services. The following is an evaluation of the organization's security practices, covering their strengths and weaknesses in relation to the cyberattack.

Security Processes

The organization has a strong set of information technology professionals and uses adequate security procedures throughout its operations. However, there is no comprehensive regular audit of the systems, which is how the attacker was able to access the remote desktop protocol. This indicates that some open ports might not have been closed after use, and attackers used these to target the servers. Similarly, there was a lack of network-level authentication for remote desktop access, so the attackers were not identified when they initiated server requests and obtained a portion of the data (Reshmi, 2021).

Users may have accessed malicious websites and downloaded content such as free software. Inadequate user access control and role management in the network infrastructure allow users to access resources outside their scope and role and enable them to execute code on their systems. This indicates that the organization may not be using a well-configured firewall, and that access is not controlled according to users' access domains.

Technologies

The organization can use ransomware protection systems from major vendors such as IBM. Such products use artificial intelligence for proactive threat detection and support quicker recovery. The software can be used for threat detection, response, backup, and recovery. Aside from this, the lack of zero trust adoption, risk management services and end-point security are major causes of cybersecurity threats (IBM, 2023).

Training

The nature of the incident helps to understand that employees are at the core of inviting attackers into the network. They may have used malicious websites to download malicious code. Alternatively, they may have opened phishing emails and links. This indicates a need to train staff to use internet services wisely and to ensure the protection of data, applications and systems (He and Zhang, 2019). Training on cyber resilience and awareness is important to ensure that individuals interact safely with the network and manage information properly. Training for immediate action, reporting incidents to management and fostering knowledge sharing is critical to preventing cybersecurity threats.

Experience and Awareness

This is the second time ransomware has attacked and disrupted operations. It indicates that the organizational team lacks the skills and experience to manage the systems and network services, and therefore cannot address the source of the problem. This makes the network more vulnerable, as attackers can strike again with more sophisticated attacks and approaches. Therefore, people's experience in cybersecurity practice is an important concern. Aside from this, employees lack awareness of cybersecurity attacks, post-attack actions, and data protection policies and procedures (He and Zhang, 2019). This lack of awareness leads them to download malicious code and open emails and attachments from unknown sources.

Recommendations and Conclusions

The ransomware attack on Toll Group leaves lessons for others. The following are the major recommendations to mitigate Nefilim ransomware attacks:

  1. Organizations must ensure that the remote desktop protocol is not open to the internet. This means closing TCP port 3389 on hosts and servers that do not use RDP services.
  2. It is recommended to enable network-level authentication for remote desktop access. In certain cases, malicious code on hosts may capture credentials and transfer them to the attacker. In such cases, network-level authentication helps to identify attackers and prevent them from connecting to the target system (Groenewegen et al., 2020).
  3. Security devices may record indicators of compromise. Such indicators must be blocked to prevent further occurrences. It is recommended to resolve indicators of compromise as a priority and enable an extended set of security controls in the network infrastructure.
  4. Missing security patches are a major cause of ransomware attacks. Nefilim may impact an organization if the operating system and its application programming interfaces have known security issues. Security patches for application software are also significant in mitigating the risk of ransomware (Mane, 2021).
  5. In certain cases, attackers use email to deliver malicious code. It is strongly recommended not to open emails and attachments from unknown senders.
  6. Organizations should ensure that employees use software only from authorized sources. This means using licensed software and avoiding cracked and illegal software in routine operations.
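The first four recommendations above can be checked mechanically against a host inventory. The following audit is an added example, not code from the report or any vendor; the host records, their field names, the sample audit date and the 30-day patch threshold are constructed assumptions.

```python
"""
Audit of the Nefilim-specific recommendations above: RDP exposed to the
internet, port 3389 open where RDP is unused, network-level authentication
off, unresolved indicator alerts, and overdue patches. The host records,
their field names, AUDIT_DATE and the 30-day threshold are constructed
assumptions for this example, not a Toll Group or vendor schema.
"""
import ipaddress
from datetime import date

RDP_PORT = 3389
MAX_PATCH_AGE_DAYS = 30          # assumed policy threshold
AUDIT_DATE = date(2020, 5, 4)    # assumed date the audit is run

# Constructed inventory: one record per host.
HOSTS = [
    {"name": "FS01", "rdp_enabled": True, "nla_enabled": False,
     "inbound_rules": [{"port": 3389, "source": "0.0.0.0/0"}],
     "last_patched": date(2020, 1, 15), "open_ioc_alerts": 2},
    {"name": "FS02", "rdp_enabled": True, "nla_enabled": True,
     "inbound_rules": [{"port": 3389, "source": "10.0.5.0/24"}],
     "last_patched": date(2020, 4, 28), "open_ioc_alerts": 0},
    {"name": "WS17", "rdp_enabled": False, "nla_enabled": False,
     "inbound_rules": [{"port": 3389, "source": "0.0.0.0/0"}],
     "last_patched": date(2020, 4, 30), "open_ioc_alerts": 0},
]


def is_internet_wide(source):
    """True when a firewall source covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit_host(host, today):
    """Return the list of recommendation violations for one host record."""
    findings = []
    rdp_rules = [r for r in host["inbound_rules"] if r["port"] == RDP_PORT]
    if any(is_internet_wide(r["source"]) for r in rdp_rules):
        findings.append("rdp_open_to_internet")     # recommendation 1
    if rdp_rules and not host["rdp_enabled"]:
        findings.append("unused_rdp_port_open")     # recommendation 1: close 3389 when RDP is unused
    if host["rdp_enabled"] and not host["nla_enabled"]:
        findings.append("nla_disabled")             # recommendation 2
    if host["open_ioc_alerts"] > 0:
        findings.append("unresolved_ioc_alerts")    # recommendation 3
    if (today - host["last_patched"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("patches_overdue")          # recommendation 4
    return findings


def audit(hosts, today):
    """Map each host name to its findings; an empty list means compliant."""
    return {h["name"]: audit_host(h, today) for h in hosts}


if __name__ == "__main__":
    for name, findings in audit(HOSTS, AUDIT_DATE).items():
        print(name, "OK" if not findings else ", ".join(findings))
```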

Aside from these recommendations for Nefilim ransomware protection, several other recommendations can help the organization protect against other variants of ransomware attack:

  1. Organizations need to ensure that data is properly backed up, as this is the easiest approach to risk mitigation. If the organization cannot access its systems due to encryption and data loss, the backup will help it regain access to the data.
  2. It is important to ensure that all software and systems are updated. This also means installing antivirus software and firewall services so that devices and the network are protected against unknown traffic from the internet (Schwarz et al., 2021).
  3. Network segmentation can help to separate systems holding critical and sensitive information from those holding routine data. It also helps to prevent the further spread of ransomware from one segment to another. During risk management and post-incident actions, network segmentation helps to isolate infected systems from the network (Reshmi, 2021).
  4. User access controls and permissions are required on the systems. They can help the organization prevent users from installing software and using services and features outside their role and access. For instance, if a user cannot access remote desktop services, there is limited possibility that Nefilim can affect the system.
  5. Security awareness training and end-point security are also important. Organizations should invest effort and capital in security enforcement. Suitable training and awareness programs can be organized for employees so that they can contribute to security management. Similarly, end-point protection can limit the doors open to ransomware and other cybersecurity threats (Coden et al., 2023).

In 2021, the UK recorded 400,000 reports of cybercrime and fraud, and businesses registered 60,111 reports. Around 80% of organizations also experienced a cyberattack in 2021-22. In the past 12 months, 73% of organizations in the country have experienced some kind of ransomware attack. However, there is no significant improvement in the security budget, which stays at 13% as in previous years. Of these attacks, 43% were stopped before the ransomware encrypted and damaged the data (O’Driscoll, 2023). From an economic perspective, $1.08 million is spent on ransom to deal with ransomware attacks.

References

Ahmed, D., 2020. Dark Web hackers publish 200GB of Toll Group’s stolen corporate data. Retrieved from: https://www.hackread.com/dark-web-hackers-leak-200gb-toll-group-stolen-corporate-data/. Accessed on: 31 March 2023.

Cheung, K.F., Bell, M.G. and Bhattacharjya, J., 2021. Cybersecurity in logistics and supply chain management: An overview and future research directions. Transportation Research Part E: Logistics and Transportation Review, 146, p.102217.

Coden, M., Reeves, M., Pearlson, K., Madnick, S. and Berriman, C., 2023. An Action Plan for Cyber Resilience. MIT Sloan Management Review, 64(2), pp.1-6.

Groenewegen, A., Alqabandi, M., Elamin, M. and Paardekooper, P., 2020. A behavioral analysis of the ransomware strain Nefilim.

He, W. and Zhang, Z., 2019. Enterprise cybersecurity training and awareness programs: Recommendations for success. Journal of Organizational Computing and Electronic Commerce, 29(4), pp.249-257.

IBM, 2023. Ransomware protection. Retrieved from: https://www.ibm.com/ransomware. Accessed on: 31 March 2023.

Kost, E., 2023. Should Australian Businesses Pay Ransoms to Cybercriminals? Retrieved from: https://www.upguard.com/blog/should-australian-businesses-pay-ransoms-to-cybercriminals. Accessed on: 31 March 2023.

Mane, B., 2021. Nefilim Ransomware. Retrieved from: https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware. Accessed on: 31 March 2023.

O’Driscoll, A., 2023. UK cyber security and cyber crime statistics (2023). Retrieved from: https://www.comparitech.com/blog/information-security/uk-cyber-security-statistics/. Accessed on: 31 March 2023.

Reshmi, T.R., 2021. Information security breaches due to ransomware attacks: a systematic literature review. International Journal of Information Management Data Insights, 1(2), p.100013.

Schwarz, M., Marx, M. and Federrath, H., 2021. A structured analysis of information security incidents in the maritime sector. arXiv preprint arXiv:2112.06545.

Shafqat, N. and Masood, A., 2016. Comparative analysis of various national cyber security strategies. International Journal of Computer Science and Information Security, 14(1), pp.129-136.

SISA, 2021. Nefilim ransomware. Retrieved from: https://www.sisainfosec.com/blogs/nefilim-ransomware. Accessed on: 31 March 2023.

Soares, J., Mendoza, E. and Yaneza, J., 2020. Investigation into a Nefilim Attack Shows Signs of Lateral Movement, Possible Data Exfiltration. Retrieved from: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/investigation-into-a-nefilim-attack-shows-signs-of-lateral-movement-possible-data-exfiltration. Accessed on: 31 March 2023.

Toll Group, 2023. About us. Retrieved from: https://www.tollgroup.com/about. Accessed on: 31 March 2023.

Toll, 2023. Toll Group delivers strong performance in financial year 2022. Retrieved from: https://www.tollgroup.com/toll-group-delivers-strong-performance-financial-year-2022. Accessed on: 31 March 2023.

Yadav, T. and Rao, A.M., 2015. Technical aspects of cyber kill chain. In Security in Computing and Communications: Third International Symposium, SSCC 2015, Kochi, India, August 10-13, 2015. Proceedings 3 (pp. 438-452). Springer International Publishing.
