
Toll Group Faces Customer Fallout After Cyberattack

Security experts weigh in on the ransomware attack that struck one of Australia's largest logistics companies.


Freight delivery giant Toll Group is battling to fully restore its services after a crippling cyber attack, which security experts say is the most significant in Australian corporate history.

Growing discontent from major clients including Telstra, Officeworks, and Footlocker has added commercial pressure to what is already a complex and costly recovery effort. Customers have reported significant delays in deliveries, lost shipments, and an inability to track consignments through Toll's systems. The attack, which forced Toll to shut down its IT systems across multiple business units, has laid bare the devastating operational impact that ransomware can inflict on a logistics company operating at scale.

Jonathan Sharrock, a senior cyber security expert at Cyber Citadel, noted that the question of whether to pay a ransom is one that every organisation must now confront. He pointed to the example of the University of Maastricht in the Netherlands, which paid a ransom of EUR200,000 in Bitcoin after a ransomware attack in December 2019. "It's not great, but they paid it and now they're back to normal," Sharrock observed. "The reality is that in many cases, paying the ransom is the fastest route to restoring operations."

Sharrock explained that when a ransom is paid, the systems usually do come back online. The criminal organisations behind modern ransomware campaigns have a vested interest in honouring their end of the bargain. If word spreads that paying the ransom does not result in the restoration of data, future victims will be less inclined to pay — which undermines the entire business model. "These organisations act like businesses," Sharrock said. "They have a reputation to maintain. Some of them even provide what you might call good customer service — help desks, FAQs, even negotiation portals where victims can haggle over the price."

"It is not guaranteed, but if a company pays the ransom then systems usually do come back online. The organisations behind the attacks now act like businesses." — Jonathan Sharrock, Cyber Citadel

The observation that ransomware operators "act like businesses" with "good customer service" is a sobering reflection of how professionalised cybercrime has become. Modern ransomware groups operate with organisational structures, division of labour, and customer-facing processes that mirror legitimate enterprises. They invest in the reliability of their decryption tools because their revenue depends on it. This does not, of course, make paying a ransom risk-free. There is never a guarantee that the decryption key will work perfectly, that all data will be recovered, or that the attackers will not retain a copy of stolen data for future leverage.

For Toll Group, the attack served as a wake-up call not just for the company itself, but for the entire Australian logistics industry. The incident demonstrated that even large, well-established organisations with significant IT resources can be brought to their knees by a well-executed ransomware campaign. The commercial fallout — lost customers, damaged reputation, and the enormous cost of recovery — extends far beyond the immediate technical impact of the attack itself.

The lesson for logistics companies is clear: ransomware preparedness must be a core component of business continuity planning. This means investing in robust backup systems, implementing network segmentation to contain the spread of an infection, conducting regular penetration testing to identify vulnerabilities, and developing and rehearsing incident response plans. The cost of prevention is a fraction of the cost of recovery.

Published in Financial Review — 17 February 2020.
