The attack continues to cause delays and disruption, with Toll's online portal offline, causing disruption to the Melbourne-based company's operations in around 50 countries - including New Zealand, Hong Kong and China, where it already faces challenges from the coronavirus outbreak.
Ransomware attackers typically seize customer data or encrypt it during a cyber-attack, then demand money for its return.
A blackmail twist - which has recently hit five law firms - sees the attackers threaten to publish sensitive customer data.
January 8 saw currency exchange firm and Air New Zealand partner Travelex knocked offline after a ransomware attack, during which five gigabytes of customer data was stolen, including dates of birth and credit card information.
The BBC reported a US$6million ransom demand as Travelex resorted to pen-and-paper.
Travelex went back online on January 28. Reuters quoted the company saying it had not paid any ransom.
Toll did not immediately respond to questions about how much money had been demanded.
Police advise individuals and organisations not to pay up if hit by ransomware. They say there is no guarantee that data will be returned, and that funds often go to organised criminals who are also involved in hardcore offending in other areas such as drugs and human trafficking.
But when the Wannacry ransomware attack hit multiple countries in 2017, NZ lawyer Michael Wigley said those hit should consider paying up.
Data was returned in some instances, and paying up could be the pragmatic thing to do if a relatively small demand was involved, Wigley said.
CERT NZ boss Rob Pope recommends not paying a ransom. Photo / Supplied
He also maintained that giving in could even be the principled path.
"Sometimes paying out could even answer a legal duty. Say 'A' has a duty to protect 'B''s information, such as under a contract or some other duty and a ransom leads to a breach of that duty," he told this reporter.
"The ransomed 'company A' has a duty to mitigate loss and one way to do that could be to pay out on the ransom."
Days of delays
On Friday, Toll said it had taken a number of (un-named) systems offline as a precaution after a "suspected cyber attack."
An updated message on Monday read, "Toll Global Express New Zealand has lost use and access to its email exchange."
A warning beside a log-on screen for Toll's online portal read, "Toll Group is currently experiencing a suspected cyber attack." Customers were asked to confirm bookings by phone.
The message added: "We would ask that you hold any non-essential freight movements for today."
Last night, the Toll spokesman clarified, "As a result of our decision to disable certain systems following a recent cyber security threat, we're continuing to meet the needs of many of our customers through a combination of manual and automated processes across our global operations, although some are experiencing delay or disruption.
"For our parcels customers, all of our processing centres are continuing to operate including pick up, processing and dispatch albeit at reduced speed in some cases.
"While the online booking platform has been temporarily disabled, parcels customers can book deliveries by calling our contact centres."
Toll was "working around the clock" on fixes, the spokesman said.
The company had also "referred the matter to the appropriate bodies for criminal investigation."
What to do if you're hit by ransomware
New Zealand businesses or individuals hit by a cyber-attack are advised to contact Crown agency CERT (the Computer Emergency Response Team) as their first step.
CERT acts as a triage unit, pointing people to the right law enforcement agency or technical contacts.
CERT director Rob Pope declined to comment on whether his agency had been approached by Toll.
"Because of the sensitive nature of the reports made to CERT NZ, we never confirm or deny our involvement with any particular incident," he said.
