Toll Group hacked once more, suffers Nefilim ransomware attack

Nefilim ransomware infects the networks of logistics giant

Toll Group hit by Nefilim ransomware

Toll Group, a subsidiary of Japan Post Holdings and one of the largest logistics companies worldwide, has suffered a second hack this year – this time by the Nefilim ransomware gang. After detecting unusual activity on its internal servers early this week, the company shut down its IT systems to prevent further compromise. Due to the attack, Toll Group said in its announcement that some operations would be performed manually to prevent service disruptions to its customers:

Toll’s priority is the safety and security of our customers, employees and vendor partners and, to that end, we have business continuity plans and manual processes in place to keep services moving while we work to resolve the issue. We expect these arrangements to continue for the remainder of the week.

The previous incident occurred on the last day of January 2020, when Toll was hit by Mailto ransomware, which managed to infect as many as 1,000 servers and disrupt Active Directory systems and customer-facing applications within the company. Track and trace on deliveries and other functions had to be disabled for a prolonged period of time, although the company managed to restore its operations fully with the help of forensic investigators and other parties by mid-March.[1]

In its announcement, Toll Group said that the Nefilim incident is a separate occurrence, and has nothing to do with the Mailto ransomware attack. The logistics company is now trying to resolve the situation as soon as possible.

Toll Group refuses to pay ransom

Toll Group is based in Australia, so it is working closely with the Australian Cyber Security Centre (ACSC) and other parties to tackle the incident. It is highly likely that the previous Mailto incident served as a rehearsal for the recovery procedures, so recovery is unlikely to take as long as it did before. While the company acknowledged that it was hit by Nefilim, it stated that under no circumstances will it agree to pay the ransom, as noted in the announcement on May 5.[2]

Nefilim ransomware[3] originated from Nemty, which was shut down by the same operators last month.[4] With this new strain, the threat actors are hoping to succeed in the illegal crypto-malware business and establish themselves as one of the major players, alongside Maze, Sodinokibi, and many others. Considering this, it is not surprising that the actors went for such a high-profile target as Toll Group.

After infecting company networks, major ransomware strains, including Nefilim, usually attempt to harvest and then disclose sensitive information to make victims pay the demanded ransom. However, Toll Group said, “there is no evidence at this stage to suggest that any data has been extracted from our network.”

Company already regaining its operations, restoring files

Unsurprisingly, Toll Group is experiencing disruptions to its services, and several operations are now performed manually. The company tweeted on Wednesday that it had to temporarily shut down the “MyToll” customer service website as a precautionary measure. As a result, customers are unable to divert shipments to another collection point.[5]

Toll Group explained that it is trying to work around the situation:

At this stage, freight shipments are largely unaffected and parcel deliveries are running essentially to schedule based on normal pick-up and delivery processes. Parcel tracking and tracing through the MyToll portal remains offline. We are prioritising the movement of essential items, including medical and healthcare supplies into the national stockpile for COVID-19 requirements. This includes running charter flights from China.

However, some good news is that Toll is already remediating its servers from the ransomware infection, rebuilding core functions, and recovering files from backups.

It is still unclear how the malware got into the company’s network, although it is known that Nefilim ransomware affiliates (the malware is operated as ransomware-as-a-service) often use weakly protected Remote Desktop connections to reach their targets.
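Because exposed Remote Desktop logins are the initial-access route the article associates with Nefilim affiliates, the one thing a defender most wants from their logs is an early signal that someone is guessing RDP passwords. The following is an added example, not code from the article or from Toll Group: a small detector over Windows Security log records, where Event ID 4625 is a failed logon, Event ID 4624 a successful one, and logon type 10 (RemoteInteractive) marks an RDP session. The events are constructed inline as dictionaries with made-up IP addresses and user names; the threshold, window and record layout are assumptions for the example, not values from the page.

```python
"""Flag possible RDP password guessing from Windows Security log records.

Added example, not from the article. Records are constructed dicts that
mirror the fields of Windows Event IDs 4625/4624 (TimeCreated, LogonType,
IpAddress, TargetUserName); a real deployment would parse them from EVTX
or a SIEM export instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_FAILED_LOGON = 4625   # "An account failed to log on"
EVENT_LOGON = 4624          # "An account was successfully logged on"
LOGON_TYPE_RDP = 10         # RemoteInteractive (RDP / Terminal Services)

# Constructed sample events (not real data). One source bursts through six
# failed RDP logons against four accounts, then succeeds as "backup";
# another source has two isolated failures an hour apart (a typo, not guessing).
SAMPLE_EVENTS = [
    {"time": "2020-05-04T02:00:01", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"},
    {"time": "2020-05-04T02:00:09", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2020-05-04T02:00:17", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "backup"},
    {"time": "2020-05-04T02:00:25", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "svc_rdp"},
    {"time": "2020-05-04T02:01:02", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"},
    {"time": "2020-05-04T02:01:40", "event_id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2020-05-04T02:02:00", "event_id": 4625, "logon_type": 3,  "ip": "203.0.113.7", "user": "admin"},   # network logon, not RDP
    {"time": "2020-05-04T02:03:30", "event_id": 4624, "logon_type": 10, "ip": "203.0.113.7", "user": "backup"},  # success right after the burst
    {"time": "2020-05-04T01:10:00", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.9", "user": "jsmith"},
    {"time": "2020-05-04T02:30:00", "event_id": 4625, "logon_type": 10, "ip": "198.51.100.9", "user": "jsmith"},
]


def find_rdp_bruteforce(events, threshold=5, window_minutes=10):
    """Return {ip: summary} for sources with >= threshold failed RDP logons
    inside any sliding window of window_minutes. Threshold and window are
    assumed tuning values for this example."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == EVENT_FAILED_LOGON and e["logon_type"] == LOGON_TYPE_RDP:
            failures[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start, best = 0, None
        for end, (t_end, _) in enumerate(attempts):
            # Slide the window start forward until it fits within window_minutes.
            while t_end - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["failures"]):
                users = {u for _, u in attempts[start:end + 1]}
                best = {
                    "failures": count,
                    "distinct_users": len(users),   # many users from one IP suggests spraying
                    "first": attempts[start][0],
                    "last": t_end,
                }
        if best:
            alerts[ip] = best
    return alerts


def successes_after_burst(events, alerts):
    """Return (ip, user) for successful RDP logons from a flagged source at or
    after the end of its burst: the highest-priority signal, since a guessed
    password is the foothold ransomware affiliates need."""
    hits = []
    for e in events:
        if (e["event_id"] == EVENT_LOGON and e["logon_type"] == LOGON_TYPE_RDP
                and e["ip"] in alerts
                and datetime.fromisoformat(e["time"]) >= alerts[e["ip"]]["last"]):
            hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    found = find_rdp_bruteforce(SAMPLE_EVENTS)
    for ip, info in found.items():
        print(f"{ip}: {info['failures']} failed RDP logons against "
              f"{info['distinct_users']} accounts between {info['first']} and {info['last']}")
    for ip, user in successes_after_burst(SAMPLE_EVENTS, found):
        print(f"HIGH: successful RDP logon as {user} from {ip} after a guessing burst")
```

Only logon type 10 is counted, so the SMB-style network logon failure (type 3) from the same address is ignored, and the two failures an hour apart from the second address stay below the threshold. The distinct-user count separates a single mistyped password from a spray across accounts, and the success check turns the alert from "someone is knocking" into "someone got in", which is the moment to disable the account and look for follow-on activity.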