Ransomware Attack Takes Down Toll Group Systems, Again


Australian transportation company Toll Group has been hit by the Nefilim ransomware, causing customers to experience delays.

Australian transportation and logistics giant Toll Group has been hit by a ransomware attack – for the second time in three months. The company said a relatively new form of ransomware known as Nefilim had targeted its systems.

Toll Group, a subsidiary of Japan Post Holdings, is a freight and delivery service company operating across more than 1,200 locations in 50 countries. It’s often used by e-commerce giants like eBay to transport bulk commodities, critical spare parts and medical supplies.

The company on Monday shut down certain IT systems after detecting unusual activity on some of its servers, causing customers to experience delays and disruption. While freight shipments have been “largely unaffected” and parcel deliveries are running to schedule, the company’s MyToll portal, used for creating shipments and booking pickups, remains offline.

“As a result of investigations undertaken so far, we can confirm that this activity is the result of a ransomware attack,” according to a statement on Toll Group’s website. “This is unrelated to the ransomware incident we experienced earlier this year. Toll has no intention of engaging with any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our network.”

Nefilim

Nefilim was only recently discovered. According to researchers, it is most likely spread through exposed Remote Desktop Protocol (RDP) servers, the same initial-access vector used by other ransomware families such as Nemty, Crysis and SamSam.

“The actors behind Nefilim primarily gain access through vulnerable RDP servers, though there are unverified reports of them expanding their attack repertoire,” Allan Liska, threat intelligence analyst with Recorded Future, told Threatpost. “This is a pretty common development path for new ransomware actors: They start with open or vulnerable RDP servers and then expand to other attack methods.”
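Because exposed RDP is the initial-access vector named above, the check a defender most wants is for the credential-guessing that precedes an RDP intrusion. The following is an added example, not code from Threatpost, Recorded Future or Toll Group: it scans Windows Security log events for RDP brute-force (event 4625, logon type 10 = RemoteInteractive) from a single source address inside a sliding window, and flags a subsequent successful logon (4624, type 10) from that same address as a likely compromise. The pipe-delimited line format, the threshold and the sample events are constructed for the example; a real deployment would feed it from a SIEM or `Get-WinEvent` export.

```python
"""Detect RDP credential attacks from Windows Security log events.

Event 4625 = failed logon, 4624 = successful logon, Logon Type 10 =
RemoteInteractive (RDP). A burst of type-10 failures from one source,
followed by a type-10 success from the same source, is the classic
signature of an RDP brute-force or password spray that worked.
Example code; the log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "timestamp|event_id|logon_type|user|src_ip"
SAMPLE_LOG = """\
2020-05-04T01:00:01|4625|10|administrator|203.0.113.7
2020-05-04T01:00:03|4625|10|admin|203.0.113.7
2020-05-04T01:00:05|4625|10|backup|203.0.113.7
2020-05-04T01:00:07|4625|10|svc_sql|203.0.113.7
2020-05-04T01:00:09|4625|10|jsmith|203.0.113.7
2020-05-04T01:00:11|4625|10|administrator|203.0.113.7
2020-05-04T01:00:20|4624|10|jsmith|203.0.113.7
2020-05-04T01:05:00|4625|10|jdoe|192.0.2.50
2020-05-04T01:05:30|4624|10|jdoe|192.0.2.50
2020-05-04T02:00:00|4624|2|jdoe|127.0.0.1
"""

FAIL_THRESHOLD = 5             # failures from one source address ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window (assumed values)


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, eid, ltype, user, ip = line.strip().split("|")
    return datetime.fromisoformat(ts), int(eid), int(ltype), user, ip


def find_rdp_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {src_ip: {"failures": n, "distinct_users": n, "success_user": u}}
    for every source that reached `threshold` RDP failures within `window`.
    `success_user` is the account that later logged in over RDP from that
    source, or None if no success followed the flagged burst."""
    fails = defaultdict(list)  # src_ip -> [(timestamp, user)] inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, ip = parse(line)
        if ltype != 10:  # only RemoteInteractive (RDP) logons are of interest
            continue
        if eid == 4625:
            fails[ip].append((ts, user))
            # Drop failures that fell out of the sliding window.
            fails[ip] = [(t, u) for t, u in fails[ip] if ts - t <= window]
            if len(fails[ip]) >= threshold:
                alert = alerts.setdefault(
                    ip, {"failures": 0, "distinct_users": 0, "success_user": None})
                alert["failures"] = len(fails[ip])
                # Many distinct usernames from one source = spray, not a typo.
                alert["distinct_users"] = len({u for _, u in fails[ip]})
        elif eid == 4624 and ip in alerts:
            # A success after a flagged burst is the high-severity case:
            # the guessed credential most likely worked.
            alerts[ip]["success_user"] = user
    return alerts


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info}")
```

The single failure from 192.0.2.50 stays below the threshold and the local type-2 logon is ignored, so only 203.0.113.7 is reported, with six failures across five accounts and a later successful RDP logon as `jsmith`. The complementary preventive control is not to expose port 3389 to the internet at all (VPN or gateway with MFA in front of RDP), since detection after the success event only shortens the dwell time.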

Researchers have also said Nefilim’s code shares striking similarities with the Nemty ransomware. However, there are some notable differences between the two: Unlike Nemty, Nefilim does not have a ransomware-as-a-service component, and researchers said there’s no evidence that the same threat actors are behind the two strains.

“Nefilim is a relatively new ransomware variant that shares a lot of code with the Nemty ransomware,” Liska said. “Since the group behind Nemty suspended public operations and switched to a private model, the thought is that Nefilim is either someone in that group or someone the group shared the code with.”

While new, the Nefilim ransomware appears to be hitting companies on all fronts this month. A Sky News report on Monday pointed to the ransomware operators targeting a Sri Lankan clothing manufacturer that produces lingerie for brands like Victoria’s Secret, Nike and Beyonce’s Ivy Park line. According to the report, the operators said they stole 300 GB of private files from the manufacturer, and reportedly posted some of the allegedly stolen documents online.

In fact, Liska pointed to Nefilim threatening to air out various victims’ data to the public if they fail to pay the ransom, on a “leaks” site called Corporate Leaks, which resides on a TOR node. This is an emerging ransomware tactic that researchers call double extortion.

“The Nefilim operators have also adopted the ‘name and shame’ tactic popularized by other ransomware groups such as Maze over the past few months,” Charles Ragland, security engineer at Digital Shadows, told Threatpost. “By threatening to release data, cybercriminals can attempt to apply increased pressure on an organization, coercing them to pay ransom demands. This effectively constitutes a hybrid threat of both a ransomware attack and a data breach and is likely to continue being a popular tactic over the next few months.”

Ransomware Barrage

It’s the second ransomware attack for Toll Group this year: The company said on Feb. 3 that it was hit by ransomware, leaving customers reporting an impact on operations across Australia, India and the Philippines. As in this most recent incident, the February attack reportedly took down various Toll Group customer-facing services, including the MyToll portal.

As was the case in the last ransomware attack, customers expressed exasperation on Twitter during this second ransomware incident, complaining of communication issues and parcel tracking disruption due to MyToll being down.

“This is a serious incident that targets a very important part of the supply chain,” Fausto Oliveira, principal security architect at Acceptto, told Threatpost. “To perform an attack such as this during the Covid-19 epidemic is not only criminal, it shows a heightened degree of callousness and disregard for human life. The good news is that the containment process we saw the Toll Group use in the previous incident seems to be working and they have done their due diligence.”

In fact, Toll Group stressed that it is prioritizing the movement of essential items, including medical and healthcare supplies, in the midst of the ongoing coronavirus pandemic – including running charter flights from China.

The company said it is in regular contact with the Australian Cyber Security Centre (ACSC) on the progress of the incident.

“As we continue to investigate the details of the ransomware attack that led us to disable various IT systems, we’re making good progress in rebuilding the core systems which underpin most of Toll’s online operations,” said the company. “This includes cleaning affected servers and systems, and restoring files from backups.”
