Breach Notification , Business Continuity Management / Disaster Recovery , Cybercrime

Toll Group Says Ransomware Attackers Stole Data

Australian Shipping Giant, Hit With Nefilim Ransomware, Vows to Not Pay Ransom
Toll Group Says Ransomware Attackers Stole Data
Source: Toll Group

Australian shipping giant Toll Group has vowed to again not pay a ransom after suffering its second ransomware attack of the year, which it first disclosed earlier this month.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

In the latest incident, however, the company warns that attackers also stole corporate data - and it may get leaked. But the company is still attempting to identify the "specific nature" of the information that was stolen from a server breached by attackers.

"This server contains information relating to some past and present Toll employees, and details of commercial agreements with some of our current and former enterprise customers," Toll Group says in a Tuesday statement. "The server in question is not designed as a repository for customer operational data."

Toll Group revealed the attack on May 5, saying it had been hit by Nefilim ransomware. The incident occurred about six weeks after the company suffered an attack involving Mailto ransomware - aka Netwalker - which hampered its operations for weeks (see: Australian Delivery Firm Confirms Ransomware Attack). The firm doesn't believe the two attacks are connected.

The latest attack is "serious and regrettable," says Thomas Knudsen, Toll Group's managing director. The company says it's now restored most shipping operations.

"We condemn in the strongest possible terms the actions of the perpetrators," Knudsen adds. "I can assure our customers and employees that we're doing all we can to get to the bottom of the situation and put in place the actions to rectify it."

Toll Group, which is owned by Japan Post, has operations in over 50 countries and about 40,000 employees worldwide. Company officials weren't available for further comment on why it had fallen victim to this second ransomware attack so soon after dealing with the previous one. With both attacks, the company vowed to not pay any ransom.

Newcomer: Nefilim Ransomware

The situation facing Toll Group is becoming far more common: Ransomware gangs are not just crypto-locking computers, but first stealing sensitive data that they can use as part of efforts to name and shame victims, or to trickle out stolen data, to try and force them to pay a ransom (see Ransomware Attackers Exfiltrate Data From Magellan Health). While the Maze ransomware gang first began this practice last October, since then, many more crime gangs have also adopted these tactics (see: More Ransomware Gangs Join Data-Leaking Cult).

The Nefilim ransomware used in the latest attack against Toll Group, which was first spotted by security researchers two months ago, appears to be based on the code of another type of ransomware, Nemty, according to the security firm SentinelOne. But while Nemty is a ransomware-as-a-service operation, meaning criminal affiliates subscribe to receive the latest versions, Nefilim appears to be run as a standalone or closed operation, according to security firm Trend Micro.

Another Nemty spinoff, meanwhile, is called Nephilim, but it's unclear how or if it's connected to Nefilim's operations, according to Jim Walter, a senior threat researcher with SentinelOne.

Security researchers say Nefilim often gets spread via poorly secured remote desktop protocol endpoints (see: Why Are We So Stupid About RDP Passwords?).

"Once the attackers have compromised the environment via RDP, they then proceed to establish persistence, to locate and exfiltrate additional credentials where possible, and then to deliver the ransomware payloads to their intended targets," Walter says.

But determining how attackers get in isn't easy. Trend Micro reports that one Nefilim attack it investigated in March could have involved RDP, but also could have involved some other form of remote access.

Risk: Stolen Data Gets Dumped

In its statement about the May ransomware attack, Toll Group says that the Nefilim "attacker is known to publish stolen data to the 'dark web,'" adding that "this means that, to our knowledge, information is not readily accessible through conventional online platforms."

Despite that assertion, however, security experts say any data that gets released by attackers is all too readily available. Nefilim already operates a payment site reachable only via the anonymzing Tor browser, and appears to have done the same for its leak site. While Tor sites are often referenced as being "hidden" websites, recognizable via their special ".onion" top level domain, anyone can download the Tor browser and navigate to such sites.

On April 10, Beenu Arora, founder of the threat intelligence platform Cyble, tweeted that Nefilim was behind an attack against MAS Holdings, a lingerie manufacturer. Attackers published stolen data to a Tor site called Corporate Leaks, which also listed several other companies on the site with alleged samples of their stolen data, he said.

A screenshot of Corporate Leaks, where data stolen from Nefilim's ransomware victims has been published

So far, Toll Group's data hasn't appeared on Nefilim's Corporate Leaks site. But Bleeping Computer reports that in the past, Nefilim's operators have given victims one week to pay before they progress to attempting to name and shame the victim and release some data they've stolen to try and force payment.

On Tuesday, one week after Toll Group said it had been hit by Nefilim, the company vowed to not pay any ransom.

"Toll has refused from the outset to engage with the attacker's ransom demands, which is consistent with the advice of cybersecurity experts and government authorities," the company says.

Repeat Incidents: Cause for Concern

Toll Group isn't the only firm to have suffered multiple ransomware incidents in a relatively short period. In recent days, mailing equipment manufacturer Pitney Bowes has said it is battling a second ransomware attack, blamed on Maze, after being hit previously by ransomware in October 2019. For the prior attack, Pitney Bowes did not name the strain used against it, but according to some news reports, it may have been Ryuk (see: Pitney Bowes Battles Second Ransomware Attack).

Falling victim to two separate ransomware attacks in a relatively short space of time is no smoking gun. But Brett Callow, a threat analyst with Emsisoft, told Information Security Media Group this week that it may indicate that the original attackers left in place a backdoor that was discovered by other attackers. Or the original attackers might have resold the access to other criminals, which many security experts say is a common practice.

"Ransomware groups frequently leave behind backdoors to maintain post-attack access to the networks they have compromised, and this is one of the reasons we recommend that companies completely rebuild their networks rather than simply decrypting their data," Callow said. "The backdoors are typically 'owned' by affiliates, and those affiliates may change allegiance or sell or trade them with other groups."

Recovery Continues

What lessons Toll Group learned from the prior attack, or improvements in its defenses or incident recovery processes that it might have put in place, as yet remain unclear. But by Thursday, Toll Group reported that it had achieved a "full and secure reactivation of one of our core IT systems which underpins most of the company's online operations."

The same day, it also was able to re-establish incoming email services, although it said it was still working to regain email access for cloud-based platforms and other servers. The ransomware also knocked out parcel tracking and tracing on its portal.

As of Monday, however, Toll Group said that while it was still experiencing some shipping delays, most freight shipments and parcel deliveries were functioning as normal. Its call centers were also taking bookings over the phone. But it warned that getting to the bottom of the latest incident "will take a number of weeks."

Executive Editor Mathew Schwartz contributed to this report.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.