- The Australian transportation and logistics firm “Toll Group” has succumbed to the Nefilim ransomware actors.
- The organization has stated that Nefilim didn’t manage to exfiltrate its files, so they’re not paying them a dime.
- The customer-facing apps and some internal systems are still in the process of getting restored.
The “Toll Group” has announced its second security lapse within four months, and this time it is an infection by the Nefilim ransomware. The attack occurred on May 5, 2020, with Toll’s IT team taking down all systems as a precautionary step. The firm immediately decided not to engage with the actors behind Nefilim, saying that it will not negotiate any ransom demands. Its initial investigation showed that the actors had not managed to exfiltrate data from Toll’s systems, so they would have no way to apply further pressure.
Yesterday, Toll’s experts performed system cleaning and file restoration from backups, while business operations switched to manual processes, so some delays for customers were inevitable. Toll Group is Australia’s largest transportation and logistics company, moving freight by sea, air, and land. During the COVID-19 pandemic, goods transportation is one of the few businesses that has remained active, and it is also crucial. Considering this, the targeting of Toll by the Nefilim ransomware group is unlikely to have been random.
We’ve disabled MyToll as we look into a ransomware issue. We’ve put steps in place to keep things moving through the week. We apologise for the disruption and appreciate your patience.
— Toll Group (@Toll_Group) May 5, 2020
Today, Toll announced that its IT systems are being gradually restored, but they are still in the process of testing the customer-facing apps, and this will take another week. It means that parcel tracking and tracing through the “MyToll” portal remains offline, and customers are advised to call Toll and ask for details instead. Similarly, clients won’t be able to access their invoices online, and there will be no “Proof of Delivery” and no email communication. Even Toll’s employees will have to rely on workarounds for the time being, as cloud-based platforms and email servers haven’t been fully restored yet.
Charles Ragland of Digital Shadows told us that Toll must have left an exposed Remote Desktop Protocol (RDP) connection, as this is the main attack vector used by the Nefilim ransomware. As he commented: “For attacks that target RDP, organizations should look to reduce their attack surface by disabling RDP on machines where it isn’t necessary, use an RDP Gateway, and enable Network Level Authentication for RDP connections.”
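Two of the three measures Ragland lists (disabling RDP where it is not needed, and requiring Network Level Authentication where it is) are per-host settings that an administrator can audit and enforce. The script below is an added example written for this article; it is not code from Toll Group, Digital Shadows, or the original page. It assumes an elevated PowerShell session on a Windows host and relies on the standard registry values `fDenyTSConnections` and `UserAuthentication` plus the built-in “Remote Desktop” firewall rule group (the group name is the one used on English-language Windows). Deploying an RD Gateway is a server role rather than a host setting, so it is not covered here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Toll/Digital Shadows): audit a host's
# RDP exposure, then either disable RDP outright or require NLA where it must stay on.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsKey 'WinStations\RDP-Tcp'

function Get-RdpPosture {
    # Returns an object describing the host's current RDP exposure.
    $denyTs = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla    = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Any enabled inbound rule in the "Remote Desktop" group means TCP/UDP 3389 is reachable through the host firewall.
    $fwOpen = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }).Count -gt 0
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RdpEnabled          = ($denyTs -eq 0)   # 0 = connections allowed, 1 = denied
        NlaRequired         = ($nla -eq 1)      # 1 = client must authenticate before a session is created
        InboundFirewallOpen = $fwOpen
    }
}

function Set-RdpHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Disable RDP entirely on hosts that do not need it (Ragland's first recommendation).
        [switch]$DisableRdp
    )
    if ($DisableRdp) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable Remote Desktop and its inbound firewall rules')) {
            Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
            Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        }
    }
    else {
        # Where RDP must stay on, require Network Level Authentication so that
        # credentials are checked before any session resources are allocated.
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Require NLA for RDP-Tcp')) {
            Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
        }
    }
    # Re-read the settings so the caller sees the post-change state.
    Get-RdpPosture
}

# Usage: review the current posture first, then preview changes with -WhatIf before applying.
Get-RdpPosture | Format-List
# Set-RdpHardening -WhatIf              # preview: require NLA on a host that needs RDP
# Set-RdpHardening -DisableRdp -WhatIf  # preview: turn RDP off on a host that does not
```

Running `Get-RdpPosture` across a fleet (for example via `Invoke-Command`) gives a quick inventory of hosts with `RdpEnabled` true and `NlaRequired` false, which is the combination Ragland’s advice is aimed at. Hosts that must accept RDP from outside the network should additionally be placed behind an RD Gateway so that 3389 is never exposed directly.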
Rui Lopes of Panda Security expressed his surprise when asked to comment about a second attack on Toll Group. As he characteristically said: “After the first attack, a thorough forensic analysis should have determined where security protections and protocols failed, and subsequently should have rolled out next-generation endpoint security on all endpoints. In the case of ransomware, lightning can strike twice, and there’s no grace period that’s honored before the next attack.”