Second ransomware strike is déjà vu for Australian logistics giant Toll

Three months after crippling Mailto ransomware strike, customer systems are once again down as Nefilim threatens possible data dump.


Package-tracking capabilities remain disabled for customers of Australian logistics giant Toll Group, and the organization could be running on manual processes until at least the end of the week, after the company was crippled by a ransomware attack for the second time this year.

The company shut down several IT systems on 5 May after detecting “unusual activity” that was subsequently confirmed to be an attack of the new Nefilim ransomware — a variant of the Nemty 2.5 malware that, according to Trend Micro, is distributed through exposed Remote Desktop Protocol (RDP) ports.
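Because exposed RDP is the distribution path the article attributes (via Trend Micro) to Nefilim, a useful first defensive check is an inventory of internal hosts that accept TCP/3389 from outside the corporate address space. The script below is an added example, not code from the article, Toll Group or Trend Micro; it assumes a simple key=value firewall log format and uses constructed sample lines, with RFC 5737 documentation addresses standing in for external sources.

```python
"""Flag firewall log entries showing RDP (TCP/3389) accepted from outside the internal ranges.

Added example: the log format and sample lines are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value firewall format; not real traffic.
# TEST-NET documentation addresses (RFC 5737) stand in for public source IPs.
SAMPLE_LOG = """\
2020-05-04T21:13:02Z action=allow proto=tcp src=203.0.113.45 dst=10.0.5.12 dport=3389
2020-05-04T21:13:05Z action=allow proto=tcp src=10.0.1.8 dst=10.0.5.12 dport=3389
2020-05-04T21:14:11Z action=deny proto=tcp src=198.51.100.7 dst=10.0.5.12 dport=3389
2020-05-04T21:15:40Z action=allow proto=tcp src=203.0.113.45 dst=10.0.5.20 dport=443
2020-05-04T21:16:02Z action=allow proto=tcp src=192.0.2.99 dst=10.0.5.12 dport=3389
malformed line that should be skipped
"""

RDP_PORT = 3389

# Address space considered internal (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip_text):
    """True if the address falls inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_exposed_rdp(log_text):
    """Return allowed TCP/3389 connections whose source is outside the internal ranges."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        if (
            rec["action"] == "allow"
            and rec["proto"] == "tcp"
            and rec["dport"] == RDP_PORT
            and not is_internal(rec["src"])
        ):
            findings.append(rec)
    return findings


def exposed_hosts(findings):
    """Map each internal host reached on RDP from outside to the external sources that reached it."""
    hosts = defaultdict(set)
    for rec in findings:
        hosts[rec["dst"]].add(rec["src"])
    return {dst: sorted(srcs) for dst, srcs in hosts.items()}


if __name__ == "__main__":
    hits = find_exposed_rdp(SAMPLE_LOG)
    for dst, srcs in exposed_hosts(hits).items():
        print(f"{dst} accepted RDP from outside: {', '.join(srcs)}")
```

Denied connections and internal-to-internal RDP are deliberately left out of the findings, so the output is the short list of hosts that actually answer RDP from the outside and that should be moved behind a VPN or gateway, or have the listener closed.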

Nefilim not only encrypts data, but transmits it back to its authors — who threaten infected companies with publication of their sensitive data if they don’t pay the ransom.

Such ‘double extortion’ attacks have become increasingly common in recent months as cybercriminals look for new ways to put pressure on their victims.

Toll “has no intention of engaging with any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our network,” the company said in an update about the attack.

IT staff are cleaning affected servers and systems, and restoring files from backups, Toll said in apologising for delays to customers and the inaccessibility of parcel tracking and tracing through its now-offline MyToll customer portal.

Freight shipments are “largely unaffected” and parcel deliveries “are running essentially to schedule based on normal pick-up and delivery processes,” the company said.

Toll says this latest infection is “unrelated” to the devastating ransomware incident of 31 January, when systems were infected with the Mailto ransomware, forcing the company to pull systems offline and interrupting services; that earlier incident led the Australian Cyber Security Centre (ACSC) to publish an advisory about the trend.

Rival Henning Harders also suffered a ransomware attack this year, reporting in mid March that it had been hit by an “organised attack” by ransomware authors the Maze group. Online automobile auction firm Manheim Auctions also suffered a shutdown in March after being hit by ransomware.

A human who has been infected with a virus can become immune to reinfection, but the reinfection of Toll Group servers — including, again, those supporting its core MyToll booking engine — is a reminder that computer malware infections don’t work the same way.

Copyright © 2020 IDG Communications, Inc.