Pierluigi Paganini
May 06, 2020
The Australian transportation and logistics giant Toll Group informed its customers that it has shut down some IT systems after a new ransomware attack, it is the second infection disclosed by the company this year.
The Toll Group is an Australian transportation and logistics company with operations in road, rail, sea, air, and warehousing, it is a subsidiary of Japan Post Holdings and has over 44,000 employees.
Toll staff discovered the infection after noticing unusual activity on some servers, further investigation revealed the presence of the Nefilim ransomware.
The Nefilim ransomware appeared in the threat landscape at the end of February, it borrows its code from other malware, the Nemty ransomware.
Nefilim will encrypt a file using AES-128 encryption, then the AES encryption key is encrypted using an RSA-2048 public key that is embedded in the ransomware executable.
The encrypted AES key will be included in the contents of each encrypted file. Nefilim appends the .NEFILIM extension to the file name, it also adds the “NEFILIM” string as a file marker to all encrypted files.
The transportation giant confirmed that it will not pay the ransom, fortunately it seems that threat actors did not exfiltrate data from the infected servers.
The company says it does not plan on paying any ransom demands and claims it has found no evidence that data has been exfiltrated from its network.
Nefilim operators, like other threat actors, threaten victims to release stolen data if they don’t pay the ransom in seven days. The same tactic was already adopted by other ransomware gangs, including the Maze Group, Nemty gang, DoppelPaymer, and Sodinokibi crews.
Toll has shut down its MyToll portal and is currently removing the threat from its systems before restoring data from backups.
“As we continue to investigate the details of the ransomware attack that led us to disable various IT systems, we’re making good progress in rebuilding the core systems which underpin most of Toll’s online operations. This includes cleaning affected servers and systems, and restoring files from backups.” reads the statement published by the company.
“In the meantime, our business continuity and manual processes are keeping services moving across many parts of the network although, regrettably, some customers are experiencing delays or disruption. At this stage, freight shipments are largely unaffected and parcel deliveries are running essentially to schedule based on normal pick-up and delivery processes. Parcel tracking and tracing through the MyToll portal remains offline. We are prioritising the movement of essential items, including medical and healthcare supplies into the national stockpile for COVID-19 requirements. This includes running charter flights from China.”
While some customers are experiencing delays or disruption, Toll confirmed that freight shipments and parcel deliveries are largely unaffected. The company is prioritizing the delivery of essential items, such as medical and healthcare supplies for the COVID-19 requirements.
“We’re working closely with our large enterprise customers whose services are affected and, for our SME customers and consumers, we’re providing updates on work-around processes through our digital and social channels including Toll’s company and MyToll websites,” continues the statement. “We expect to maintain current business continuity and manual processing arrangements through the week, and we are in regular contact with the Australian Cyber Security Centre (ACSC) regarding the investigation and recovery process.”
In February, the Toll Group has suffered another ransomware attack that forced it to shut down part of its services, but the two incidents are unrelated.
Other shipping companies suffered ransomware attacks in recent years, including MSC (April 2020), Pitney Bowes (October 2019), COSCO (July 2018),
Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Toll, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
