Toll Group has revealed attackers behind its latest run-in with ransomware managed to exfiltrate current commercial agreements and employee data from at least one server.
The logistics giant confirmed the data loss in a statement late Tuesday.
The company was hit with a type of malware known as Nefilim at the start of last week.
One of the characteristics of attacks that use Nefilim is that victims are given a week to pay a ransom or wind up seeing stolen documents on the dark web.
Toll Group already said it would not pay a ransom, and was likely relying on data not being stolen to avoid the second part of the attack.
However, the company said today that “ongoing investigations have established that the attacker has accessed at least one specific corporate server.”
“This server contains information relating to some past and present Toll employees, and details of commercial agreements with some of our current and former enterprise customers,” it said.
“The server in question is not designed as a repository for customer operational data.”
The company’s comments suggest backups may have been placed on servers outside of corporate retention policies.
“At this stage, we have determined that the attacker has downloaded some data stored on the corporate server, and we are in the process of identifying the specific nature of that information,” Toll Group said.
“The attacker is known to publish stolen data to the ‘dark web’. This means that, to our knowledge, information is not readily accessible through conventional online platforms.
“Toll is not aware at this time of any information from the server in question having been published.”
The company’s managing director Thomas Knudsen called the attack an “unscrupulous act”.
“We condemn in the strongest possible terms the actions of the perpetrators,” he said.
“This is a serious and regrettable situation and we apologise unreservedly to those affected.
“I can assure our customers and employees that we’re doing all we can to get to the bottom of the situation and put in place the actions to rectify it.”
Knudsen said it could take “weeks” to get to the bottom of the data exfiltration - a fresh blow for the company as its recovery efforts stretched into a second week.
“Given the technical and detailed nature of the analysis in progress, Toll expects that it will take a number of weeks to determine more details,” he said.
“We have begun contacting people we believe may be impacted and we are implementing measures to support individual online security arrangements.”
Toll Group said it is working with the Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP), and is determining its regulatory disclosure obligations.
Tracing Nefilim
Brett Callow, a threat analyst with Emsisoft, a maker of anti-malware tools, told iTnews that Nefilim appeared in March and is based on code used by a now-shuttered ransomware operation known as Nemty.
"While an obvious conclusion would be that the operators are the same, that may not be the case," Callow said.
"The Nefilim group seem to be more sophisticated than Nemty and their victim profile is somewhat unusual.
"While most groups attack mix of large and smaller businesses, Nefilim has so far only posted details of attacks on larger enterprises such as Toll, Cosan and MAS holdings."
Callow said Nefilim's encryption is secure - "meaning data cannot be recovered via third-party tools".
"Attacks such as this in which data is both encrypted and (possibly) exfiltrated are increasingly common and extremely problematic," he said.
"The stolen data often includes information relating to a company’s customers and business partners, and may be sold or traded on the dark web, sold to competitors or used in spear phishing attacks or BEC [Business Email Compromise] scams.
"Consequently, such incidents should be regarded as data breaches from the outset and those whose data may have been exposed advised accordingly."
Nefilim is Toll Group's second encounter with ransomware in 2020, after earlier spending the best part of six weeks recovering from a Mailto ransomware infection.
.png&h=141&w=208&c=1&s=1)
