Large hangar warehouse showing ransomware attack on Toll Group

Toll Group’s Operations Shut Down by Yet Another Ransomware Attack

The Australian logistics giant Toll Group has experienced another ransomware attack causing unexpected delays to its customers. This is the second ransomware attack to strike the company within three months. Toll Group is a Japan Post Holdings subsidiary and operates in 50 countries with more than 1,200 locations and 40,000 employees. Various ecommerce giants such as eBay use the transport company to dispatch their cargos across the world. The attack involved Nefilim ransomware, which is a new form of ransomware that exploits Remote Desktop Connections (RDP) to infiltrate the target system.

Toll Group ransomware attack timeline

Toll Group shut down various systems after detecting unusual activity on its systems. The company later released a statement informing customers of possible inconveniences because of a ransomware attack on its core systems.  According to the statement, deliveries and freights were not affected, although MyToll portal remains offline. The shutdown prevented customers from tracking their parcels online. Toll Group said it would prioritize the most urgent deliveries, especially for COVID-19 related items. The global logistics company said no data was extracted from its systems, and it was in contact with the Australian Cyber Security Centre (ACSC) to investigate the incident. The logistics giant, however, rejected ransomware demands.

“Toll has no intention of engaging with any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our network,” the statement read in part.

Consequently, Toll opted to switch to the manual system while cleaning its servers and restoring its systems from backup files. The recent ransomware attack also prompted the rebuilding of the core systems to prevent any lurking threats from executing another attack.

Toll later released an update announcing the completion of a critical restoration step. The company also said it had established an external mail system to allow communication with employees working on its cloud platforms.

Nefilim ransomware attack indicators of compromise (IOC)

The Nefilim ransomware operators infiltrated the system through vulnerable RDP servers before expanding to other attack methods.

Other ransomware operators such as SamSam have exploited the same attack vector by brute-forcing passwords of exposed systems.

Nefilim uses the AES-128 encryption method to lock the users’ files before demanding payment.  The ransomware has similar features to Nemty ransomware, although lacking the ransomware-as-a-service component. The operation of Nefilim ransomware implies code sharing with Nemty ransomware after the latter ceased public operations and switched to private mode.

The Nefilim group operates like Maze ransomware through double extortion. The method involves not only encrypting the users’ files but also threatening to publish the data online through name and shame tactics. Companies have seven days after the ransomware attack to make payments before the cyber criminals release the data.

Toll Group experienced a similar ransomware attack on February 3 involving the MailTo ransomware, also known as NetWalker. Unlike Nefilim ransomware that could take months before executing the final attack, NetWalker starts the encryption process instantly after infiltrating the system.

The online publishing of sensitive data could be very disastrous not only to the company’s data but also credibility. It also exposes customers to the possibility of financial losses when credit card information is released online.

The frequency of cyber-attacks affecting the company is a worrying trend suggesting a persistent vulnerability in the company’s computer systems.

Despite the concerns of the consistency of the attacks on Toll Group, Rui Lopes, Engineering and Technical Support Director at Panda Security, says the frequency of the attacks is not at all surprising.

“When large companies are specifically targeted by hackers, their business can literally be under attack every day, so it’s no surprise that a second ransomware attack on Toll Group occurred. However, after the first attack, a thorough forensic analysis should have determined where security protections and protocols failed, and subsequently should have rolled out next-generation endpoint security on all endpoints. In the case of ransomware, lightning can strike twice, and there’s no grace period that’s honored before the next attack.”

Mitigating ransomware threats

Ransomware attacks pose a significant threat against many companies in the United States.  Over 1,000 companies reported ransomware attack as a forward-looking threat in U.S. Securities Exchange Commission filings within the past 12 months.

Companies can mitigate attacks such as the Nefilim ransomware attack, by disabling RDP when not in use, or by utilizing an RDP gateway. Enabling Network Level Authentication for RDP connections would also diminish the success of such an attack.

Fausto Oliveira, Principal Security Architect at Acceptto points out the seriousness of the attack and the maliciousness of the threat actors:

“This is a serious incident that targets a very important part of the supply chain. To perform an attack such as this during the Covid-19 epidemic is not only criminal, it shows a heightened degree of callousness and disregard for human life.”

Oliveira explains how the various attack vectors could give a ransomware access to a system.

“Reading the analysis provided by TrendMicro, the vector used to deploy the malware is either by the victim downloading the payload from a malicious URL or via a malware dropper. In lack of greater detail it leads to three hypothesis:

  • Either the executable payload was downloaded mistakenly by a user and it was not caught because web gateways are not being used or are misconfigured;
  • Some zero day dropper was used that exploits a vulnerabilities and allows the ransomware to be dropped into the production environment and the endpoint protection solution didn’t detect the execution of the malware; and
  • There is an surface of attack that is open and exploitable which wouldn’t be the case given the previous incident.

“The first hypothesis can be addressed by reviewing existing security controls and establishing processes to change how executable payloads can be denied at the point of entry. The second hypothesis requires further analysis, however, some controls such as whitelisting payloads, OS monitoring tools and modern EDR tools, should have stopped the infection in its tracks, preventing it from affecting further assets. The third, if true, shows that there is more effort required by the Toll Group to perform a thorough review of the surfaces of attack open to external and internal actors and start using security controls such as micro segmentation and zero trust to avoid a repeat of this incident.”