The “Toll Group” Falls Victim to the Nefilim Ransomware Gang

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

The “Toll Group” has announced the second security lapse within four months, and this time it is an infection from the Nefilim ransomware. The attack occurred on May 5, 2020, with Toll’s IT team taking down all systems as a precautionary step. Immediately, the firm decided not to engage with the actors behind Nefilim, saying that they will not negotiate any ransom demands. Their initial investigation showed that the actors hadn’t managed to exfiltrate data from Toll’s systems, so they wouldn’t have any way to apply further pressure.

Yesterday, Toll’s experts performed system cleaning and file restoration from backups, while business operations turned to manual processes, so some delays for the customers were inevitable. Toll Group is Australia’s largest transportation and logistics company, moving freight through the sea, air, and land. During the COVID-19 pandemic, the business of goods transportation is one of the few types that remained active and also crucial. Considering this, the targeting of Toll by the Nefelim ransomware group must not have been random.

Today, Toll announced that its IT systems are being gradually restored, but they are still in the process of testing the customer-facing apps, and this will take another week. It means that parcel tracking and tracing through the “MyToll” portal remains offline, and customers are advised to call Toll and ask for details instead. Similarly, clients won’t be able to access their invoices online, and there will be no “Proof of Delivery” and no email communication. Even Toll’s employees will have to rely on workarounds for the time being, as cloud-based platforms and email servers haven’t been fully restored yet.

Charles Ragland of Digital Shadows told us that Toll must have left an exposed Remote Desktop Protocol (RDP) connection, as this is the main attack vector used by the Nefilim ransomware. As he commented: “For attacks that target RDP, organizations should look to reduce their attack surface by disabling RDP on machines where it isn't necessary, use an RDP Gateway, and enable Network Level Authentication for RDP connections.”

Rui Lopes of Panda Security expressed his surprise when asked to comment about a second attack on Toll Group. As he characteristically said: “After the first attack, a thorough forensic analysis should have determined where security protections and protocols failed, and subsequently should have rolled out next-generation endpoint security on all endpoints. In the case of ransomware, lightning can strike twice, and there’s no grace period that’s honored before the next attack.”



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: