Toll Group has confirmed they suffered a ransomware attack for the second time in four months. 

According to the company, Toll Group took the precautionary step of shutting down certain IT systems after unusual activity on some of its servers was detected. Later, Toll Group confirmed the attack was a new form of ransomware known as Nefilim. Charles Ragland, security engineer at Digital Shadows, explains that “Nefilim is a relatively new ransomware variant that was first identified in March 2020. Notably, current reports suggest Nefilim uses exposed Remote Desktop Protocol (RDP) connections for infection. This attack vector has previously been used by ransomware variants like SamSam, where attackers would brute-force passwords for machines exposed via RDP. For attacks that target RDP, organizations should look to reduce their attack surface by disabling RDP on machines where it isn't necessary, using an RDP Gateway, and enabling Network Level Authentication for RDP connections.”
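As an added example (not code from the article or from Digital Shadows), the following Python script flags the RDP password-guessing pattern Ragland describes by counting failed logons (Windows Security event 4625 with logon type 10, RemoteInteractive) per source address inside a sliding time window; the log lines are constructed and the flattened field layout is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a flattened Security-log style (not real Toll Group data).
# Event 4625 = failed logon; LogonType 10 = RemoteInteractive, i.e. an RDP session attempt.
SAMPLE_LOG = """\
2020-05-05T10:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-05-05T10:00:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-05-05T10:00:04 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-05-05T10:00:06 EventID=4625 LogonType=10 TargetUserName=svc_account IpAddress=203.0.113.7
2020-05-05T10:00:09 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-05-05T10:00:12 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.4
2020-05-05T10:02:30 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.4
2020-05-05T10:15:00 EventID=4625 LogonType=3 TargetUserName=fileshare IpAddress=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

def parse_line(line):
    """Parse one flattened log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]), "user": m["user"], "ip": m["ip"]}

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1), logon_types=(10,)):
    """Return {ip: (failures_in_window, sorted distinct user names tried)} for every
    source that reaches `threshold` failed RDP logons within any `window`-long interval.
    With NLA enforced, guesses rejected before a session exists are commonly recorded
    with LogonType 3 instead, so pass logon_types=(3, 10) on such hosts."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> user names that source has tried
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["event_id"] != 4625 or ev["logon_type"] not in logon_types:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        users[ev["ip"]].add(ev["user"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = (len(q), sorted(users[ev["ip"]]))
    return flagged
```

Run against a real export, the same logic gives the per-source failure rate that an RDP Gateway or firewall block rule would be keyed on.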

"This is unrelated to the ransomware incident we experienced earlier this year. Toll has no intention of engaging with any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our network. We are in regular contact with the Australian Cyber Security Centre (ACSC) on the progress of the incident," the company said. 

In an update, Toll Group noted that they completed an important step in the restoration of IT systems with the full and secure reactivation of one of their core IT systems, which underpins most of the company’s online operations. They are planning for business continuity and manual processes to continue into next week to keep services moving as they work towards the full and secure reactivation of the online systems.

The company added that they continue to work through the scanning and testing of servers which they will gradually and securely bring back online. In addition, Toll says, they have re-established external email into the company, and email access for Toll employees who operate on their cloud-based platforms is being progressively restored. Work is continuing on restoring remaining email servers.

Rui Lopes, Engineering and Technical Support Director at Panda Security, claims that, “When large companies are specifically targeted by hackers, their business can literally be under attack every day, so it’s no surprise that a second ransomware attack on Toll Group occurred. However, after the first attack, a thorough forensic analysis should have determined where security protections and protocols failed, and subsequently should have rolled out next-generation endpoint security on all endpoints. In the case of ransomware, lightning can strike twice, and there’s no grace period that’s honored before the next attack.”

Fausto Oliveira, Principal Security Architect at Acceptto, noted that the Toll Group is able to restore their operational environment from backup by using their Business Disaster Recovery plan. "It is also good that they acted swiftly and brought down affected systems, hopefully minimizing the spread of the ransomware."

On a less positive side, Oliveira adds, "we have an organization that has been affected for six days with all the financial and reputational consequences this incident brings not only to them but also to their customers and consumers. The fact that they have been attacked twice by what seems to be tailored ransomware opens the question of how is this possible, i.e. how did the malware manage to get into the organization and why weren't more robust processes in place to avoid this malware being dropped into the environment?"

Reading the analysis provided by Trend Micro, says Oliveira, the vector used to deploy the malware is either the victim downloading the payload from a malicious URL or a malware dropper. In the absence of greater detail, this leads to three hypotheses, notes Oliveira: 

  • Either the executable payload was downloaded mistakenly by a user and was not caught because web gateways are not being used or are misconfigured
  • Some zero-day dropper was used that exploits a vulnerability and allows the ransomware to be dropped into the production environment, and the endpoint protection solution didn't detect the execution of the malware
  • There is an attack surface that is open and exploitable, which shouldn't be the case given the previous incident.

"The first hypothesis can be addressed by reviewing existing security controls and establishing processes to change how executable payloads can be denied at the point of entry," Oliveira says. "The second hypothesis requires further analysis; however, some controls such as whitelisting payloads, OS monitoring tools and modern EDR tools should have stopped the infection in its tracks, preventing it from affecting further assets. The third, if true, shows that there is more effort required by the Toll Group to perform a thorough review of the surfaces of attack open to external and internal actors and start using security controls such as micro-segmentation and zero trust to avoid a repeat of this incident.”