Toll Group may have lost over 200GB of data in ransomware attack

Toll Group may have lost over 200GB of corporate data to the Nefilim attackers, who have now started to dump it onto the web after failing to secure a ransom from the company.

In a brief note to a leak site on Wednesday, the attackers released a compressed archive along with a text file listing documents stolen from Toll, which they described as “part one”.

They also appeared to suggest they were able to exploit the same vulnerability in Toll’s infrastructure as a previous set of attackers.

“Toll Group failed to secure their network even after the first attack. We have more than 200GB of archives of their private data,” the Nefilim attackers claimed.

Given the attacks on Toll have been by two different ransomware groups - first Mailto, and now Nefilim - the commentary could suggest the Nefilim attackers were able to make use of a backdoor set up by the Mailto attackers, which was not detected or closed between the attacks.

"A major company being hit by two different ransomware groups within a relatively short space of time is highly unusual but not without precedent," said Brett Callow, a threat analyst at security firm Emsisoft.

"It’s not at all unusual for groups to leave behind backdoors. The backdoors are typically 'owned' by affiliates who may change allegiance or sell or trade them with other groups.

"Consequently, a successful attack by one group could potentially result in a successful attack by another.

"This is one of the reasons that we strongly recommend that companies completely rebuild their networks post incident."

It is unclear how much of Toll’s environment was rebuilt in response to the initial Mailto incident.

Toll Group said it is attempting to verify the data that has been published.

“Following our announcement last week that a ransomware attacker had stolen data contained on at least one Toll corporate server, our ongoing investigation has established that the attacker has now published to the dark web some of the information that was stolen from that server,” a company spokesperson told iTnews late Wednesday.

“As a result, we are now focused on assessing and verifying the specific nature of the stolen data that has been published.

“As this assessment progresses, we will notify any impacted parties as a matter of priority and offer appropriate support.”

Toll Group was hit with a Nefilim ransomware infection earlier this month. One of the hallmarks of the attack is to exfiltrate and publish data if a ransom is not paid, often within as little as one week.

The company confirmed on May 12 that commercial data had been stolen and that it was anticipating the files being published.