Toll, a large Australian transportation company, was hit with a new ransomware attack, only three months after a previous incident. This time, the malware is named Nefilim, and attackers also stole data from the affected servers.
The first attack, which crippled the transportation company, took place on January 31. It took the firm months to fully recover from that event, and it now faces yet another ransomware attack, this time of a different nature.
If the first Mailto ransomware attack directly affected their entire infrastructure, on a global level, the second attack was more insidious, likely because the company took better security measures.
Toll revealed that hackers gained access to one of their servers, stole some data, and deployed the Nefilim ransomware. The affected systems are slowly being brought back online.
“Our ongoing investigations have established that the attacker has accessed at least one specific corporate server,” said Toll in a communique. “This server contains information relating to some past and present Toll employees, and details of commercial agreements with some of our current and former enterprise customers. The server in question is not designed as a repository for customer operational data.”
The investigation revealed that the attacker downloaded some data from the server, but they have yet to determine precisely what was stolen. The likely destination of the data is the “dark web” if it is ever put up for sale.
The company is already in the process of contacting the people and companies affected by the breach, and they’ve already announced that they have no intention of paying the ransom, which is line with the standing recommendations in such situations. Toll also notified the Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP) of the incident.