Cyber Incident Victim: Toll Group
Date: May 2020
Location: Australia
Summary
A global logistics company experienced two ransomware attacks within months, initially infected by MailTo (Netwalker) and later by Nefilim, a variant whose distribution was linked to exposed Remote Desktop Protocol. The second incident prompted system shutdowns after unusual activity was detected, disrupting customer tracking capabilities and forcing reliance on manual contingency processes for over a week. Core systems required rebuilding and disinfection, with data restored from backups rather than through ransom payment. While freight operations remained largely functional, the two attacks together highlighted persistent cybersecurity risks. The company maintained that it found no evidence of data exfiltration and reiterated its policy against negotiating with threat actors.
Description
In early 2020, Toll Group, a global logistics company with operations in over 50 countries and approximately 40,000 employees, experienced its first ransomware attack on February 3. The incident involved the MailTo ransomware variant, also known as Netwalker, which rapidly encrypted files upon infection, forcing Toll to disable affected IT systems. This malware attack disrupted normal business operations, requiring Toll to undertake recovery efforts before eventually restoring services. The company publicly disclosed the incident, characterizing it as a malware infection that necessitated system-wide containment measures. Three months later, on May 5, Toll detected unusual activity on its servers, prompting another immediate shutdown of certain IT systems. Subsequent analysis revealed this to be a separate ransomware incident involving the Nefilim variant, which security researchers had first identified in March 2020 as an evolution of Nemty ransomware.

The May 2020 Nefilim attack relied on a different infection mechanism, with evidence suggesting distribution through exposed Remote Desktop Protocol (RDP) configurations. This ransomware employed AES-128 encryption to lock files and used direct email communication for ransom demands rather than the Tor network. Toll Group reiterated its policy against paying ransoms, confirming no evidence of data exfiltration but acknowledging operational impacts, including an extended outage of its MyToll customer portal that disabled parcel tracking. While freight operations remained largely functional, the company activated contingency plans involving manual processing across its distribution network. Recovery efforts focused on rebuilding core systems, cleansing infected servers, and restoring data from backups rather than negotiating with the attackers. The disruption was projected to persist for at least the remainder of the week following detection, making this Toll's second major ransomware incident within a three-month period.
