Euro Security Watch with Mathew J. Schwartz

Breach Notification , Cybercrime , Cybercrime as-a-service

Toll Group Data Leaked Following Second Ransomware Incident

To Suffer One May Be Regarded As a Misfortune; To Suffer Two Looks Like Carelessness
Toll Group Data Leaked Following Second Ransomware Incident
The Nefilim ransomware gang has begun leaking data stolen from Toll Group, suggesting that the organization failed to lock down its network following a recent, previous ransomware outbreak.

With apologies to Oscar Wilde: "To suffer one ransomware outbreak may be regarded as a misfortune; to suffer two looks like carelessness."

See Also: Identity Security Clinic

Australian shipping giant Toll Group recently suffered its second ransomware attack of the year, with Thomas Knudsen, the company's managing director, branding the latest attack as being "serious and regrettable."

But was it preventable?

Toll Group, which is owned by Japan Post, has operations in over 50 countries and about 40,000 employees worldwide. The company first disclosed the second ransomware outbreak on May 5, warning that it had been hit by the Nefilim gang, which was threatening to leak stolen data unless the company paid a ransom.

Photo: Toll Group

The attack came about six weeks after Toll Group suffered a Mailto - aka Netwalker - ransomware attack, which disrupted operations for weeks.

As with the earlier ransomware outbreak, Toll Group vowed to not pay any ransom.

Nefilim Leaks Stolen Data

In response, on Wednesday, the Nefilim operators began leaking stolen Toll Group data to the gang's dedicated "Corporate Leaks" .onion site, a so-called darknet site reachable only via the anonymizing Tor browser, which is free and easy to download (see: Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks).

"Toll Group failed to secure their network even after the first attack. We have more than 200 GB of archives of their private data," the Nefilim gang claims on its leak site.

Dumped data includes a list of supposedly stolen files from a "corporate finance" directory with names that appear to refer to annual financial reports, cash flow statements, invoices for drug-screening and reports to the board of directors. Nefilim also released a 2 GB "TOLLGROUP_leak_part1" archive containing alleged samples of stolen data.

Toll Group has confirmed the leak. "Following our announcement last week that a ransomware attacker had stolen data contained on at least one Toll corporate server, our ongoing investigation has established that the attacker has now published to the dark web some of the information that was stolen from that server," the company says in a Wednesday statement. "As a result, we are now focused on assessing and verifying the specific nature of the stolen data that has been published. As this assessment progresses, we will notify any impacted parties as a matter of priority and offer appropriate support."

Security firm Trend Micro says Nefilim, which was first spotted about two months ago, appears to be run as a closed operation. That's in contrast to ransomware-as-a-service operations such as Sodinokibi - aka REvil - that involve operators giving software to affiliates, then sharing profits.

Pitney Bowes Hit Twice Too

Photo: Straticom Planning via Flickr/CC

Another organization that recently got hit by ransomware for the second time is Stamford, Connecticut-based Pitney Bowes.

The mailing equipment manufacturer, which booked $3.2 billion in 2019 revenue, was previously hit by ransomware in October 2019, and didn't name the strain used against it, although media reports suggested it was Ryuk. The company has blamed the most recent attack on the Maze gang (see: Pitney Bowes Battles Second Ransomware Attack).

The Maze gang has posted screenshots of Pitney Bowes directories, suggesting that it exfiltrated data before crypto-locking systems at the company.

Repeat-Outbreak Blues

How many organizations have been hit twice in short order? That question is tough to answer because many ransomware attacks never come to light. Sometimes, attackers don't name and shame victims. Other times, victims pay up in return for the promise of a decryptor, and also to have their name and data removed from any leak sites (see: Ransomware Reminder: Paying Ransoms Doesn't Pay).

But seeing an organization fall victim to two attacks in a relatively short period of time may indicate that the attackers, or at least their remote access to the victim's network, never really went away.

This can trace to organizations failing to conduct a full incident response investigation into the attack and identifying how attackers got in, and ensuring that their access has been expunged from all systems (see: Surviving a Breach: 8 Incident Response Essentials).

"You need to identify and understand how the attack occurred, rather than just dealing with the outfall of the ransomware," says incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements. Otherwise, attackers may be able to easily return.

"Ransomware groups frequently leave behind backdoors to maintain post-attack access to the networks they have compromised, and this is one of the reasons we recommend that companies completely rebuild their networks rather than simply decrypting their data," says Brett Callow, a threat analyst at security firm Emsisoft. "The backdoors are typically 'owned' by affiliates, and those affiliates may change allegiance or sell or trade them with other groups."

Prevalent Attack Tactics

While tactics vary, Stubley says ransomware outbreaks typically trace to one of two attack vectors: smash and grab, or more advanced intrusions. Understanding which one happened is key to ensuring attackers can't easily infiltrate a network again (see: 10 Ransomware Strains Being Used in Advanced Attacks).

"A smash-and-grab type of approach is where somebody has managed to get an end user to execute an executable that is the ransomware package in its own right, so they've opening up a tainted spreadsheet, and that causes the ransomware to instantly start encrypting files on the machine," Stubley tells me. In that case, remediating the attack may be as simple as removing the ransomware, wiping affected systems and restoring from backups.

"That's different from some group that has used malware to gain an initial foothold on a network, where they're not deploying the ransomware initially - they're doing it at a later date. So the malware gives them remote control of an asset and then they deploy further tools, and one of those tools may eventually be ransomware," he says. "But before that, they're going to be doing network enumeration, credential theft, lateral movement, and some of the threat-actor groups will be understanding what they compromised first, before they head to ransom."

Hence ransomware is often the final stage in a much longer attack chain. Weeks or months earlier, an attackers may have gained access to the victim's network via a phishing attack, or by brute-forcing weak remote desktop protocol credentials, or by buying stolen RDP credentials from others on cybercrime forums (see: Why Are We So Stupid About RDP Passwords?).

Next, the same attacker - or someone else to whom they've sold access - may map the victim's network, searching for valuable data to exfiltrate and potentially sell. Subsequently, the same attacker - or someone else to whom they've sold access - may install ransomware on as many endpoints as possible.

That's why a ransomware outbreak may just be part of the bigger cybersecurity problems facing an organization, unless it has correctly traced how the attack occurred and strengthened its systems and practices to prevent follow-on or repeat attack attempts.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.