DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
Cyber

Toll Group ransomware attack (Nefilim variant)

6 May 2020 · Melbourne, Australia
Satellite Imagery © Esri

What happened

On 5 May 2020 Toll Group, the Australian logistics and freight company, disclosed that it had shut down certain IT systems after detecting unusual activity on a number of servers. Working with security experts, it identified the cause as Nefilim, a ransomware variant first seen in early 2020 and typically spread through poorly secured Remote Desktop Protocol connections. Toll stressed the incident was unrelated to a separate Mailto (Netwalker) ransomware attack it had suffered in late January 2020. Customer-facing services including the MyToll portal were taken offline, and the company ran on manual and business-continuity processes for much of the week.

Toll stated from the outset that it had no intention of engaging with any ransom demand, consistent with advice from cybersecurity experts and government authorities, and said it was working with the Australian Cyber Security Centre and Australian Federal Police. The company later confirmed that attackers had accessed at least one corporate server holding information on some past and present employees and details of commercial agreements with some current and former enterprise customers.

After Toll refused to pay, the Nefilim operators published stolen Toll data to their Tor-based 'Corporate Leaks' site, with the gang claiming more than 200GB of archived files. Toll acknowledged the publication and said it would notify and support affected parties.

Assessment

This was a financially motivated criminal ransomware operation by the Nefilim group, using double-extortion (encryption plus data theft and a public leak site). There is no established state attribution, and Toll itself treated it as a criminal cyber incident. Its significance lies in the disruption to a major logistics provider and in being a second ransomware breach within months, underscoring how unremediated network weaknesses and exposed RDP can leave critical supply-chain operators repeatedly exposed. The leak of employee and commercial data illustrates the escalating data-extortion model.

This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.