New twist on ransomware reported hitting supply chain companies in several countries
Ransomware used to work in one way: the attackers blocked access to the victim's data by encrypting it, making it unavailable, and then demanded a ransom for the decryption key so that the locked data could be restored. With the so-called Nefilim ransomware, discovered in March this year, a new tactic was introduced that has since become mainstream. The attackers run so-called "leak sites" where they publish documents stolen from victims who refuse to pay the ransom for the decryption key. This tactic is called "double extortion". Other ransomware families that have since adopted the scheme include Sodinokibi and DoppelPaymer.
The Toll Group, an Australian transportation and logistics company operating globally in road, rail, sea, air and warehousing, has suffered two ransomware attacks this year. The second was the Nefilim ransomware, where the attackers threatened to leak company information if the Toll Group did not pay the ransom within one week [1]. The first attack, detected at the beginning of February this year, was the so-called NetWalker (also known as MailTo) ransomware, which infected 1,000 of the Toll Group's servers. After the second attack the Nefilim attackers claimed: "Toll Group failed to secure their network even after the first attack. We have more than 200GB of archives of their private data". This comment has been taken to imply that the first NetWalker attack might have set up an undetected "backdoor" that the Nefilim attackers were later able to make use of.
Given that the attacks on Toll were carried out by two different ransomware groups, first MailTo and then Nefilim, the commentary could suggest that the Nefilim attackers made use of a backdoor set up by the MailTo attackers, one that was neither detected nor closed between the two attacks.
On May 12 the Toll Group confirmed that commercial data had been stolen and that it anticipated the files being published [2], as it did not pay the ransom. The Australian Cyber Security Centre (ACSC) has taken note of the cyberattack and has started an investigation.
Another transportation and logistics company recently hit by a data-stealing malware attack is the Canadian company Manitoulin Transport. The attack took place on July 30 this year, and the company's IT staff became aware of the incident the next day [3]. The malware used was the so-called Conti ransomware, which, like Nefilim, uses the "double extortion" tactic. Manitoulin Transport also decided not to pay the ransom, as it did not believe the attackers held data of significant concern. Since the attack the Manitoulin Group has taken additional measures to tighten its internal cybersecurity.
Written by Joakim Rosell