New tweak of ransomware reported hitting supply chain companies in several countries

News

October 6, 2020

Ransomware used to work by blocking access to the victim’s data: the attackers encrypted it, making it unavailable, and then demanded a ransom for the decryption key so that the locked data could be restored. With the so-called Nefilim ransomware, discovered in March this year, a new tactic was introduced that has since become mainstream. The attackers set up so-called “leak sites” where they publish documents stolen from victims who refuse to pay the ransom for the decryption key. This tactic is called “double extortion”. Other ransomware families that have adopted the scheme include Sodinokibi and DoppelPaymer.

The Toll Group, an Australian transportation and logistics company operating globally in road, rail, sea, air and warehousing, has experienced two ransomware attacks this year. The latter was the Nefilim ransomware, where the attackers threatened to leak company information if the Toll Group did not pay the ransom within one week [1]. The first attack, detected in early February this year, was the so-called NetWalker (also known as MailTo) ransomware, which infected 1,000 of the Toll Group’s servers. After the second attack the Nefilim attackers claimed: “Toll Group failed to secure their network even after the first attack. We have more than 200GB of archives of their private data”. It has been suggested that this comment could imply that the first NetWalker attack set up an undetected “backdoor” which the Nefilim attackers were later able to make use of.

Given the attacks on Toll have been by two different ransomware groups – first Mailto, and now Nefilim – the commentary could suggest the Nefilim attackers were able to make use of a backdoor set up by the Mailto attackers, which was not detected or closed between the attacks. 

On May 12 the Toll Group confirmed that commercial data had been stolen and that it anticipated the files being published [2], as it did not pay the ransom. The Australian Cyber Security Centre (ACSC) has taken note of the cyberattack and has started a probe.

Another transportation and logistics company recently hit by a data-stealing malware attack is the Canadian company Manitoulin Transport. The attack was carried out on July 30 this year, and the transport company’s IT staff became aware of the incident the next day [3]. The attack used the so-called Conti ransomware, which, like Nefilim, employs the “double extortion” tactic. Manitoulin Transport also decided not to pay the ransom, as it did not believe the attackers held enough information to be of concern. Since the attack the Manitoulin Group has taken additional measures to tighten its internal cybersecurity.

Written by Joakim Rosell
