After detecting unusual activity on its systems, Toll Group, owned by Japan-based Post Holdings, confirmed a cyber attack involving the ‘Nefilim’ ransomware.
Although deliveries have not been impacted, the shutdown prevented customers from tracking their parcels online.
Our ongoing investigations have established that the attacker has accessed at least one specific corporate server. This server contains information relating to some past and present Toll employees, and details of commercial agreements with some of our current and former enterprise customers. The server in question is not designed as a repository for customer operational data.
After detecting the attack, the company shut down its IT systems to mitigate the risk of further infection. It also rejected the ransom demands.
At this stage, we have determined that the attacker has downloaded some data stored on the corporate server, and we are in the process of identifying the specific nature of that information.
The attacker will probably publish the stolen data on the ‘dark web’. This means that the information is not readily accessible through conventional online platforms, Toll explained.
Currently, the company is working with the Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP). It expects that it will be several weeks before more details are determined.
This follows another cyber attack on the company in early February, involving the MailTo ransomware, also known as NetWalker. Unlike the Nefilim ransomware, which could take months before executing the final attack, NetWalker starts the encryption process instantly.