Toll Group - Nefilim Ransomware
Just three months after the first ransomware attack, Toll Group was hit again—this time by the more sophisticated Nefilim ransomware variant that not only encrypted systems but also stole and threatened to publish sensitive data.
What Happened
On 4 May 2020, Toll Group detected a second major ransomware attack, this time using the Nefilim variant. Unlike the February attack, which used Mailto ransomware, Nefilim employed double extortion tactics: encrypting data while also stealing sensitive information and threatening its public release if ransom demands weren't met.
The attackers claimed to have exfiltrated large volumes of data including employee personal information (names, dates of birth, driver licence and passport details), customer business records, and operational data. Toll again shut down IT systems to contain the breach and engaged the Australian Cyber Security Centre.
Impact on Individuals
The data theft component of this attack created more serious risks than the February incident. Employees faced potential identity theft from exposed driver licences and passports. Customers' sensitive business information and supply chain data were potentially compromised. The threat of public data release added extortion pressure beyond the cost of simple system recovery.
Organisational Response
Toll once again refused to pay the ransom and focused on system recovery and data protection. CEO Thomas Knudsen acknowledged the company had been targeted twice in quick succession, raising questions about the company's security posture. Toll accelerated cybersecurity improvements and engaged additional external specialists. The dual attacks became a case study in the persistent targeting of critical logistics infrastructure.