Security researchers have discovered a trove of sensitive corporate data belonging to the Toll Group lurking on the dark web months after news broke that the logistics company had been hit by a ransomware attack.
The news came via Data Breach Today, which found the trove of corporate data on the dark web after the second wide-ranging ransomware attack on the Toll Group this year.
The hackers responsible posted to a dark web site dedicated to corporate leaks, and poked fun at the logistics company for its lack of robust security controls to mitigate the risk of further cyber attacks.
“Toll Group failed to secure their network even after the first attack,” the anonymous poster commented. “We have more than 200GB of archives of their private data,” they added.
Thomas Knudsen, Toll’s managing director, said the ransomware attacks were “serious and regrettable,” at a time when his company is attempting to regain its reputation and secure its systems.
In February of this year, we reported that Toll’s deliveries were in limbo after the company was unable to process a number of its deliveries in the aftermath of its first ransomware attack. A Toll representative said that a “new variant of the Mailto ransomware” was responsible for crippling its network, and the company alerted federal authorities.
In early May, cyber criminals going by the name of the ‘Neifilim gang’ struck Toll’s systems again, and threatened to publish the data they had collected if an unspecified ransom wasn’t paid. Toll refused to pay the ransom in both attacks, which led the Neifilim gang to publish vast amounts of corporate data online.
A spokesperson from the Toll Group has confirmed the dark web data breach, stating that the company’s “ongoing investigation” has determined that the attacker “has now published to the dark web some of the information that was stolen,” as a result of the ransomware attack.
“As a result, we are now focussed on assessing and verifying the specific nature of the stolen data that has been published,” the company said. “As this assessment progresses, we will notify any impacted parties as a matter of priority and offer appropriate support,” Toll said.
According to reporting from Data Breach Today, “dumped data includes a list of supposedly stolen files from a ‘corporate finance’ directory with names that appear to refer to annual financial reports, cash flow statements, invoices for drug-screening and reports to the board of directors. Neifilim also released a 2GB ‘TOLLGROUP_leak_part1’ archive containing alleged samples of stolen data.”
The company also confirmed that the server impacted by the ransomware attack contained “details of commercial agreements with some of our current and former enterprise customers.”
David Stubley, head of security testing company 7 Elements, has said that it is essential to “identify and understand how the attack occurred, rather than just dealing with the outfall of the ransomware.”
“A smash-and-grab type of approach is where somebody has managed to get an end user to execute an executable that is the ransomware package in its own right, so they’ve opened up a tainted spreadsheet, and that causes the ransomware to instantly start encrypting files on the machine.”
“That’s different from some group that has used malware to gain an initial foothold on a network, where they’re not deploying the ransomware initially – they’re doing it at a later date… so the malware gives them remote control of an asset and then they deploy further tools, and one of those tools may eventually be ransomware.”
Brett Callow, a threat analyst with Emsisoft, has said that “ransomware groups frequently leave behind backdoors to maintain post-attack access to the networks they have compromised, and this is one of the main reasons we recommend that companies completely rebuild their networks rather than simply decrypting their data.”
“These backdoors are typically ‘owned’ by affiliates, and those affiliates may change allegiance or sell or trade them with other groups,” he added.