{
	"id": "b332a347-5f1e-4fba-9130-fb18dda4983a",
	"created_at": "2026-04-06T00:11:59.879093Z",
	"updated_at": "2026-04-10T03:20:05.630579Z",
	"deleted_at": null,
	"sha1_hash": "a993100b9e920b7d369061229dace8da3aee0856",
	"title": "Toll Group hit by ransomware a second time, deliveries affected",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1280027,
	"plain_text": "Toll Group hit by ransomware a second time, deliveries affected\r\nBy Lawrence Abrams\r\nPublished: 2020-05-05 · Archived: 2026-04-05 14:04:55 UTC\r\nThe Toll Group has suffered its second ransomware cyberattack in three months, with the latest one conducted by the\r\noperators of the Nefilim Ransomware.\r\nToll Group is Asia Pacific's leading provider of trans portion and logistics services, employing roughly 44,000 people at\r\n1,200 locations in more than 50 countries.\r\nOn February 5th, 2020, Toll Group announced that they had suffered a cyberattack by a new ransomware variant called\r\nMailto that required them to shut down their network to prevent more devices from being encrypted.\r\nhttps://www.bleepingcomputer.com/news/security/toll-group-hit-by-ransomware-a-second-time-deliveries-affected/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/toll-group-hit-by-ransomware-a-second-time-deliveries-affected/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nThis action led to some disruptions in their customer-facing applications.\r\nA second attack by the Nefilim ransomware\r\nIn an announcement today, Toll Group states that they have suffered another attack that has caused them to shut down their\r\nsystems again. This time the cyberattack was conducted by the operators of the Nefilim Ransomware.\r\n\"Toll took the precautionary step yesterday of shutting down certain IT systems after we detected unusual activity on some\r\nof our servers.\r\nAs a result of investigations undertaken so far, we can confirm that this activity is the result of a ransomware attack.\r\nWorking with IT security experts, we have identified the variant to be a relatively new form of ransomware known\r\nas Nefilim. This is unrelated to the ransomware incident we experienced earlier this year. Toll has no intention of engaging\r\nwith any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our\r\nnetwork. We are in regular contact with the Australian Cyber Security Centre (ACSC) on the progress of the incident.\"\r\nThe Nefilim Ransomware is a relatively new Ransomware-as-a-Service operation created by the developer of the Nemty\r\nRansomware and a private group of malware distributors.\r\nThis group has been actively looking for threat actors experienced in spamming and gaining access to remote networked\r\ncomputers to launch network-wide corporate attacks.\r\nWhile the Toll Group states that there is no evidence of any data being stolen, Nefilim is known for stealing unencrypted\r\nfiles and using it as leverage to get victims to pay the ransom.\r\nThis further extortion tactic is done through a \"Leaks\" site that they have created where they threaten to release stolen data if\r\na victim does not pay.\r\nAs pointed out by security researcher Troy Mursch of Bad Packets Report, the Toll Group was utilizing a vulnerable Ctrix\r\nADC Netscaler server in the first attack and continued to do so during the latest one.\r\nShut down impacting deliveries\r\nIn a tweet posted by Toll Group, they state that they have had to shut down their \"MyToll\" shipping portal customer site as\r\npart of their defense against the ransomware attack.\r\nhttps://www.bleepingcomputer.com/news/security/toll-group-hit-by-ransomware-a-second-time-deliveries-affected/\r\nPage 3 of 5\n\nIn reply to the tweet, customers have stated that their deliveries have been impacted as without MyToll they are unable to\r\nredirect shipments to another collection center.\r\nBleepingComputer has contacted the Toll Group with questions related to the attack but has not heard back as of yet.\r\nUpdate 5/6/20: Included information about Citrix ADC Netscaler device \r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nhttps://www.bleepingcomputer.com/news/security/toll-group-hit-by-ransomware-a-second-time-deliveries-affected/\r\nPage 4 of 5\n\nSource: https://www.bleepingcomputer.com/news/security/toll-group-hit-by-ransomware-a-second-time-deliveries-affected/\r\nhttps://www.bleepingcomputer.com/news/security/toll-group-hit-by-ransomware-a-second-time-deliveries-affected/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/toll-group-hit-by-ransomware-a-second-time-deliveries-affected/"
	],
	"report_names": [
		"toll-group-hit-by-ransomware-a-second-time-deliveries-affected"
	],
	"threat_actors": [],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a993100b9e920b7d369061229dace8da3aee0856.pdf",
		"text": "https://archive.orkl.eu/a993100b9e920b7d369061229dace8da3aee0856.txt",
		"img": "https://archive.orkl.eu/a993100b9e920b7d369061229dace8da3aee0856.jpg"
	}
}