Right after just recovering from a ransomware attack in January, Toll Group has been the target of another ransomware attack. 

What happened?

Toll got hit by a fairly fresh ransomware, Nefilim. Most of the online customer software has been taken offline and employees are working from their personal computers as they are unable to gain access to the company’s devices. It is suspected that the method of entry was through exposed RDP (remote desktop protocol) or virtual desktop endpoints. 

What is Nefilim?

Nefilim started propagating by the end of February 2020 and it has been discovered that it is an upgraded version of Nemty 2.5 ransomware. However, Nefilim is not classified as a RaaS (Ransomware-as-a-Service). It is dependent on email communications for ransom payments instead of Tor sites. It is assumed that its mode of propagation is through RDP, similar to Nemty, SAMSAM, and Crysis. 

To be noted

Threat actors behind this attack are not utterly reliant on Nefilim, indicating that they may have exfiltrated the firm's data for extortion before launching a full-fledged ransomware attack. 


The first attack suffered by Toll was due to a recent malware, named Mailto. This attack was devastating on the group since a large chunk of their IT infrastructure was compromised. 

In essence

Toll stated that they have taken measures to mitigate the impact and are conducting a detailed investigation to gauge the impact. Corporate VPN and Active Directory applications have been compromised and taken offline.

Cyware Publisher