The “Nefilim” ransomware threatens to leak data of Victoria’s Secret if the demands are not met. Attackers are threatening if the company fails to make the required payments.
However, Toll Group had shut down its IT system after detecting “unusual activities.” The company responsible for delivering many hundreds of thousands of parcels per day confirmed that the Nefilim ransomware attack was unrelated to the one experienced earlier this year.
It has been analyzed that Toll Group is taking a hard line by assuring the media that it would not pay the ransom, as with the first attack suffered in early 2020. It’s moving to manual processes to get the system moving again.
Likewise, it has also been reported by Sky News that Beyonce and Victoria’s Secret Sri Lanka-based lingerie maker, MAS Holdings was also attacked, with the latest information indicating the attempted extortion is also from Nefilim.
As per the report, the criminal group claims to have stolen 300GB of private files and posted some of the allegedly stolen documents online as evidence.
Sky News reported that hackers could potentially seek to exploit the breach to target the company’s commercial partners.
MAS Holdings declined to comment on whether it had alerted its partners or if any of their data had been affected.
The company said:
“MAS is constantly reviewing its security posture and threat actors do attempt to penetrate our network at times. We also adopt best practices in line with industry standards in managing such threats.”
Brett Callow, the Threat Analyst at Emsisoft, gave additional details regarding the attack:
“Exfiltrating data providers the cybercrime groups with additional leverage to extort payment and also add them with additional monetization options. Should the company not pay, the stolen data can be sold, traded, or for spear phishing attacks on other organizations. In fact, the actors may do that whether or not the company pays.”
Callow said that the analysis revealed that there is clear evidence that data stolen in these attacks has been sold to the targeted company’s competitors, sold and traded on the dark web, used to spear-phish, and used for identity theft.
However, cybercriminals stated that they obtained 300 GB of private files from MAS Holdings, and as evidence, they had already published some stolen documents online.
Similarly, Callow believes that such type of ransomware is showing a “growing trend” within the cybercrime world.
“The first group to steal and publish data was Maze at the end of last year. Since then, multiple other groups have adopted the same strategy, so it’s a strategy which obviously works. In one case, the Maze group asked for $2 million: $1 million to decrypt the data plus an additional $1 million to destroy the stolen copy. The amount of the demand will vary from victim to victim, and from case to case.”
Thus, ransomware attacks over the past week affected various industries during the pandemic.