New Breed of Ransomware Threatens to Expose Victoria’s Secrets

The “Nefilim” ransomware threatens to leak sensitive data if the demands are not met.

A series of ransomware attacks over the past week affected medical care, hundreds of thousands of parcel deliveries during the pandemic — and even a lingerie manufacturer. Attackers are threatening to leak sensitive data if companies fail to make the required payments.

ITNews reported that the Australian logistics giant Toll Group suffered its second ransomware attack so far this year, with a type of ransomware known as “Nefilim.”

Toll Group had shut down its IT system after detecting “unusual activities.” The company — responsible for delivering many hundreds of thousands of parcels per day — confirmed that the Neflim ransomware attack was unrelated to the one experienced earlier this year.

Toll Group is taking a hard line, assuring the media it wouldn’t pay the ransom, as with the first attack suffered in early 2020. It’s moving to manual processes to get the system moving again.

Threat to expose ‘secret’ information 

Sky News reported Beyonce and Victoria’s Secret Sri Lanka-based lingerie maker, MAS Holdings was also attacked, with the latest information indicating the attempted extortion is also from Nefilim.

The criminal group claims to have stolen 300GB of private files and posted some of the allegedly stolen documents online as evidence.

Sky News reported the hackers could potentially seek to exploit the breach to target the company’s commercial partners. MAS Holdings declined to comment on whether it had alerted its partners or if any of their data had been affected. In an email the company said:

“MAS is constantly reviewing its security posture and threat actors do attempt to penetrate our network at times. We also adopt best practices in line with industry standards in managing such threats.”

And on April 29 Cointelegraph reported a ransomware attack that targeted the Parkview Medical Center in Colorado, which rendered the technical infrastructure that kept patient information inoperable.

Growing trend for ransomware

Speaking with Cointelegraph, Brett Callow, threat analyst at Emsisoft, gave additional details regarding the attack:

“Exfiltrating data providers the cybercrime groups with additional leverage to extort payment and also add them with additional monetization options. Should the company not pay, the stolen data can be sold, traded, or for spear phishing attacks on other organizations. In fact, the actors may do that whether or not the company pays.”

According to Callow, the analysis revealed that there is clear evidence that data stolen in these attacks has been sold to the targeted company’s competitors, sold and traded on the dark web, used to spear-phish, and used for identity theft.

Cybercriminals leaked data as evidence of the attack

Cybercriminals claimed that they obtained 300 GB of private files from MAS Holdings, and as evidence, they had already published some stolen documents online.

Callow believes that such type of ransomware is showing a “growing trend” within the cybercrime world:

“The first group to steal and publish data was Maze at the end of last year. Since then, multiple other groups have adopted the same strategy, so it’s a strategy which obviously works. In one case, the Maze group asked for $2 million: $1 million to decrypt the data plus an additional $1 million to destroy the stolen copy. The amount of the demand will vary from victim to victim, and from case to case.”

However, Emsisoft revealed a considerable decline in the successful ransomware attacks, at least in the United States, during Q1 2020.