Toll had to shut down servers in early February because of a different unspecified “cyber incident.” It is unknown at this time whether the two incidents are related or not. Given that Toll has been so open and public about this current incident and that they are not engaging with Nefilim’s ransom demands, it is possible that Nefilim will not wait much longer before posting any stolen data to their “Corporate Leaks” site. When dealing with ransomware attacks two of the most important aspects are the speed with which the victim is able to shut down and segregate affected devices to keep it from spreading across the network, and the infrastructure in place for recovery. Endpoint Detection and Response (EDR) is the most important tool for detecting attacks quickly and responding effectively to isolate infected computers, but it only provides value if a security operations center is monitoring alerts 24 hours a day, every day to respond at the first signs of attack. When putting backups in place for recovery it is important not only to make backups at regular intervals but also to utilize the 3-2-1 rule. Have at least three copies of your data, store the copies on at least two different devices, and keep at least one copy offsite. More information on this incident can be found at https://www.fullyloaded.com.au/industry-news/2005/toll-concedes-company-data-stolen-in-cyber-attack