Nikpol Hit by RansomHub Ransomware Exposing Sensitive Data
Incident Date: September 18, 2024
Overview
Title: Nikpol Hit by RansomHub Ransomware Exposing Sensitive Data
Victim: Nikpol
Attacker: RansomHub
Location:
First Reported: September 18, 2024
RansomHub Ransomware Attack on Nikpol
Nikpol, an Australian company specializing in hardware, decorative surfaces, and appliances for the renovation, RV, and building industries, has reportedly been targeted by the RansomHub ransomware group. On September 18, 2024, RansomHub listed the company on its darknet leak site, providing only a brief description and setting a seven-day deadline for payment, though no specific ransom amount was disclosed.
About Nikpol
Established in 1978 by Nick and Poly Nikolakakis, Nikpol has grown from a modest two-person operation into a significant player in the market, employing over 140 staff across three locations in Australia. The company is known for its high-quality materials and innovative design, often collaborating with leading European manufacturers such as Grass, Egger, Motivi, Renolit, and Metakor. Nikpol's commitment to sustainability and environmentally friendly practices further distinguishes it in the industry.
Attack Overview
The attackers claim to have exfiltrated internal documents, including annual financial budgets, bank account details, company credit card information, and tax residency declarations. Contracts with several other Australian organizations, such as a Melbourne-based immigration law firm, are also allegedly among the compromised data. Additionally, a significant amount of employee information appears to have been breached, including annual PAYG statements containing home addresses, tax file numbers, salaries, superannuation payments, and salary sacrifice arrangements. In some cases, details of employees' child support payments have been exposed. Nikpol has yet to comment on the alleged ransomware attack.
About RansomHub
RansomHub, a Ransomware-as-a-Service (RaaS) group, first appeared in February 2024. It quickly carved a place in the ransomware landscape by adopting a highly adaptable and aggressive affiliate model. Its primary aim is financial gain, achieved through double extortion: encrypting victims' data and exfiltrating sensitive information for additional leverage in ransom demands. The group is known for its speed and efficiency, targeting large enterprises with valuable data and critical operations.
Penetration Methods
RansomHub affiliates primarily use phishing campaigns, exploitation of vulnerabilities (particularly in unpatched systems such as Citrix ADC and FortiOS), and password spraying. The group has also leveraged zero-day vulnerabilities. By exploiting these vulnerabilities, RansomHub has built an agile operation, making it a formidable threat to organizations worldwide.