Hunters International Claims 761.8GB Exfiltrated in Nikki-Universal Ransomware Attack
Nikki-Universal Co. Ltd., a leading chemical manufacturer, has confirmed that it suffered a ransomware attack by the Hunters International group, Cybersecurity News reports.
The attack, which occurred on December 22, involved the encryption of some server data and the alleged exfiltration of 761.8 GB of files, including 476,342 documents. Hunters International has set a ransom deadline of January 10, 2025, threatening to leak the stolen data if their demands are not met.
Nikki-Universal’s swift acknowledgment and investigation of the incident reflect the urgency of addressing the growing cybersecurity threats businesses face. Double and triple extortion tactics, like encrypting data and threatening to release sensitive information, highlight the evolving methods attackers employ.
The incident occurs amidst a global rise in ransomware cases, with India reporting a 55% increase in such attacks in 2024, signaling an alarming trend.
Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, Hunters International, a ransomware-as-a-service (RaaS) group, emerged in October 2023, following the takedown of the Hive ransomware group by law enforcement earlier that year.
Leveraging Hive's advanced infrastructure, the group has built a sophisticated platform that combines data exfiltration and double extortion tactics, evolving its methods to enhance efficiency and pressure on victims.
The group’s latest variant embeds the decryption key within encrypted files, a shift from earlier practices of storing keys separately. This streamlined approach aligns with common ransomware techniques, simplifying decryption while maintaining leverage over victims.
Initially casting a wide net, Hunters International has refined its targeting to focus on sectors with high ransom potential, including healthcare, financial services, and critical infrastructure—industries where rapid recovery and sensitive data handling often compel victims to pay.
Hunters International gains initial access through phishing emails, social engineering, supply chain attacks, and exploiting Remote Desktop Protocol (RDP). They use tools like Mimikatz for credential harvesting, SoftPerfect network scanner to identify targets, and PsExec for lateral movement. To ensure persistence, they create domain accounts and deploy measures like deleting shadow copies to prevent system restoration.
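For defenders, the persistence and anti-recovery behaviours listed above (PsExec lateral movement, new domain accounts, shadow-copy deletion) each leave a distinct Windows event. The following is an added illustration, not code from the original post or from Halcyon: a small rule set run over constructed sample events shaped like Windows Security (4688, 4720) and System (7045) records, with all hostnames, users and timestamps invented. It also shows why correlating two hits on one host is a stronger escalation signal than any single alert.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on Windows log fields; nothing here is real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-12-22T01:02:11", "host": "FS01", "id": 4688,
     "cmd": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-12-22T01:03:40", "host": "FS01", "id": 7045,
     "service": "PSEXESVC", "path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-12-22T01:05:02", "host": "DC01", "id": 4720,
     "target_user": "svc_backup2", "subject_user": "CORP\\jdoe"},
    {"ts": "2024-12-22T09:15:00", "host": "WS07", "id": 4688,
     "cmd": "C:\\Windows\\System32\\notepad.exe"},
    {"ts": "2024-12-22T09:16:00", "host": "WS07", "id": 7045,
     "service": "Spooler", "path": "%SystemRoot%\\System32\\spoolsv.exe"},
]

# Each rule: (name, MITRE ATT&CK label, predicate over one event dict)
RULES = [
    ("shadow-copy-deletion", "T1490 Inhibit System Recovery",
     lambda e: e["id"] == 4688
     and re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", e.get("cmd", ""), re.I)),
    ("psexec-service-install", "T1021.002 SMB/Windows Admin Shares (PsExec)",
     lambda e: e["id"] == 7045 and e.get("service", "").upper().startswith("PSEXESVC")),
    ("new-domain-account", "T1136.002 Create Account: Domain Account",
     lambda e: e["id"] == 4720 and "target_user" in e),
]

def match_events(events):
    """Return (rule_name, technique, host, ts) for every event that trips a rule."""
    hits = []
    for e in events:
        for name, technique, pred in RULES:
            if pred(e):
                hits.append((name, technique, e["host"], e["ts"]))
    return hits

def hosts_with_chain(events, min_rules=2):
    """Hosts that trip at least `min_rules` distinct rules. Shadow-copy deletion plus a
    PsExec service install on the same host reads as pre-encryption staging, so it is
    worth escalating ahead of any single alert."""
    per_host = defaultdict(set)
    for name, _, host, _ in match_events(events):
        per_host[host].add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_rules)

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(hit)
    print("escalate:", hosts_with_chain(SAMPLE_EVENTS))
```

In a real pipeline the predicates would run over parsed EVTX or SIEM records; the event IDs and the PSEXESVC service name are the stable parts, the field names are this example's own.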
In mid-2024, the group introduced a new Remote Access Trojan (RAT) named SharpRhino, written in C#. Delivered via typosquatting domains mimicking legitimate tools like Angry IP Scanner, SharpRhino provides attackers with remote access and persistence.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.