Nikpol Hit by RansomHub Ransomware Exposing Sensitive Data
RansomHub Ransomware Attack on Nikpol
Nikpol, an Australian company specializing in hardware, decorative surfaces, and appliances for the renovation, RV, and building industries, has reportedly been targeted by the RansomHub ransomware group. On September 18, 2024, RansomHub listed the company on its darknet leak site, providing only a brief description and setting a seven-day deadline for payment, though no specific ransom amount was disclosed.
About Nikpol
Established in 1978 by Nick and Poly Nikolakakis, Nikpol has grown from a modest two-person operation into a significant player in the market, employing over 140 staff across three locations in Australia. The company is known for its high-quality materials and innovative design, often collaborating with leading European manufacturers such as Grass, Egger, Motivi, Renolit, and Metakor. Nikpol's commitment to sustainability and environmentally friendly practices further distinguishes it in the industry.
Attack Overview
The attackers claim to have exfiltrated internal documents, including annual financial budgets, bank account details, company credit card information, and tax residency declarations. Contracts with several other Australian organizations, such as a Melbourne-based immigration law firm, are also allegedly among the compromised data. Additionally, a significant amount of employee information appears to have been breached, including annual PAYG statements containing home addresses, tax file numbers, salaries, superannuation payments, and salary sacrifice arrangements. In some cases, details of employees' child support payments have been exposed. Nikpol has yet to comment on the alleged ransomware attack.
About RansomHub
RansomHub, a Ransomware-as-a-Service (RaaS) group, first appeared in February 2024. It quickly carved out a place in the ransomware landscape by adopting a highly adaptable and aggressive affiliate model. Its primary aim is financial gain, achieved through double extortion: encrypting victims' data and exfiltrating sensitive information for additional leverage in ransom demands. The group is known for its speed and efficiency, targeting large enterprises with valuable data and critical operations.
Penetration Methods
RansomHub affiliates primarily use phishing campaigns, vulnerability exploitation (particularly of unpatched systems such as Citrix ADC and FortiOS), and password spraying. The group has also leveraged zero-day vulnerabilities. Through these methods, RansomHub has built an agile operation, making it a formidable threat to organizations worldwide.
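Password spraying, one of the initial-access methods named above, is detectable in authentication logs because it inverts the usual brute-force pattern: one source tries a few passwords against many accounts rather than many passwords against one. The following is an added example, not code from the page or from Halcyon, that runs a simple spray detector over constructed log lines in an assumed `<timestamp> <FAIL|OK> user=<name> src=<ip>` format. It flags a source only when it fails against at least `min_accounts` distinct accounts inside a time window with no more than `max_per_account` attempts each, so a single-account brute force is not reported as a spray, and it lists any later successful login from that source on a sprayed account, which is the case that needs immediate response.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data): one spraying source, one single-account
# brute force, and one legitimate user who mistyped a password twice.
SAMPLE_LOG = """\
2024-09-17T02:00:01Z FAIL user=alice src=203.0.113.9
2024-09-17T02:00:04Z FAIL user=bob src=203.0.113.9
2024-09-17T02:00:07Z FAIL user=carol src=203.0.113.9
2024-09-17T02:00:10Z FAIL user=dave src=203.0.113.9
2024-09-17T02:00:13Z FAIL user=erin src=203.0.113.9
2024-09-17T02:00:16Z FAIL user=frank src=203.0.113.9
2024-09-17T02:31:00Z OK user=frank src=203.0.113.9
2024-09-17T02:05:00Z FAIL user=admin src=198.51.100.7
2024-09-17T02:05:05Z FAIL user=admin src=198.51.100.7
2024-09-17T02:05:10Z FAIL user=admin src=198.51.100.7
2024-09-17T02:05:15Z FAIL user=admin src=198.51.100.7
2024-09-17T02:05:20Z FAIL user=admin src=198.51.100.7
2024-09-17T02:05:25Z FAIL user=admin src=198.51.100.7
2024-09-17T02:10:00Z FAIL user=gina src=192.0.2.5
2024-09-17T02:10:20Z FAIL user=gina src=192.0.2.5
2024-09-17T02:10:40Z OK user=gina src=192.0.2.5
"""

# Assumed log line layout; adapt the pattern to the real authentication source.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_password_spray(lines, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Map each spraying source IP to the accounts it touched and any later
    successful logins on those accounts from the same source."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        # Slide a window over this source's failures, anchored at each failure.
        for i, start in enumerate(fails):
            end = start["ts"] + window
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["ts"] > end:
                    break
                per_user[e["user"]] += 1
            # Spray signature: many accounts, few attempts per account.
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits = sorted({e["user"] for e in evs
                               if e["result"] == "OK" and e["user"] in per_user
                               and e["ts"] >= start["ts"]})
                findings[src] = {"accounts": sorted(per_user), "successful_logins": hits}
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: sprayed {info['accounts']}, later logins {info['successful_logins']}")
```

The thresholds are deliberately conservative defaults; tune `min_accounts` and `window` to the size of the directory and the normal failure rate, and feed the detector from the identity provider or VPN gateway logs rather than a single host, since a spray is only visible when failures across many accounts are correlated in one place.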