Back to Intelligence

NOVA Ransomware: Critical Infrastructure & Logistics Targeted — Live Campaign Analysis & Countermeasures

SA
Security Arsenal Team
June 26, 2026
8 min read

Intelligence Briefing Date: 2026-06-26
Analyst: Security Arsenal Threat Intel Unit
Source: Ransomware.live / Dark Web Leak Sites

Threat Actor Profile — NOVA

NOVA is a rapidly evolving ransomware-as-a-service (RaaS) operation that has transitioned from a closed-group model to a more aggressive affiliate-based structure. Observed since late 2025, the group distinguishes itself through a focus on "time-critical" targets—sectors where downtime translates to immediate physical or financial peril.

  • Known Aliases: None confirmed (appears to be a rebrand or new independent operation).
  • Ransom Model: Double extortion (encryption + data theft). Demands range from $500k to $5m, typically calculated based on victim revenue and downtime criticality.
  • Initial Access: Heavily reliant on exploiting edge perimeter vulnerabilities, specifically VPN concentrators and firewall management interfaces. The group has also leveraged phishing campaigns delivering malicious macros to gain a foothold when perimeter exploits fail.
  • Dwell Time: Short. NOVA affiliates typically move laterally and detonate payloads within 3–5 days of initial access to minimize defender response windows.

Current Campaign Analysis

Based on the last 100 postings (16 recent victims analyzed), NOVA is executing a highly coordinated campaign targeting supply chain and public safety entities.

Sector Targeting

The victimology shows a distinct pivot toward Transportation/Logistics and Public Sector.

  • High Priority Targets:
    • NSW Rural Fire Service (AU): A critical public safety entity, indicating a willingness to target emergency services.
    • Logistics Cluster: vslmarine (IN), transvill (PE), FTL-Fast Transit Line (BE). This suggests an attempt to disrupt global and regional supply chains.

Geographic Concentration

While NOVA is globally dispersed, there is a significant concentration in the Asia-Pacific (APAC) and South American regions (AU, IN, PE, VN). This implies affiliates may be tailoring language packs or negotiation tactics to these specific locales or exploiting time-zone gaps in SOC response.

CVE Correlation & Initial Access Vectors

Intelligence correlates the recent surge in victims with the active exploitation of the following CISA KEV-listed vulnerabilities:

  1. CVE-2026-50751 (Check Point Security Gateway): This improper authentication vulnerability in IKEv1 is likely the primary vector for the APAC and logistics victims. Many logistics firms rely on legacy VPN configurations (IKEv1) for compatibility with older shipping scanners and industrial IoT devices.
  2. CVE-2026-20131 (Cisco Secure Firewall FMC): Exploitation allows attackers to bypass authentication and modify firewall policies, effectively disabling defenses before lateral movement begins.
  3. CVE-2024-1708 (ConnectWise ScreenConnect): Used for persistent access. NOVA actors frequently patch the vulnerability themselves to maintain exclusive access while backdooring the service.

Escalation Patterns

The posting frequency (4 victims on 2026-06-26) indicates an "automation push" where affiliates are encrypting batches of victims simultaneously. The jump from Business Services (lpgroup.pt) to Critical Infrastructure (NSW Rural Fire Service) suggests a severity escalation in targeting.

Detection Engineering

The following detection logic is derived from NOVA's observed TTPs: Edge perimeter exploitation, ScreenConnect abuse, and rapid data staging prior to encryption.

YAML
---
title: Potential NOVA Ransomware Check Point IKEv1 Exploitation
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: |
  Detects potential exploitation of CVE-2026-50751 involving IKEv1 key exchange anomalies 
  followed by administrative shell access or unusual process execution on the gateway.
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/26
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.50751
logsource:
  product: checkpoint
  service: vpn
detection:
  selection:
    IKEVersion|contains: 'IKEv1'
    Action|contains: 'key_exchange'
  filter_legit:
    SrcIpIn:
      - '10.0.0.0/8'
      - '192.168.0.0/16'
      - '172.16.0.0/12'
  condition: selection and not filter_legit
falsepositives:
  - Legacy VPN clients from trusted partners
level: high
---
title: ScreenConnect Path Traversal Exploitation (CVE-2024-1708)
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: |
  Detects web request patterns associated with the exploitation of ScreenConnect path traversal 
  vulnerabilities often used by NOVA for persistent access.
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/26
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2024.1708
logsource:
  product: web server
  service: iis, apache, nginx
detection:
  selection_uri:
    cs-uri-query|contains:
      - '..\'
      - '%2e%2e%5c'
      - 'App_Extensions'
  selection_ua:
    cs-user-agent|contains: 'ScreenConnect'
  condition: all of selection_*
falsepositives:
  - ScreenConnect administrative misconfigurations (rare)
level: critical
---
title: NOVA Pattern Rapid Data Staging with Rclone or WinRAR
id: b1c2d3e4-f5a6-b7c8-d9e0-f1a2b3c4d5e6
status: experimental
description: |
  NOVA actors frequently use WinRAR or Rclone for rapid data exfiltration/staging 
  immediately prior to encryption. This rule detects the archiving of large 
  volumes of data to hidden folders or external drives.
references:
  - Internal Threat Intel Analysis
author: Security Arsenal Research
date: 2026/06/26
tags:
  - attack.collection
  - attack.exfiltration
  - attack.t1560
logsource:
  category: process_creation
  product: windows
detection:
  selection_tools:
    Image|endswith:
      - '\rclone.exe'
      - '\WinRAR.exe'
      - '\rar.exe'
  selection_flags:
    CommandLine|contains:
      - 'sync '
      - 'copy '
      - 'a -r' # WinRAR recursive add
  selection_dest:
    CommandLine|contains:
      - '/dev/null' # Common in script blocks
      - 'C:\\Temp\\'
      - 'D:\$RECYCLE.BIN'
      - '\\192.168.' # Internal IP exfil
  condition: all of selection_*
falsepositives:
  - Legitimate system backups
level: high

KQL (Microsoft Sentinel)

Hunt for lateral movement indicators associated with NOVA's use of Cobalt Strike and native tools for discovery.

KQL — Microsoft Sentinel / Defender
// NOVA Ransomware Lateral Movement Hunt
// Looks for PsExec/WMI execution combined with network connections to non-standard ports
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ('psexec.exe', 'psexec64.exe', 'wmic.exe', 'powershell.exe')
| where ProcessCommandLine has_any ('-accepteula', 'process call create', 'Invoke-Command')
| join kind=inner (DeviceNetworkEvents
    | where Timestamp > ago(TimeFrame)
    | where RemotePort in (445, 135, 5985, 4444) // 4444 common Cobalt Strike
) on DeviceId, InitiatingProcessGuid
| project Timestamp, DeviceName, FileName, ProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
| summarize count() by DeviceName, FileName, RemoteIP
| order by count_ desc

PowerShell Rapid Response

Use this script on endpoints to identify indicators of NOVA pre-encryption activity (scheduled task manipulation and shadow copy destruction).

PowerShell
<#
.SYNOPSIS
    NOVA Ransomware Indicator Hunter
.DESCRIPTION
    Checks for recently created scheduled tasks (common NOVA persistence) 
    and attempts to detect vssadmin deletion commands.
#>

Write-Host "[+] Hunting for NOVA Indicators..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in last 7 days
$suspiciousTasks = Get-ScheduledTask | Where-Object { 
    $_.Date -gt (Get-Date).AddDays(-7) -and 
    $_.Author -notmatch 'Microsoft' -and 
    $_.TaskName -notmatch 'GoogleUpdate|Adobe|UpdateTask'
}

if ($suspiciousTasks) {
    Write-Host "[ALERT] Found recently created tasks potentially used for persistence:" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, Author, Date, Action | Format-List
} else {
    Write-Host "[INFO] No suspicious recent scheduled tasks found." -ForegroundColor Green
}

# 2. Check Event Logs for Shadow Copy Deletion attempts
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'vssadmin.exe' -and $_.Message -match 'delete shadows' }

if ($vssEvents) {
    Write-Host "[ALERT] Shadow Copy Deletion Activity Detected:" -ForegroundColor Red
    $vssEvents | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "[INFO] No Shadow Copy deletion events found in the last 24h." -ForegroundColor Green
}


---

Incident Response Priorities

NOVA moves fast. If IOCs are found, assume detonation is imminent or has already occurred.

T-Minus Detection Checklist

  1. VPN Audit: Immediately review Check Point VPN logs for successful IKEv1 connections from foreign IPs correlating to the CVE-2026-50751 signature.
  2. RMM Hygiene: Audit ConnectWise ScreenConnect logs for path traversal attempts or logins from unusual geo-locations. Force-reset all MFA for RMM accounts.
  3. Process Monitoring: Hunt for rclone.exe or 7z.exe running under svchost.exe or explorer.exe parent processes.

Critical Assets at Risk

Based on victim profiling, NOVA prioritizes exfiltration of:

  • Logistics Databases: Manifests, shipment tracking data, and customer PII.
  • Public Sector Records: Emergency response logs, CAD data, and resident databases.
  • Financials: payroll and tax files (W-2/TFN).

Containment Actions (Order of Urgency)

  1. Isolate: Disconnect identified compromised hosts from the network immediately; do not shutdown (preserve RAM artifacts for forensics if possible).
  2. Block VPN: Block all non-corporate IP ranges at the firewall and temporarily disable IKEv1 in favor of IKEv2 where supported.
  3. Suspend Access: Suspend service accounts associated with Check Point and Cisco FMC management.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical Perimeter: Apply patches for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC) immediately. If patching is not possible, enforce strict Geo-IP blocking on VPN interfaces and disable IKEv1.
  • ScreenConnect Hardening: Update ScreenConnect to the latest patched version. Enforce Multi-Factor Authentication (MFA) for all internal and external access.
  • User Awareness: Alert logistics and public sector teams to the heightened phishing risk.

Short-term (2 Weeks)

  • Network Segmentation: Implement strict Zero Trust segmentation for Logistics and OT networks. Ensure VPN users only have access to the specific resources required, not full network visibility.
  • EDR Expansion: Deploy EDR agents to all VPN concentrators and jump servers to detect process execution on these critical perimeter devices.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangnovanova-ransomwaretransportation-logisticspublic-sectorcheck-point-vpnscreenconnect

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action