NOVA Ransomware: Critical Infrastructure Surge — Check Point & Cisco Exploits Detected

Date: 2026-06-25 Analyst: Principal Security Engineer, Security Arsenal Source: Ransomware.live / Dark Web Leak Site telemetry

Threat Actor Profile — NOVA

Aliases & Affiliation: While historically quiet, NOVA has emerged as a prolific RaaS (Ransomware-as-a-Service) operator in 2026. While no direct overlap with legacy gangs (like LockBit or Conti) has been confirmed, their code structure shares lineage with the Rust-based encryptors prevalent in late 2025.

Operational Model: NOVA operates strictly as a RaaS. They recruit affiliates via Russian-language forums, offering a flexible revenue share model (typically 80/20). Recent data suggests they have aggressively onboarded affiliates specializing in perimeter exploitation rather than traditional phishing.

Tactics & Procedures:

• Initial Access: Heavily reliant on exploiting edge network appliances. Recent campaigns strongly correlate with CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC).
• Ransom Demands: Variable, ranging from $500k for mid-market logistics firms to $5M+ for healthcare targets. Payment is strictly demanded in Monero (XMR).
• Double Extortion: NOVA exfiltrates data prior to encryption. They utilize a custom exfiltration tool, "NovaLeak," which uploads stolen archives via MEGA and anonymous FTP servers.
• Dwell Time: Estimated 3–5 days. The posting frequency (1–2 victims daily) suggests a high-speed automation pipeline for data theft and encryption.

Current Campaign Analysis

Targeted Sectors: NOVA has pivoted sharply toward Transportation/Logistics and Technology. Victims like transvill, FTL-Fast Transit Line, and Lockers IT indicate a deliberate focus on supply chain and service continuity targets. Healthcare (MIT HJERTE) and Manufacturing (Dosab) remain secondary targets of opportunity.

Geographic Concentration: The campaign shows a distinct clustering in South America (Peru, Argentina) and Europe (Portugal, Denmark), with isolated hits in Vietnam and Saudi Arabia. This suggests the affiliate group is likely operating in a time zone compatible with CET or LATAM, or specifically exploiting regional misconfigurations in Check Point/Cisco appliances common in these regions.

Victim Profile: Targets are primarily mid-to-large enterprises ($50M - $500M revenue range). The inclusion of lpgroup.pt and alejandria.biz indicates NOVA targets holding companies and business service providers to gain access to broader downstream networks.

Escalation Patterns: Posting frequency has increased to ~2 victims per day over the last 72 hours. This escalation correlates directly with the mass-exploitation period following the addition of CVE-2026-50751 to the CISA KEV list on 2026-06-08.

CVE Connection: There is a high-confidence correlation between the recent victim surge and the exploitation of:

1. CVE-2026-50751 (Check Point Security Gateway): Primary vector for the Logistics victims (e.g., transvill.com.pe).
2. CVE-2026-20131 (Cisco FMC): Likely used against Technology and Business Service sectors managing hybrid cloud environments.

Detection Engineering

Sigma Rules

---
title: Potential Check Point Gateway IKEv1 Exploitation (CVE-2026-50751)
id: 123e4567-e89b-12d3-a456-426614174000
description: Detects potential exploitation attempts of CVE-2026-50751 involving abnormal IKEv1 packet floods or authentication bypass attempts on Check Point Security Gateways.
status: experimental
author: Security Arsenal
date: 2026/06/25
tags:
  - attack.initial_access
  - cve.2026.50751
logsource:
  product: firewall
  service: check_point
detection:
  selection:
    product: 'VPN-1 & FireWall-1'
    action: 'accept' or 'drop'
    protocol: 'ike'
    ike_version: 'v1'
  filter_legit_traffic:
    src_ip:
      - '192.168.0.0/16'
      - '10.0.0.0/8'
      - '172.16.0.0/12'
  condition: selection and not filter_legit_traffic | count() > 100
falsepositives:
  - Legitimate high-volume VPN re-keying storms
level: high
---
title: Cisco FMC Deserialization Exploit Attempt (CVE-2026-20131)
id: 987e6543-e21b-43d3-a456-426614174999
description: Detects suspicious HTTP requests targeting Cisco FMC indicating potential deserialization attacks.
status: experimental
author: Security Arsenal
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
date: 2026/06/25
tags:
  - attack.initial_access
  - cve.2026.20131
logsource:
  product: cisco
  service: fmc
detection:
  selection_uri:
    c-uri|contains: '/api/fmc_config/v1/domain/'
  selection_method:
    c-method: 'POST'
  selection_payload:
    cs-bytes|gt: 1000
  condition: selection_uri and selection_method and selection_payload
falsepositives:
  - Legitimate bulk configuration changes via API
level: critical
---
title: NOVA Ransomware Lateral Movement Indicators
id: abcdef12-3456-7890-abcd-ef1234567890
description: Detects patterns of lateral movement commonly observed in NOVA ransomware attacks, specifically the use of PsExec and WMI for deployment.
status: experimental
author: Security Arsenal
date: 2026/06/25
tags:
  - attack.lateral_movement
  - attack.execution
logsource:
  product: windows
  service: security
detection:
  selection_psexec:
    EventID: 5145
    ShareName: '\\*\IPC$'
    RelativeTargetName|endswith: 'PSEXESVC'
  selection_wmi:
    EventID: 4688
    NewProcessName|contains:
      - 'wmiprvse.exe'
      - 'svchost.exe'
    CommandLine|contains:
      - 'process call create'
      - 'Invoke-WmiMethod'
  condition: 1 of selection_*
falsepositives:
  - Administrative troubleshooting
level: high

KQL (Microsoft Sentinel)

// Hunt for NOVA Ransomware Pre-Encryption Staging
// Looks for rapid mass file encryption and VSS shadow deletion attempts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("cmd.exe", "powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("vssadmin", "wbadmin", "bcdedit")
| where ProcessCommandLine has_any ("delete", "shadowcopy", "quiet")
| extend HostName = DeviceName
| project Timestamp, HostName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

PowerShell Response Script

<#
.SYNOPSIS
    NOVA Ransomware Hardening & Audit Script
.DESCRIPTION
    Checks for signs of NOVA activity (RDP brute force, new scheduled tasks) 
    and applies immediate hardening to perimeter vulnerabilities.
#>

# Audit Scheduled Tasks created in last 7 days (Common persistence)
Write-Host "[+] Auditing Scheduled Tasks created in last 7 days..."
Get-ScheduledTask | Where-Object {
    $_.Date -gt (Get-Date).AddDays(-7)
} | Select-Object TaskName, TaskPath, Date, Author | Format-Table -AutoSize

# Check for suspicious RDP logs (Brute Force)
Write-Host "[+] Checking for RDP Brute Force signs (Event ID 4625)..."
$rdpFailures = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 100 -ErrorAction SilentlyContinue
if ($rdpFailures) {
    $rdpFailures | Group-Object -Property Message | Where-Object {$_.Count -gt 5} | Select-Object Count, Name
}

# Check for Check Point VPN service status (CVE-2026-50751)
Write-Host "[+] Checking Check Point VPN Service Status..."
$cpService = Get-Service -Name "VPNT" -ErrorAction SilentlyContinue
if ($cpService) {
    Write-Host "Check Point Service Status: $($cpService.Status)"
} else {
    Write-Host "Check Point Service not found on this host."
}

# System Hardening: Disable RDP if not required (Safety commented out - remove # to execute)
# Write-Host "[!] Disabling RDP..."
# Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -Value 1


---

Incident Response Priorities

T-Minus Detection Checklist:

1. Perimeter Logs: Immediately review Check Point and Cisco FMC logs for spikes in IKEv1 requests or anomalous API POSTs to /api/fmc_config.
2. ScreenConnect Audit: Verify if CVE-2024-1708 (ConnectWise) was used as a secondary entry point. Look for unexpected Web.config modifications on ScreenConnect servers.
3. RMM Tools: Hunt for illegitimate use of RMM tools (ScreenConnect, AnyDesk, Supremo) spawned by svchost.exe or explorer.exe.

Critical Assets for Exfiltration: NOVA affiliates prioritize exfiltrating Operational Technology (OT) schedules (for Logistics) and HR/Payroll databases (for Business Services). Encryptors specifically target SQL Server .mdf and .ldf files.

Containment Actions (Ordered by Urgency):

1. Isolate VPN Concentrators: Disconnect Check Point and Cisco management interfaces from the internet immediately if patching is not confirmed.
2. Disable Remote Access: Temporarily disable RDP and ScreenConnect services across the enterprise until credentials are reset.
3. Revoke Keys: Rotate all API keys used for Cisco FMC and Check Point management immediately.

Hardening Recommendations

Immediate (24 Hours):

• Patch CVE-2026-50751: Apply the latest Check Point Hotfix. If patching is delayed, disable IKEv1 globally and enforce strict IKEv2-only policies.
• Patch CVE-2026-20131: Update Cisco Secure Firewall Management Center to the patched version immediately.
• MFA Enforcement: Enforce phishing-resistant MFA on all VPN and management plane interfaces.

Short-Term (2 Weeks):

• Network Segmentation: Isolate OT/Logistics networks from corporate IT domains. NOVA uses lateral movement to jump from IT to OT.
• Zero Trust Architecture: Implement local firewall rules (GPO) to block PsExec (TCP 445/SMB) and WMI usage from endpoints to servers unless explicitly authorized.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub