Back to Intelligence

NOVA Ransomware Gang: 14 New Victims Posted — Sector Targeting Analysis & Detection Rules

SA
Security Arsenal Team
June 25, 2026
10 min read

Threat Actor Profile — NOVA

NOVA emerged in the ransomware ecosystem as a formidable threat actor specializing in multi-sector extortion operations. Based on recent intelligence, the group operates primarily as a Ransomware-as-a-Service (RaaS) platform, enabling affiliates to conduct attacks using their developed toolset while sharing profits.

The group doesn't appear to have widely recognized aliases, operating primarily under the NOVA designation across underground forums and leak sites. Ransom demands typically range from $500,000 to $5 million USD, influenced by victim size, revenue, and data sensitivity.

Initial access methods include exploitation of security vulnerabilities (particularly in VPN solutions, email servers, and remote access tools), phishing campaigns with malicious attachments, and supply chain compromises. Recent campaigns indicate a particular focus on exploiting vulnerabilities in Check Point Security Gateways, ConnectWise ScreenConnect, Microsoft Exchange Server, and Cisco Firewall Management Centers.

NOVA employs a sophisticated double extortion strategy, exfiltrating sensitive data before encrypting systems and threatening public release if ransom demands are not met. Their average dwell time before encryption ranges from 5 to 12 days, providing sufficient time for lateral movement, privilege escalation, and data staging.

Current Campaign Analysis

Based on dark web leak site data from the past week, NOVA has posted 14 new victims, showing a diverse targeting strategy across multiple sectors and geographies.

Targeted Sectors

  • Transportation/Logistics: 4 victims (28.6%) — including transvill, transvill.com.pe, FTL-Fast Transit Line
  • Technology: 2 victims (14.3%) — cloudquantum, Lockers IT
  • Business Services: 2 victims (14.3%) — lpgroup.pt, Hosab
  • Healthcare: 1 victim (7.1%) — MIT HJERTE
  • Manufacturing: 1 victim (7.1%) — Dosab
  • Consumer Services: 1 victim (7.1%) — One Believing Interiors
  • Not Found/Undetermined: 3 victims (21.4%)

Geographic Distribution

The campaign shows a broad geographic footprint:

  • Peru (PE): 2 victims
  • Argentina (AR): 1 victim
  • Portugal (PT): 1 victim
  • Vietnam (VN): 1 victim
  • Saudi Arabia (SA): 1 victim
  • Denmark (DK): 1 victim
  • Unknown Location: 7 victims

Victim Profile and Posting Patterns

Based on industry analysis, the victims appear to be primarily small to medium-sized enterprises with annual revenues ranging from $10 million to $500 million USD. The transportation sector appears to be a particular focus, representing nearly a third of all victims.

Posting patterns show consistent activity with notable spikes on June 20 (5 victims) and June 24 (5 victims), suggesting coordinated operations or multiple affiliates operating simultaneously.

CVE Connections and Initial Access Vectors

Analysis of the actively exploited CVEs associated with NOVA reveals clear connections to their initial access methods:

  • CVE-2026-50751 (Check Point Security Gateway): Likely exploited to gain initial access to organizations with exposed security gateways, particularly in the transportation and logistics sectors where network connectivity is critical.
  • CVE-2026-48027 (Nx Console): May have been used against technology victims (cloudquantum, Lockers IT) through malicious development tools.
  • CVE-2024-1708 (ConnectWise ScreenConnect): This remote access vulnerability explains how NOVA gained access to multiple victims across different sectors and geographies.
  • CVE-2023-21529 (Microsoft Exchange Server): Email server exploitation could provide initial access through phishing emails or direct exploitation.
  • CVE-2026-20131 (Cisco Secure Firewall Management Center): Could explain how NOVA bypassed perimeter defenses in multiple organizations.

Detection Engineering

SIGMA Rules

YAML
---
title: Check Point Security Gateway IKEv1 Key Exchange Exploitation Attempt
id: c0e77b86-3f7b-4e1d-9b7a-8d3e21f0a2b1
description: Detects potential exploitation of CVE-2026-50751 in Check Point Security Gateways
status: experimental
author: Security Arsenal
date: 2026/06/25
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: firewall
    definition: Check Point Security Gateway logs
detection:
    selection:
        event_type: 'IKE_SA'
        protocol: 'IKEv1'
        action: 'accept'
        payload|contains:
            - 'malformed_packet'
            - 'invalid_spi'
    condition: selection
falsepositives:
    - Misconfigured VPN clients
level: critical
---
title: ConnectWise ScreenConnect Path Traversal Exploitation Attempt
id: a1f88c97-4e8c-5f2e-0c8b-9e4f32g1b3c2
description: Detects potential exploitation of CVE-2024-1708 in ConnectWise ScreenConnect
status: experimental
author: Security Arsenal
date: 2026/06/25
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: webserver
    service: iis, apache, nginx
detection:
    selection:
        cs-uri-query|contains:
            - '..\\'
            - '%2e%2e%5c'
            - 'ScreenConnect'
        cs-method: 'GET'
    condition: selection
falsepositives:
    - Legitimate administrators accessing the service
level: high
---
title: Suspicious Lateral Movement via PsExec
id: b2g99d08-5f9d-6g3f-1d9c-0f5g43h2c4d3
description: Detects potential lateral movement using PsExec, commonly associated with ransomware
status: experimental
author: Security Arsenal
date: 2026/06/25
references:
    - https://attack.mitre.org/techniques/T1021/002/
tags:
    - attack.lateral_movement
    - attack.t1021
    - attack.execution
    - attack.t1569
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName: 'IPC$'
        RelativeTargetName|endswith: 'PSEXESVC'
    filter:
        SubjectUserName:
            - 'SYSTEM'
            - 'NETWORK SERVICE'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative activities
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and pre-ransomware staging
// Look for unusual administrative activities and file operations across multiple systems
let TimeFrame = 7d;
let AdminAccounts = datatable(Account:string)["admin", "administrator", "svc_admin"];
// Detection 1: Suspicious service creation across multiple hosts
SecurityEvent
| where TimeGenerated > ago(TimeFrame)
| where EventID in (4624, 4625, 5145, 7045)
| where SubjectUserName in (AdminAccounts) or Account in (AdminAccounts)
| summarize count() by Computer, EventID, Account
| where count_ > 10
| project Computer, EventID, Account, count_
// Detection 2: Unusual file access patterns suggesting data staging
SecurityEvent
| where TimeGenerated > ago(TimeFrame)
| where EventID == 5145
| where ShareName has "C$" or ShareName has "ADMIN$"
| where RelativeTargetName has @".zip" or RelativeTargetName has @".7z" or RelativeTargetName has @".rar"
| summarize count(), make_set(RelativeTargetName) by Computer, SubjectUserName, ShareName
| where count_ > 5
// Detection 3: Multiple failed logins suggesting credential stuffing
SigninLogs
| where TimeGenerated > ago(TimeFrame)
| where Result == "Failure"
| summarize count() by AppDisplayName, UserPrincipalName, Location
| where count_ > 3

PowerShell Response Script

PowerShell
# NOVA Ransomware Rapid Response Hardening Script
# Checks for exposed RDP and enumerates suspicious scheduled tasks added in the last 7 days

# Function to check for exposed RDP
function Check-RDPExposure {
    Write-Host "Checking for exposed RDP connections..." -ForegroundColor Yellow
    $rdpStatus = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'" | Select-Object PortNumber, SettingID
    
    if ($rdpStatus) {
        Write-Host "RDP is enabled on port $($rdpStatus.PortNumber)" -ForegroundColor Red
        $recentConnections = Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" -MaxEvents 100 | 
                             Where-Object {$_.TimeCreated -gt (Get-Date).AddDays(-7)}
        
        if ($recentConnections) {
            Write-Host "Recent RDP connections in the last 7 days:" -ForegroundColor Yellow
            $recentConnections | Format-Table TimeCreated, Message -AutoSize
        } else {
            Write-Host "No recent RDP connections found in the last 7 days" -ForegroundColor Green
        }
        
        # Check if RDP is exposed to the internet
        $firewallRule = Get-NetFirewallRule -DisplayName "Remote Desktop*" | Where-Object {$_.Enabled -eq "True" -and $_.Direction -eq "Inbound"}
        if ($firewallRule) {
            Write-Host "RDP firewall rule(s) are enabled and may allow external access" -ForegroundColor Red
            $firewallRule | Select-Object DisplayName, Enabled, Direction, Profile | Format-Table -AutoSize
        }
    } else {
        Write-Host "RDP is not configured on this system" -ForegroundColor Green
    }
}

# Function to enumerate scheduled tasks added in the last 7 days
function Check-RecentScheduledTasks {
    Write-Host "`nChecking for scheduled tasks created/modified in the last 7 days..." -ForegroundColor Yellow
    $tasks = Get-ScheduledTask
    
    $recentTasks = foreach ($task in $tasks) {
        $taskInfo = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
        if ($taskInfo) {
            $createdDate = $taskInfo.Date
            if ($createdDate -gt (Get-Date).AddDays(-7)) {
                $task | Select-Object TaskName, TaskPath, State, @{Name="Created"; Expression={$createdDate}}
            }
        }
    }
    
    if ($recentTasks) {
        Write-Host "Found $($recentTasks.Count) tasks created/modified in the last 7 days:" -ForegroundColor Red
        $recentTasks | Format-Table -AutoSize
        
        # Get task details for suspicious tasks
        foreach ($task in $recentTasks) {
            $taskAction = Get-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue | 
                          Select-Object -ExpandProperty Actions
            
            if ($taskAction) {
                Write-Host "`nTask: $($task.TaskName)" -ForegroundColor Cyan
                $taskAction | ForEach-Object {
                    if ($_.Execute) {
                        Write-Host "  Executes: $($_.Execute) $($_.Arguments)" -ForegroundColor Yellow
                    }
                }
            }
        }
    } else {
        Write-Host "No scheduled tasks created/modified in the last 7 days" -ForegroundColor Green
    }
}

# Function to check for recently modified Volume Shadow Copies
function Check-ShadowCopies {
    Write-Host "`nChecking for recently modified Volume Shadow Copies..." -ForegroundColor Yellow
    try {
        $shadowCopies = Get-WmiObject Win32_ShadowCopy | 
                       Where-Object {$_.InstallDate -gt (Get-Date).AddDays(-7)}
        
        if ($shadowCopies) {
            Write-Host "Found $($shadowCopies.Count) shadow copies created in the last 7 days:" -ForegroundColor Yellow
            $shadowCopies | Format-Table DeviceObject, VolumeName, InstallDate -AutoSize
        } else {
            Write-Host "No shadow copies created in the last 7 days" -ForegroundColor Green
        }
    } catch {
        Write-Host "Error checking shadow copies: $_" -ForegroundColor Red
    }
}

# Main execution
Write-Host "NOVA Ransomware Rapid Response Hardening Script" -ForegroundColor Magenta
Write-Host "=============================================`n" -ForegroundColor Magenta

Check-RDPExposure
Check-RecentScheduledTasks
Check-ShadowCopies

Write-Host "`nScript completed. Review results above for potential indicators of compromise." -ForegroundColor Cyan

Incident Response Priorities

T-minus Detection Checklist

  • Monitor for exploitation attempts against the CVEs mentioned (particularly CVE-2026-50751 and CVE-2024-1708)
  • Analyze authentication logs for suspicious VPN/RDP connections, especially from unexpected geographical locations
  • Monitor for unusual process execution patterns, particularly command-line tools used for system reconnaissance
  • Check for file system changes indicating potential ransomware precursors (e.g., large file deletions, mass file renaming)
  • Review network traffic for anomalous data transfer volumes, particularly during non-business hours
  • Examine Windows Event Logs for evidence of new service installations or scheduled task creation
  • Monitor for unusual PowerShell activity, especially encoded commands or base64 strings

Critical Assets Historically Prioritized for Exfiltration

  • Customer databases containing personally identifiable information (PII)
  • Financial records, transaction logs, and payment processing systems
  • Intellectual property, trade secrets, and proprietary algorithms
  • Logistics and operational data (particularly for transportation sector victims)
  • Healthcare records and patient information (for healthcare sector victims)
  • Internal documentation, executive communications, and strategic plans
  • Authentication credentials and system access configurations

Containment Actions Ordered by Urgency

  1. Immediate isolation of affected systems from the network to prevent further encryption or exfiltration
  2. Temporarily disable VPN and remote access services while forensic analysis is conducted
  3. Reset credentials for all privileged accounts, especially domain admin and service accounts
  4. Patch all CVEs mentioned in this briefing, prioritizing internet-facing systems
  5. Implement network segmentation to limit lateral movement capabilities
  6. Conduct forensic analysis of affected systems to determine the extent of compromise
  7. Restore critical systems from verified clean backups after ensuring the threat is eradicated
  8. Notify legal counsel and consider reporting to appropriate regulatory authorities if data was exfiltrated

Hardening Recommendations

Immediate (24h)

  • Patch all CVEs mentioned in this briefing, prioritizing CVE-2026-50751 (Check Point Security Gateway) and CVE-2024-1708 (ConnectWise ScreenConnect)
  • Disable VPN/RDP access where not strictly necessary or implement additional authentication layers
  • Implement multi-factor authentication (MFA) for all remote access and privileged accounts
  • Review and immediately restrict privileged account access to essential personnel only
  • Implement network-level monitoring for unusual authentication attempts and data transfers
  • Update all endpoint security signatures and ensure full coverage across the organization

Short-term (2 weeks)

  • Implement network segmentation to limit lateral movement capabilities within the environment
  • Deploy endpoint detection and response (EDR) solutions across all systems with centralized monitoring
  • Conduct a comprehensive security assessment of all external-facing systems and services
  • Implement application allowlisting to restrict execution of unauthorized software
  • Establish a robust backup and recovery plan with regular offline, immutable backups
  • Conduct security awareness training focused on identifying phishing attempts and social engineering
  • Review and update incident response procedures specific to ransomware scenarios
  • Implement user behavior analytics (UBA) to detect anomalous activities that may indicate compromise

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangnovanova-ransomwaretransportation-logisticstechnology-sectorcve-exploitationdouble-extortion

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action