Threat Actor Profile — NOVA
Aliases & Structure: NOVA operates as a Ransomware-as-a-Service (RaaS) entity with a decentralized affiliate network. Recent postings indicate a shift toward aggressive "big game hunting" alongside high-volume targeting of mid-market logistics entities.
Modus Operandi:
- Initial Access: NOVA affiliates demonstrate a high proficiency in exploiting network perimeter vulnerabilities. The current campaign heavily leverages CVE-2026-50751 (Check Point Security Gateway) and CVE-2026-20131 (Cisco Secure Firewall FMC) to bypass border defenses.
- Double Extortion: The group exfiltrates sensitive data prior to encryption. Victim leak sites indicate a retention period of 3-5 days before data is published if ransom is not met.
- Dwell Time: Intelligence suggests an average dwell time of 3-7 days, utilized for lateral movement and credential dumping before detonation.
Current Campaign Analysis
Sector Targeting: The latest batch of 16 victims reveals a distinct pivot toward Transportation/Logistics (vslmarine, transvill, FTL-Fast Transit Line) and Public Sector entities (NSW Rural Fire Service). This suggests affiliates are targeting critical infrastructure and logistics chains to maximize operational pressure for ransom payment.
Geographic Concentration: NOVA is operating globally with no singular regional focus. Recent victims span Australia (AU), India (IN), Peru (PE), Argentina (AR), Portugal (PT), Colombia (CO), Belgium (BE), and Vietnam (VN). This dispersion suggests a "spray and pray" vulnerability scanning approach followed by manual exploitation.
CVE & Attack Vector Correlation: The inclusion of CVE-2026-50751 (Check Point IKEv1) and CVE-2026-20131 (Cisco FMC) in the CISA KEV list directly correlates with NOVA's recent victimology. Organizations relying on VPN concentrators and firewall management interfaces without MFA or strict network segmentation are primary targets. The exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) also indicates continued use of remote management software as a secondary entry point.
Detection Engineering
SIGMA Rules
---
title: Potential NOVA Ransomware Check Point IKEv1 Exploit
id: d6a3b1c8-9f2a-4b5c-8e1d-2f3a4b5c6d7e
description: Detects potential exploitation of CVE-2026-50751 involving IKEv1 authentication bypass attempts on Check Point Security Gateways.
status: experimental
date: 2026/06/28
author: Security Arsenal Research
logsource:
  product: firewall
  definition: Check Point Security Gateway logs
detection:
  selection:
    product: 'Check Point'
    service: 'ike'
    action: 'key_exchange'
    ike_version: '1'
  filter:
    src_ip|startswith:
      - '10.'
      - '192.168.'
  condition: selection and not filter
falsepositives:
  - Legitimate IKEv1 VPN connections from internal networks
level: high
---
title: Suspicious Cisco FMC Process Execution
id: e7b4c2d9-0a3b-5c6d-9f2e-3a4b5c6d7e8f
description: Detects exploitation attempts of CVE-2026-20131 via suspicious process execution related to Cisco FMC deserialization vulnerabilities.
status: experimental
date: 2026/06/28
author: Security Arsenal Research
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
  product: cisco
  service: fmc
detection:
  selection:
    process|contains:
      - 'sh'
      - 'bash'
      - 'python'
    parent_process|contains: 'java'
  condition: selection
falsepositives:
  - Administrative troubleshooting via FMC CLI
level: critical
---
title: Ransomware Lateral Movement via PsExec
id: f8c5d3e0-1b4c-6d7e-0a3f-4b5c6d7e8f9a
description: Detects the use of PsExec for lateral movement, a common technique used by NOVA affiliates post-initial access.
status: experimental
date: 2026/06/28
author: Security Arsenal Research
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5145
    ShareName|contains: 'ADMIN$'
    RelativeTargetName|contains: 'PSEXESVC'
  condition: selection
falsepositives:
  - Legitimate administrative software deployment
level: high
KQL (Microsoft Sentinel)
// Hunt for NOVA lateral movement and staging indicators
// Correlates remote-execution tooling (PsExec / WMIC) with archiving or backup-tampering
// binaries appearing on the same device inside the time frame
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// PsExec.exe carries the original file name "psexec.c" in its version info; the service binary is psexesvc.exe
| where ProcessVersionInfoOriginalFileName in~ ("psexec.c", "psexec.exe", "psexesvc.exe", "wmic.exe")
    or ProcessCommandLine contains "-accepteula"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(TimeFrame)
    // Archiving and backup-deletion tools written to disk on the same host
    | where FileName in~ ("rar.exe", "7z.exe", "winzip.exe", "vssadmin.exe", "wbadmin.exe")
    | project DeviceName, FileName, FolderPath
) on DeviceName
| summarize count() by DeviceName, bin(Timestamp, 10m)
| order by count_ desc
PowerShell Response Script
<#
.SYNOPSIS
NOVA Ransomware Hardening & Audit Script
.DESCRIPTION
Checks for signs of NOVA TTPs: recent scheduled tasks, RDP exposure,
and unusual service installations (PsExec). Run from an elevated prompt.
#>
Write-Host "[+] Starting NOVA Gang Hardening Audit..." -ForegroundColor Cyan
# 1. Check for recent Scheduled Tasks (Persistence)
Write-Host "`n[*] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow
$DateCutoff = (Get-Date).AddDays(-7)
# The Date property of a scheduled task is a string (and may be empty), so cast it before comparing
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt $DateCutoff } |
    Select-Object TaskName, Author, Date, State
# 2. Audit RDP Connections (Lateral Movement)
Write-Host "`n[*] Auditing recent RDP connections..." -ForegroundColor Yellow
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($Events) {
    # Logon Type 10 = RemoteInteractive (RDP)
    $Events | Where-Object {$_.Message -match 'Logon Type:\s*10'} | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host "No recent RDP events found or access denied."
}
# 3. Check for PsExec Service Artifacts
Write-Host "`n[*] Checking for PsExec service artifacts..." -ForegroundColor Yellow
$Service = Get-Service -Name "PSEXESVC" -ErrorAction SilentlyContinue
if ($Service) {
    Write-Host "[!] ALERT: PSEXESVC found. Status: $($Service.Status)" -ForegroundColor Red
} else {
    Write-Host "[+] No PSEXESVC detected."
}
# 4. Check Shadow Copy Status (an empty list on a host that normally has shadow copies is suspicious)
Write-Host "`n[*] Checking Volume Shadow Copy Storage..." -ForegroundColor Yellow
vssadmin list shadows
Write-Host "`n[+] Audit Complete." -ForegroundColor Green
Incident Response Priorities
Based on NOVA's observed playbook, IR teams should execute the following T-minus actions immediately upon suspicion of compromise:
- Isolate VPN Concentrators: If Check Point or Cisco devices are in use, segment the management interfaces from the internal network immediately. Assume credentials stored on these devices are compromised.
- Terminate Remote Sessions: Kill all active RDP, ScreenConnect, and SSH sessions originating from external IPs.
- Hunt for Staging: Look for large ZIP/RAR archives created on file shares (common exfil staging for NOVA). Check for vssadmin.exe delete shadows execution in EDR logs.
- Credential Reset: Force a password reset for all service accounts and local administrators on endpoints within the compromised VLAN.
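The staging hunt described above, as an added example that is not part of the original report or its response script: one function scans the given file shares for large, recently created ZIP/RAR/7z archives, and a second reads Security event 4688 for shadow-copy or backup-catalog deletion commands. The share paths are placeholders, and the 4688 check assumes process-creation auditing with command-line logging is enabled on the host; without it, the CommandLine field is empty and nothing will match.

```powershell
<#
.SYNOPSIS
Hunts for the two staging indicators from the IR priorities: large archives
recently written to file shares, and shadow-copy / backup deletion commands
recorded in Security event 4688.
Added example; share paths are placeholders and 4688 command-line auditing is assumed.
#>
function Find-StagingArchives {
    param(
        [Parameter(Mandatory)][string[]]$SharePath,   # e.g. '\\FILESRV01\Finance' (placeholder)
        [int]$MinSizeMB = 100,
        [int]$LookbackHours = 24
    )
    $cutoff   = (Get-Date).AddHours(-$LookbackHours)
    $minBytes = $MinSizeMB * 1MB
    foreach ($path in $SharePath) {
        Get-ChildItem -Path $path -Recurse -File -Include '*.zip','*.rar','*.7z' -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -ge $minBytes -and $_.CreationTime -ge $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    Indicator = 'LargeArchive'
                    Path      = $_.FullName
                    SizeMB    = [math]::Round($_.Length / 1MB, 1)
                    Created   = $_.CreationTime
                    Owner     = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
                }
            }
    }
}

function Find-ShadowCopyDeletion {
    param([int]$LookbackHours = 24)
    # Command lines that destroy recovery points before encryption (vssadmin, wbadmin, wmic shadowcopy)
    $pattern = '(?i)\bvssadmin(\.exe)?\s+delete\s+shadows|\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)|shadowcopy\s+delete'
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # 4688 fields are more reliable from the event XML than from the localized Message text
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['CommandLine'] -match $pattern) {
            [pscustomobject]@{
                Indicator   = 'ShadowCopyDeletion'
                Time        = $e.TimeCreated
                Computer    = $e.MachineName
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process     = $data['NewProcessName']
                Parent      = $data['ParentProcessName']
                CommandLine = $data['CommandLine']
            }
        }
    }
}

# Usage (share paths are placeholders for this example)
$findings = @()
$findings += Find-StagingArchives -SharePath '\\FILESRV01\Finance','\\FILESRV01\Public' -MinSizeMB 100
$findings += Find-ShadowCopyDeletion -LookbackHours 24
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host "[+] No staging archives or shadow-copy deletion events found in the lookback window."
}
```

Run it from an elevated session on the file server or on a host with read access to the shares; the Security log query needs local administrator or Event Log Readers membership. Both functions emit objects rather than text so the results can be exported or fed into a ticket directly.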
Hardening Recommendations
Immediate (24 Hours)
- Patch Critical CVEs: Apply patches for CVE-2026-50751 and CVE-2026-20131 immediately. If patching is delayed, disable IKEv1 on Check Point gateways and restrict FMC access to source IP allow-lists.
- MFA Enforcement: Enforce MFA on all VPN, RDP, and firewall management interfaces.
Short-term (2 Weeks)
- Network Segmentation: Implement Zero Trust segmentation to prevent lateral movement from the VPN network segment to the core domain controllers.
- EDR Deployment: Ensure EDR coverage extends to management interfaces and jump servers, not just end-user workstations.