
NOVA Ransomware Gang: 16 New Victims Posted — Transport & Public Sector Surge

Security Arsenal Team
June 27, 2026

Date: 2026-06-27
Source: Ransomware.live Dark Web Leak Site Monitor
Analyst: Security Arsenal Intelligence Unit


Threat Actor Profile — NOVA

Aliases & Affiliation: NOVA operates as a Ransomware-as-a-Service (RaaS) entity, likely linked to former core developers of defunct groups (speculatively connected to the Void crypter family). They market themselves on Russian-speaking forums as an "enterprise-grade" encryption solution.

Operational Model:

  • Model: RaaS with an affiliate network. The core team develops the encryptor and manages the leak site; affiliates handle initial access and execution.
  • Ransom Demands: Historically range from $500,000 to $5 million USD, scaled to victim revenue and perceived data value.
  • Attack Vector Shift: While historically reliant on phishing and QakBot initial loaders, recent intelligence indicates a heavy pivot toward perimeter network device exploitation (VPN/Firewall vulnerabilities) for initial access.
  • Double Extortion: Strict adherence to double extortion. Data is exfiltrated prior to encryption. If ransom is not paid, sensitive data is published on their .onion portal.
  • Dwell Time: Average dwell time is approximately 5–9 days. NOVA affiliates typically spend 3–4 days performing reconnaissance and lateral movement before triggering encryption.

Current Campaign Analysis

Sector Targeting: Analysis of the last 100 postings, including the 16 most recent victims, reveals a distinct pivot toward critical logistics and civic infrastructure:

  • Transportation & Logistics (31%): High activity against maritime (vslmarine) and land transit (FTL-Fast Transit Line, transvill). This suggests affiliates are targeting supply chain disruption.
  • Public Sector (19%): The targeting of NSW Rural Fire Service (AU) marks a dangerous escalation into emergency services.
  • Technology & Manufacturing (25%): Continued targeting of SaaS providers (CloudQuantum) and heavy industry (Dosab).

Geographic Concentration: NOVA has abandoned a focused regional approach in favour of a global "spray and pray" campaign against unpatched internet-facing infrastructure. Recent victims span Australia (AU), India (IN), Peru (PE), Argentina (AR), Portugal (PT), Colombia (CO), Belgium (BE), and Vietnam (VN).

Victim Profile: Victims are predominantly mid-market to large enterprises ($50M - $500M revenue range). The attack on NSW Rural Fire Service implies that even state-government entities with complex legacy perimeters are viable targets.

CVE Correlation & Initial Access: The temporal correlation between victim postings and the appearance of specific CISA KEV entries is high.

  • CVE-2026-50751 (Check Point Security Gateway): Likely used for the Australian and European victims (common firewall vendor in these regions).
  • CVE-2026-20131 (Cisco Secure Firewall FMC): A probable vector for the corporate victims (CloudQuantum, Lockers IT).
  • CVE-2024-1708 (ConnectWise): Remains a prevalent vector for the MSP/Business Services targets (lpgroup.pt, Hosab).

Escalation Patterns: The group is posting 2-3 victims per day, indicating a mature, automated victim-processing pipeline. The speed of posting suggests negotiations are failing or victims are choosing to rebuild rather than pay.


Detection Engineering

Sigma Rules (Triple-Block)

```yaml
title: Potential NOVA Ransomware Lateral Movement via PsExec
id: 1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
description: Detects potential lateral movement activity often used by NOVA affiliates using PsExec or similar remote admin tools.
status: experimental
author: Security Arsenal
date: 2026/06/27
tags:
  - attack.execution
  - attack.lateral_movement
  - ransomware
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\psexec.exe'
      - '\psexec64.exe'
    CommandLine|contains:
      - '\\*\admin$'
      - '-accepteula'
  condition: selection
falsepositives:
  - Legitimate administrative activity
level: high
---
title: Suspicious Data Staging via Archival Tools
id: 2b3c4d5e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
description: Detects the mass archiving of files, a common precursor to exfiltration in NOVA double-extortion attacks.
status: experimental
author: Security Arsenal
date: 2026/06/27
tags:
  - attack.exfiltration
  - attack.collection
  - ransomware
logsource:
  category: process_creation
  product: windows
detection:
  selection_archive:
    Image|endswith:
      - '\winrar.exe'
      - '\7z.exe'
      - '\tar.exe'
  selection_params:
    CommandLine|contains:
      - '-m0'
      - '-m5'
      - '-hp'
  condition: all of selection_*
falsepositives:
  - Legitimate system backups
level: medium
---
title: Suspicious IKEv1 VPN Authentication (Check Point Gateway)
id: 3c4d5e6f-7a8b-6c9d-0e1f-2a3b4c5d6e7f
description: Detects suspicious IKEv1 key exchange anomalies associated with CVE-2026-50751 exploitation on Check Point gateways.
status: experimental
author: Security Arsenal
date: 2026/06/27
tags:
  - cve-2026-50751
  - attack.initial_access
  - network
logsource:
  product: checkpoint
  service: vpn
detection:
  # Field names assume the Check Point VPN log mapping used in this post; adjust to your schema.
  selection:
    IKE_version: 'v1'
    IKE_phase: 'Main Mode'
    Auth_Method: 'pre-shared-key'
    Result: 'failure'
  # Internal ranges are excluded with the cidr modifier; the filter must be referenced in the condition.
  filter_internal:
    SrcIp|cidr:
      - '10.0.0.0/8'
      - '192.168.0.0/16'
  timeframe: 1m
  condition: selection and not filter_internal | count() by SrcIp > 5
falsepositives:
  - Misconfigured VPN clients
level: critical
```
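The two process_creation rules above depend on how Sigma's `endswith` and `contains` modifiers and the `*` wildcard in `'\\*\admin$'` resolve. This added Python evaluator (not code from the post or from Security Arsenal) transcribes both rules, implements those modifier semantics, and runs them over constructed sample events; the field names match the rules, and the `tar.exe` event shows that the staging rule's switch list (`-m0`, `-m5`, `-hp`) only covers 7-Zip and WinRAR syntax.

```python
import fnmatch

# Constructed sample process-creation events (not real telemetry); the field
# names are the ones the post's Sigma rules reference.
EVENTS = [
    {"Image": r"C:\Tools\PsExec64.exe", "CommandLine": r"PsExec64.exe \\FILESRV01 -accepteula cmd"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "CommandLine": r"7z.exe a -m0=Copy -hpExample C:\Staging\hr.7z D:\HR\*"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "CommandLine": r"7z.exe x C:\Downloads\tools.7z"},
    {"Image": r"C:\Windows\System32\tar.exe", "CommandLine": r"tar.exe -cf C:\Users\Public\out.tar D:\HR"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

# The post's first two rules, transcribed from their YAML detection blocks.
RULES = {
    "nova_psexec_lateral_movement": {
        "detection": {"selection": {
            "Image|endswith": [r"\psexec.exe", r"\psexec64.exe"],
            "CommandLine|contains": [r"\\*\admin$", "-accepteula"],
        }},
        "condition": "selection",
    },
    "data_staging_archival_tools": {
        "detection": {
            "selection_archive": {"Image|endswith": [r"\winrar.exe", r"\7z.exe", r"\tar.exe"]},
            "selection_params": {"CommandLine|contains": ["-m0", "-m5", "-hp"]},
        },
        "condition": "all of selection_*",
    },
}

def value_matches(actual: str, modifier: str, pattern: str) -> bool:
    """Sigma string matching: case-insensitive; '*' and '?' inside the value are wildcards."""
    pat = pattern.lower()
    if modifier == "endswith":
        pat = "*" + pat
    elif modifier == "contains":
        pat = "*" + pat + "*"
    elif modifier == "startswith":
        pat = pat + "*"
    return fnmatch.fnmatchcase(actual.lower(), pat)

def selection_matches(selection: dict, event: dict) -> bool:
    """Every field in a selection must match (AND); any one listed value may match it (OR)."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        if not any(value_matches(str(event.get(field, "")), modifier, v) for v in values):
            return False
    return True

def rule_matches(rule: dict, event: dict) -> bool:
    """Supports the two condition forms used above: a selection name, or 'all of <glob>'."""
    det, cond = rule["detection"], rule["condition"]
    if cond.startswith("all of "):
        return all(selection_matches(s, event) for n, s in det.items() if fnmatch.fnmatchcase(n, cond[7:]))
    return selection_matches(det[cond], event)

def evaluate(events: list) -> list:
    """Return (event index, rule name) for every rule each event fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule_matches(rule, ev)]
```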


**KQL (Microsoft Sentinel) - Lateral Movement Hunt**
```kusto
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe", "wmic.exe", "psexec.exe")
| where ProcessCommandLine has_any ("New-Object", "Net.WSMan", "Invoke-Command", "remote", "\\\\")
| where InitiatingProcessFileName !in~ ("explorer.exe", "services.exe")
| summarize count(), arg_min(Timestamp, *) by DeviceName, AccountName, FileName
| where count_ > 10
```


**PowerShell - Rapid Response Hardening Script**
```powershell
<#
.SYNOPSIS
    NOVA Ransomware Rapid Response Audit
.DESCRIPTION
    Checks for signs of NOVA persistence, scheduled task anomalies, and VSS tampering.
    Run from an elevated session: vssadmin and Get-ScheduledTask need administrator
    rights to return complete results.
#>

Write-Host "[+] Starting NOVA Ransomware Persistence Hunt..." -ForegroundColor Cyan

# 1. Check for suspicious scheduled tasks created in last 7 days
#    MSFT_ScheduledTask.Date is a string (and may be empty), so guard and cast before comparing.
Write-Host "[*] Checking for recently created Scheduled Tasks (Last 7 Days)..." -ForegroundColor Yellow
$cutoff = (Get-Date).AddDays(-7)
$recentTasks = Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt $cutoff }
if ($recentTasks) {
    Write-Host "[ALERT] Found recent scheduled tasks:" -ForegroundColor Red
    $recentTasks | Select-Object TaskName, TaskPath, Date, Author
} else {
    Write-Host "[OK] No suspicious recent scheduled tasks found." -ForegroundColor Green
}

# 2. Audit Volume Shadow Copy Service (VSS) Writers
#    Every healthy writer prints "Last error: No error", so a plain "*error*" match would
#    always alert; flag only writers whose last error is something other than "No error".
Write-Host "[*] Checking VSS Writer State (Encryption/Ransomware often breaks these)..." -ForegroundColor Yellow
$vssState = vssadmin list writers
$vssErrors = $vssState | Where-Object { $_ -match 'Last error:' -and $_ -notmatch 'No error' }
if ($vssErrors) {
    Write-Host "[ALERT] VSS Writer errors detected. Possible tampering." -ForegroundColor Red
    $vssErrors
} else {
    Write-Host "[OK] VSS Writers appear healthy." -ForegroundColor Green
}

# 3. Check for RDP connections (NOVA often uses RDP for lateral movement)
#    'query user' exits non-zero and writes to stderr when no sessions exist.
Write-Host "[*] Checking for recent active RDP sessions..." -ForegroundColor Yellow
$rdpUsers = query user 2>$null
if ($rdpUsers) {
    Write-Host "[INFO] Current Active Sessions:" -ForegroundColor Cyan
    $rdpUsers
} else {
    Write-Host "[OK] No interactive sessions found." -ForegroundColor Green
}

Write-Host "[+] Hunt Complete." -ForegroundColor Cyan
```


---

Incident Response Priorities

Based on NOVA's specific playbook, IR teams should prioritize the following T-minus actions:

  1. T-minus Checklists (Pre-Encryption):
    • Vulnerability Scan: Immediately scan the perimeter for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC).
    • Log Audit: Check VPN logs for mass authentication failures or successful logins from anomalous geographies (specifically IN, VN, AR).
    • Process Hunt: Hunt for powershell.exe spawning rclone.exe or winscp.exe (data exfiltration tools).
  2. Critical Assets for Exfiltration: NOVA affiliates prioritize high-value data first:
    • Employee PII/HR databases (used for subsequent phishing).
    • Customer financial records (logistics/billing ledgers).
    • Intellectual property (manufacturing blueprints/tech source code).
  3. Containment Actions (Ordered by Urgency):
    • Phase 1: Disconnect Check Point and Cisco management interfaces from the internet if not patched.
    • Phase 2: Isolate systems on which the audit script above reported suspicious scheduled tasks.
    • Phase 3: Revoke all VPN credentials that have been active in the last 30 days; force MFA re-enrollment.
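The third Sigma rule in the Detection Engineering section and the Log Audit step above both reduce to the same check: a per-source count of failed IKEv1 Main Mode pre-shared-key authentications over a one-minute window, with internal ranges excluded. This added Python detector (not code from the post or from Security Arsenal) implements that sliding-window count over constructed key=value log lines; the line format and field names are assumed stand-ins, not Check Point's actual log schema.

```python
import ipaddress
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed key=value VPN log lines (an assumed shape, not Check Point's real format).
def _line(hms: str, src: str, result: str = "failure", ver: str = "v1") -> str:
    return (f'2026-06-27T08:{hms}Z src={src} ike_version={ver} phase="Main Mode" '
            f'auth=pre-shared-key result={result}')

SAMPLE_LOG = [
    *[_line(f"00:{s:02d}", "203.0.113.7") for s in (1, 8, 15, 22, 30, 41)],  # 6 failures in 40 s
    *[_line(f"00:{s:02d}", "10.0.0.5") for s in (2, 3, 4, 5, 6, 7)],         # internal source, filtered
    *[_line(f"{m:02d}:00", "198.51.100.9") for m in (10, 12, 14)],           # 3 failures over 4 min
    _line("00:50", "203.0.113.7", result="success"),                         # not a failure
    _line("00:55", "203.0.113.7", ver="v2"),                                 # IKEv2, outside selection
]

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
THRESHOLD, WINDOW = 5, timedelta(minutes=1)   # the rule's "count() > 5" within "timeframe: 1m"

def parse(line: str) -> dict:
    """Split the timestamp and the key=value pairs (shlex keeps quoted values intact)."""
    ts, *pairs = shlex.split(line)
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def selected(rec: dict) -> bool:
    """The rule's selection block: a failed IKEv1 Main Mode pre-shared-key authentication."""
    return (rec.get("ike_version") == "v1" and rec.get("phase") == "Main Mode"
            and rec.get("auth") == "pre-shared-key" and rec.get("result") == "failure")

def is_internal(src: str) -> bool:
    """The rule's filter: sources inside the listed private ranges are not counted."""
    return any(ipaddress.ip_address(src) in net for net in INTERNAL)

def detect(lines: list) -> dict:
    """Return {source IP: time its sliding 1-minute failure count first exceeded the threshold}."""
    recent, alerts = defaultdict(deque), {}
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        src = rec["src"]
        if not selected(rec) or is_internal(src) or src in alerts:
            continue
        q = recent[src]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > WINDOW:     # drop failures older than the window
            q.popleft()
        if len(q) > THRESHOLD:
            alerts[src] = rec["ts"]
    return alerts
```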

Hardening Recommendations

Immediate (24 Hours):

  • Patch Perimeter: Apply the hotfix for CVE-2026-50751 immediately. This is the primary driver of their current campaign.
  • Block RDP: Block inbound RDP from the internet and enforce VPN-only access for RDP.
  • MFA: Enable hardware-token based MFA for all VPN and firewall admin access. (NOVA affiliates are known to bypass SMS MFA).

Short-term (2 Weeks):

  • Network Segmentation: Enforce strict segmentation between IT and OT networks, specifically for Transportation/Logistics victims.
  • EDR Deployment: Ensure EDR coverage on 100% of endpoints, specifically focusing on file server detection capabilities.
  • Remote Monitoring: Implement 24/7 monitoring for vssadmin.exe deletion commands, which NOVA uses to disable shadow copies before encryption.
