Back to Intelligence

NOVA Ransomware Gang: Aggressive Campaign Targeting Logistics & Public Sector — Firewall & RDP Exploitation Surge

SA
Security Arsenal Team
June 27, 2026
6 min read

Date: 2026-06-27 Analyst: Security Arsenal Threat Intelligence Unit Source: Ransomware.live / Dark Web Leak Site OSINT

Threat Actor Profile — NOVA

  • Aliases: None confirmed (independent operator).
  • Operational Model: Aggressive RaaS-style operations; high-frequency posting suggests an automated leak site infrastructure and affiliate-driven model.
  • Ransom Demands: Variable; historically averages $500k - $2M USD depending on victim revenue.
  • Initial Access Vectors: NOVA affiliates aggressively exploit internet-facing infrastructure. Recent intelligence confirms the use of CVE-2024-1708 (ConnectWise ScreenConnect), CVE-2026-50751 (Check Point Security Gateway), and CVE-2026-20131 (Cisco Secure Firewall FMC). Valid credentials obtained via phishing for RDP/VPN access remain a secondary vector.
  • Extortion Strategy: Classic double extortion. Data is exfiltrated prior to encryption; victims are posted to the NOVA .onion site if negotiations fail or deadlines are missed.
  • Dwell Time: Short to moderate (3-7 days). The group moves rapidly from initial access to data staging, likely indicating the use of automated tooling for reconnaissance and exfiltration.

Current Campaign Analysis

Campaign Overview

NOVA has posted 16 victims in the last 100 postings, with a distinct acceleration in activity between June 20-26, 2026. The campaign exhibits a "spray and pray" approach regarding geography but specific intent regarding industry verticals.

Targeted Sectors

  • Primary: Transportation/Logistics (37% of recent victims - e.g., vslmarine, transvill, FTL-Fast Transit Line).
  • Secondary: Public Sector (NSW Rural Fire Service), Technology (CloudQuantum, Lockers IT), and Manufacturing (Dosab).

Geographic Concentration

The campaign is globally dispersed but shows hotspots in:

  • Asia-Pacific (APAC): Australia (AU), India (IN), Vietnam (VN).
  • South America: Peru (PE), Colombia (CO), Argentina (AR).
  • Europe: Belgium (BE), Portugal (PT), Denmark (DK - Healthcare).

Victim Profile

Targets range from mid-market logistics firms to critical public sector entities (e.g., NSW Rural Fire Service). The targeting of NSW Rural Fire Service represents a dangerous escalation into critical infrastructure/life-safety sectors.

CVE Connection

The overlap between NOVA victims and the CISA KEV list is strong. The inclusion of CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC) suggests NOVA affiliates are specifically targeting perimeter security appliances to bypass firewall controls and gain initial access to internal networks.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential NOVA Ransomware Initial Access - ScreenConnect Exploit
id: 5e7c5a1a-1a1a-4a1a-1a1a-1a1a1a1a1a1a
description: Detects suspicious command line arguments associated with CVE-2024-1708 exploitation in ConnectWise ScreenConnect processes.
status: experimental
date: 2026/06/27
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains: 'ScreenConnect.ClientService.exe'
        CommandLine|contains:
            - 'Configuration.aspx'
            - 'Host='
            - 'EventName=Logon'
    condition: selection
falsepositives:
    - Legitimate administrative use of ScreenConnect
level: critical
---
title: Suspicious Lateral Movement - WMI Command Execution
id: 8b8b8b8b-8b8b-8b8b-8b8b-8b8b8b8b8b8b
description: Detects remote process execution via WMI, a common technique used by ransomware gangs like NOVA for lateral movement.
status: experimental
date: 2026/06/27
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wmiprvse.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Legitimate system administration
level: high
---
title: Large Scale File Encryption Indicator
id: 9c9c9c9c-9c9c-9c9c-9c9c-9c9c9c9c9c9c
description: Detects bulk modification of file extensions or rapid file creation/deletion patterns indicative of ransomware encryption.
status: experimental
date: 2026/06/27
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        AccessMask: '0x10080' # Write_Data and Delete access
    timeframe: 1m
    condition: selection | count() > 50
falsepositives:
    - Bulk file operations by IT tools
level: critical

KQL (Microsoft Sentinel)

Hunt for lateral movement and staging indicators associated with NOVA toolsets.

KQL — Microsoft Sentinel / Defender
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Look for processes spawning from wmiprvse.exe (WMI Lateral Movement)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
// Filter for common LOLBins used in ransomware attacks
| where FileName in~ ("powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe")
// Check for encoded commands often used to evade detection
| where ProcessCommandLine has "-enc" or ProcessCommandLine has "FromBase64String"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| extend HostName = split(DeviceName, ".")[0]
| order by Timestamp desc

PowerShell Response Script

Rapid response script to enumerate suspicious scheduled tasks created in the last 7 days, a common persistence mechanism for NOVA.

PowerShell
# NOVA Ransomware Persistence Check
# Run as Administrator

$DateCutoff = (Get-Date).AddDays(-7)
Write-Host "[+] Checking for Scheduled Tasks created/modified in the last 7 days..." -ForegroundColor Cyan

Get-ScheduledTask | ForEach-Object {
    $Task = $_
    $TaskInfo = $Task | Get-ScheduledTaskInfo
    
    if ($TaskInfo.LastRunTime -gt $DateCutoff -or $Task.Date -gt $DateCutoff) {
        $Action = $Task.Actions.Execute
        if ($Action) {
            Write-Host "[!] Suspicious Task Found:" -ForegroundColor Red
            Write-Host "    Name: $($Task.TaskName)" -ForegroundColor Yellow
            Write-Host "    Action: $Action" -ForegroundColor Yellow
            Write-Host "    Author: $($Task.Author)" -ForegroundColor Yellow
            Write-Host "    Last Modified: $($Task.Date)" -ForegroundColor Yellow
            Write-Host "----------------------------------------"
        }
    }
}
Write-Host "[+] Scan Complete." -ForegroundColor Green


---

Incident Response Priorities

  1. T-minus Detection Checklist:

    • Hunt for Web shells on IIS servers (Check Point/ScreenConnect exploit artifacts).
    • Review VPN and RDP logs for successful logins from unusual geolocations (specifically check for IPs originating from IN, VN, AR hitting global HQs).
    • Look for large volumes of data egress ( > 1GB) to non-corporate IPs occurring outside business hours.

  2. Critical Assets Prioritized for Exfiltration:

    • Based on NOVA victimology (Logistics/Public Sector), prioritize the protection of: Dispatch databases, employee PII, financial ledgers (AP/AR), and CAD/Blueprint repositories.

  3. Containment Actions (Order by Urgency):

    • Immediately: Isolate systems identified as running vulnerable versions of ConnectWise ScreenConnect or affected Check Point/Cisco appliances.
    • High: Disable local administrator accounts on endpoints and enforce RDP restrictions (Network Level Authentication).
    • Medium: Revoke and reset credentials for service accounts associated with the discovered Scheduled Tasks.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Management: Apply patches for CVE-2024-1708 (ScreenConnect), CVE-2026-50751 (Check Point), and CVE-2026-20131 (Cisco FMC) immediately. These are active KEVs being used for initial access.
  • Access Control: Enforce MFA on all VPN, RDP, and remote management interfaces. Block internet access to management ports (SSH/HTTPS/4433) for firewall and security appliances from untrusted IPs.

Short-term (2 Weeks)

  • Network Segmentation: Implement strict micro-segmentation to limit lateral movement from the DMZ or user subnets to critical logistics and database servers.
  • EDR Coverage: Ensure full EDR coverage on all internet-facing assets and critical database servers. Configure detection rules for "Mass Encryption" and "Suspicious WMI Execution".

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangnovanova-ransomwaretransportation-sectorcve-2024-1708ransomware-intelcisa-kev

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action