Back to Intelligence

NOVA Ransomware Gang: Global Logistics & Public Sector Assault — CVE-2026-50751 Exploitation Detected

SA
Security Arsenal Team
June 26, 2026
6 min read

The NOVA ransomware operation has escalated activity in late June 2026, posting 16 new victims within a short window. The group demonstrates a distinct bias toward the Transportation/Logistics and Public sectors, targeting entities across Australia, India, South America, and Europe. Intelligence suggests NOVA is actively exploiting critical perimeter vulnerabilities, specifically CVE-2026-50751 (Check Point Security Gateway) and CVE-2024-1708 (ConnectWise ScreenConnect), to gain initial access.

Threat Actor Profile — NOVA

  • Aliases: None confirmed (currently operating under NOVA moniker).
  • Operational Model: Ransomware-as-a-Service (RaaS) with indications of an affiliate-driven model given the geographic dispersion and sector variance.
  • Ransom Demands: Typically ranging from $500k to $5m USD, depending on victim revenue.
  • Initial Access Vectors: Heavy reliance on external remote services (VPN gateways) and remote management software (ScreenConnect). Recent data strongly correlates victim compromises with unpatched perimeter appliances.
  • Tactics: Double extortion. NOVA exfiltrates sensitive data (PII, operational manifests, blueprints) prior to encryption.
  • Dwell Time: Short. Observations suggest a dwell time of 3–7 days between initial breach and encryption/deployment.

Current Campaign Analysis

Sector Targeting

NOVA has displayed a clear preference for critical infrastructure and logistics:

  • Transportation/Logistics: High frequency of hits (e.g., vslmarine, transvill, FTL-Fast Transit Line). This sector is targeted for operational disruption and high willingness to pay to restore supply chains.
  • Public Sector: NSW Rural Fire Service (AU) and MIT HJERTE (DK - Healthcare) indicate a willingness to target emergency services, likely due to legacy VPN infrastructure.
  • Technology/Business Services: (cloudquantum, lpgroup.pt) utilized as potential supply chain jump hosts.

Geographic Concentration

The campaign is highly globalized with no single regional focus, suggesting a "spray and pray" vulnerability scanning approach:

  • APAC: Australia, India, Vietnam
  • LATAM: Peru, Colombia, Argentina
  • Europe: Belgium, Portugal, Denmark

Victim Profile

Primarily mid-to-large enterprises. The inclusion of NSW Rural Fire Service implies capacity to hit large government networks, while logistics firms like vslmarine suggest targeting of mid-market logistics providers with potentially weaker IT security postures.

CVE Correlation

The timing of victim postings aligns with the addition of CVE-2026-50751 to the CISA KEV list (June 8, 2026). It is highly probable that NOVA affiliates are weaponizing the Check Point IKEv1 authentication bypass to bypass VPN MFA and establish footholds. Furthermore, CVE-2024-1708 (ScreenConnect) remains a favored vector for quick lateral movement in the Technology and Business Services victims.

Detection Engineering

The following detection logic is designed to identify NOVA's primary initial access vectors and lateral movement stages.

YAML
---
title: Potential NOVA Ransomware Check Point IKEv1 Exploit (CVE-2026-50751)
id: 7a3b9c12-d4e6-4f8a-9c1a-2b3d4e5f6789
status: experimental
description: Detects potential exploitation of Check Point Security Gateway improper authentication vulnerability via IKEv1 anomalies often associated with NOVA initial access.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/27
logsource:
    product: checkpoint
    service: vpn
detection:
    selection:
        message|contains:
            - 'ike'
            - 'key_exchange'
        action: 'decrypt' # or specific failure modes
    filter_legit:
        src_ip|cidr:
            - '10.0.0.0/8'
            - '192.168.0.0/16'
            - '172.16.0.0/12'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate misconfigured VPN clients from internal ranges
level: critical
---
title: ConnectWise ScreenConnect Path Traversal Exploit (CVE-2024-1708)
id: 8b4c0d23-e5f7-5g9b-0d2b-3c4e5f6a7890
status: experimental
description: Detects web shell-like activity or path traversal attempts on ScreenConnect servers, a known vector for NOVA affiliates.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/27
logsource:
    product: web server
    service: iis
    definition: 'Requirements: Codecs for IIS logs or ScreenConnect specific logs'
detection:
    selection_uri:
        cs-uri-query|contains:
            - '..%2f'
            - '..%5c'
            - 'App_Web'
    selection_extension:
        cs-uri-stem|endswith:
            - '.aspx'
            - '.ashx'
    condition: all of selection_*
falsepositives:
    - Scanning activity (should still be investigated)
level: high
---
title: Suspicious PsExec Execution Lateral Movement
id: 9c5d1e34-f6g8-6h0c-1e3c-4d5f6a7b8901
status: experimental
description: Detects the usage of PsExec for lateral movement, frequently observed by NOVA prior to encryption.
author: Security Arsenal Research
date: 2026/06/27
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|contains: 'psexec.exe'
        CommandLine|contains:
            - '-accepteula'
            - '\\*'
    condition: selection
falsepositives:
    - Administrative IT tasks
level: medium


kql
// KQL Hunt for NOVA Pre-Encryption Staging
// Hunts for rapid file renames (potential encryption prep) and mass VSS deletion attempts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ((FileName in~ ("vssadmin.exe", "wmic.exe") and ProcessCommandLine has "delete") and 
     (ProcessCommandLine has "shadow" or ProcessCommandLine has "snapshot"))
    or (InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe") and 
        ProcessCommandLine has "icacls" and ProcessCommandLine has "/grant")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc


powershell
# Rapid Response: Audit Recent Shadow Copy Manipulation
# NOVA actors often delete Shadow Copies to prevent recovery before encryption.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-ShadowCopy/Operational'; ID=14} -ErrorAction SilentlyContinue | 
Where-Object {$_.TimeCreated -gt (Get-Date).AddDays(-1)} | 
Select-Object TimeCreated, Id, Message | 
Format-Table -AutoSize

if ($?) { Write-Host "[INFO] No critical VSS deletion events found in the last 24 hours." -ForegroundColor Green }
else { Write-Host "[ALERT] Potential VSS tampering detected. Investigate immediately." -ForegroundColor Red }


# Incident Response Priorities

T-Minus Detection Checklist

  1. Check Point Logs: Review VPN logs for IKEv1 failures or unexpected successful authentications from foreign IPs (CVE-2026-50751).
  2. ScreenConnect Audit: Identify any new admin users or scheduled tasks created within the ScreenConnect management portal.
  3. RDP Brute Force: Look for spikes in failed RDP attempts, often used as a fallback if VPN exploits fail.

Critical Assets for Exfil

Based on NOVA's victimology, prioritize the search for exfil indicators on:

  • Operational Databases (Logistics manifests, dispatch systems)
  • HR & Employee Records (Common in Public Sector hits)
  • Financial Systems (Billing/invoicing)

Containment Actions

  1. Isolate: Immediately disconnect systems identified as running Check Point Security Gateways with unpatched CVE-2026-50751 from the internet if patching cannot be instantaneous.
  2. Block: Block inbound traffic to ScreenConnect web interfaces from unknown IP ranges at the perimeter firewall.
  3. Suspend: Suspend active service accounts for privileged users (Domain Admins) until forensic validation of their workstations is complete.

Hardening Recommendations

Immediate (24h)

  • Patch: Apply the hotfix for CVE-2026-50751 on all Check Point Security Gateways immediately.
  • Disable: If unable to patch ScreenConnect immediately, disable the web interface temporarily and enforce strict allow-listing for management IPs.
  • MFA: Enforce hardware-token MFA for all VPN and remote access solutions; push-notification MFA is being bypassed by NOVA via session hijacking.

Short-term (2 weeks)

  • Network Segmentation: Implement strict micro-segmentation for Transportation/Logistics OT networks to prevent lateral movement from the IT zone.
  • EPM Deployment: Deploy Endpoint Privilege Management to block the execution of tools like PsExec and Mimikatz without explicit approval.
  • Vault Hardening: Rotate all credentials stored in password managers accessed by the NOVA-affected business units.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangnovaransomwarecve-2026-50751transportationpublic-sectorinitial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action