Aliases & Model
NOVA operates as a Ransomware-as-a-Service (RaaS) entity with suspected origins in Eastern Europe. Unlike closed groups, they aggressively recruit affiliates via Russian-speaking forums. Affiliates retain 70-80% of ransom payments, incentivizing high-volume attacks.
TTPs & Playbook
NOVA affiliates typically gain initial access via exposed VPN appliances (notably recent Check Point CVEs) and compromised RDP credentials. They employ a double-extortion model, stealing sensitive data (blueprints, client databases) 48-72 hours before detonating encryption.
Ransom Demands & Dwell Time
- Demands: Typically $500k – $3M USD, escalating based on revenue.
- Dwell Time: Average 4–7 days. Recent victims indicate a shift toward faster "smash-and-grab" operations, reducing dwell time to under 3 days.
Current Campaign Analysis
Sectors Under Siege
The latest campaign (June 20–26, 2026) shows a distinct pivot toward sectors adjacent to critical infrastructure:
- Transportation & Logistics: 3 victims (transvill, FTL-Fast Transit Line) indicating disruption of supply chains.
- Technology: 3 victims (cloudquantum, Lockers IT), suggesting software supply chain targeting.
- Healthcare: 1 victim (MIT HJERTE, Denmark), a high-value target for extortion.
Geographic Focus
A significant concentration in Latin America (Peru, Argentina) and Asia-Pacific (Vietnam, Saudi Arabia). This suggests affiliates are regionally focused or are using localized language packs for phishing and credential harvesting.
CVE Exploitation Link
There is a high-confidence correlation between NOVA's recent surge and the exploitation of CVE-2026-50751 (Check Point Security Gateway). Given that the transportation targets (transvill, FTL) rely heavily on VPN infrastructure for fleet management, this CVE is likely the primary initial access vector for this cluster.
Detection Engineering
SIGMA Rules
---
title: Potential Check Point CVE-2026-50751 Exploitation Attempt
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
description: Detects exploitation of improper authentication in IKEv1 key exchange related to CVE-2026-50751.
status: experimental
date: 2026/06/26
author: Security Arsenal Research
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
  product: firewall
  service: check_point
detection:
  selection:
    action|startswith: 'accept'
    service: 'ike'
    reason|contains: 'encryption failure'
    src_ip|cidr:
      - '10.0.0.0/8'
      - '192.168.0.0/16'
  filter:
    dst_ip|cidr:
      - '10.0.0.0/8'
      - '192.168.0.0/16'
      - '172.16.0.0/12'
  condition: selection and not filter
falsepositives:
  - Misconfigured internal VPN clients
level: high
---
title: NOVA Affiliate Lateral Movement via PsExec
id: b2c3d4e5-f6g7-h8i9-j0k1-l2m3n4o5p6q7
description: Detects typical NOVA lateral movement patterns using PsExec with specific arguments often used by their affiliates.
status: experimental
date: 2026/06/26
author: Security Arsenal Research
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5145
    ShareName|startswith: '\\\\*\\ADMIN$'
    RelativeTargetName|contains: 'PSEXESVC'
    AccessMask: '0x12019f'
  condition: selection
falsepositives:
  - Legitimate administrative tasks using PsExec
level: critical
---
title: Ransomware Pre-Encryption Volume Shadow Copy Deletion
id: c3d4e5f6-g7h8-i9j0-k1l2-m3n4o5p6q7r8
description: Detects commands used to delete Volume Shadow Copies via vssadmin, a common step in the NOVA playbook before encryption.
status: experimental
date: 2026/06/26
author: Security Arsenal Research
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\\vssadmin.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'resize shadowstorage'
  condition: selection
falsepositives:
  - System administration maintenance scripts
level: high
KQL Hunt Query (Microsoft Sentinel)
// Hunt for NOVA pre-encryption staging and lateral movement
let TimeFrame = ago(7d);
DeviceProcessEvents
| where Timestamp > TimeFrame
| where ProcessCommandLine has_any ("vssadmin", "wbadmin", "bcdedit") or ProcessCommandLine contains "delete"
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "psexec.exe", "psexec64.exe")
| project DeviceName, Timestamp, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc
Rapid Response PowerShell Script
<#
.SYNOPSIS
NOVA Ransomware Hardening and Triage Script
.DESCRIPTION
Checks for common NOVA TTPs: RDP exposure, recent schtasks, and VSS health.
Run from an elevated PowerShell session; vssadmin requires administrator rights.
#>
#Requires -RunAsAdministrator

Write-Host "[+] Checking for exposed RDP sessions..." -ForegroundColor Cyan
# quser lists interactive and RDP sessions directly; no Invoke-Expression is needed.
# It reports "No User exists for *" when nobody is logged on.
quser

Write-Host "[+] Enumerating Scheduled Tasks created in last 7 days..." -ForegroundColor Cyan
# The Date property of a scheduled task is a string (and often empty), so cast it
# to [datetime] before comparing; a raw string-vs-DateTime comparison is wrong.
$cutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt $cutoff } |
    Select-Object TaskName, TaskPath, Author, Date

Write-Host "[+] Checking Volume Shadow Copy Storage health..." -ForegroundColor Cyan
# When no shadow copies exist vssadmin prints "No items found that satisfy the query.",
# so that is the string to test for (stderr is merged in case the command fails outright).
$vss = vssadmin list shadows 2>&1
if ($vss -match "No items found") {
    Write-Host "[!] CRITICAL: No Volume Shadow Copies found. Possible deletion." -ForegroundColor Red
} else {
    Write-Host "[+] VSS Snapshots detected." -ForegroundColor Green
}
---
Incident Response Priorities
T-Minus Detection Checklist
- VPN Logs: Immediate audit of Check Point/SSL VPN logs for failed IKEv1 handshakes or anomalous authentication attempts (CVE-2026-50751).
- Scheduled Tasks: Hunt for unexpected tasks running "powershell -enc" or pointing to temp directories.
- Credential Access: Look for "procdump.exe" or "rundll32.exe comsvcs.dll" execution against LSASS.
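The following PowerShell is an added example for the Scheduled Tasks and Credential Access checklist items above; it is not part of the original report or the Security Arsenal tooling. It enumerates scheduled tasks whose action is an encoded PowerShell command or runs from a temp directory (decoding the -EncodedCommand payload so the analyst can read it), and scans Security event 4688 for procdump.exe aimed at lsass or rundll32.exe loading comsvcs.dll. It assumes an elevated session and that process-creation auditing with command-line logging is enabled (otherwise the CommandLine field of 4688 is empty and only the image name is checked). The temp-path list and the function names are the example's own choices.

```powershell
# Added example (not from the original report). Assumes: elevated session; "Audit Process Creation"
# with "Include command line in process creation events" enabled for the 4688 check.

function ConvertFrom-EncodedCommand {
    # Returns the decoded -EncodedCommand payload (base64 of UTF-16LE) from a command line, or $null.
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), hence -e[a-z]*.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{20,})') {
        try { return [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return '<base64 decode failed>' }
    }
    return $null
}

function Get-SuspiciousScheduledTask {
    # Flags tasks whose exec action is an encoded PowerShell command or points into a temp directory.
    param([string[]]$TempPaths = @('\AppData\Local\Temp\', '\Windows\Temp\', '\ProgramData\', '\Users\Public\'))
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler / non-exec actions
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            $reasons = @()
            $decoded = ConvertFrom-EncodedCommand $cmd
            if ($decoded) { $reasons += 'encoded-powershell' }
            foreach ($p in $TempPaths) {
                if ($cmd -like "*$p*") { $reasons += "temp-path:$p"; break }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    Command  = $cmd
                    Decoded  = $decoded
                    Reasons  = $reasons -join ','
                }
            }
        }
    }
}

function Get-LsassDumpAttempt {
    # Scans Security 4688 events for procdump.exe targeting lsass and rundll32.exe loading comsvcs.dll.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        $image = [string]$data['NewProcessName']
        $cmd   = [string]$data['CommandLine']
        $hit = $null
        if ($image -match '\\procdump(64)?\.exe$' -and $cmd -match 'lsass') { $hit = 'procdump-lsass' }
        elseif ($image -match '\\rundll32\.exe$' -and $cmd -match 'comsvcs\.dll') { $hit = 'rundll32-comsvcs' }
        if ($hit) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $data['SubjectUserName']
                Parent  = $data['ParentProcessName']
                Image   = $image
                Command = $cmd
                Hit     = $hit
            }
        }
    }
}

# Usage (elevated): run both hunts and review the tables.
Get-SuspiciousScheduledTask | Format-Table -AutoSize
Get-LsassDumpAttempt -Days 7 | Format-Table -AutoSize
```

Review any task flagged with "temp-path" against its Author and TaskPath; legitimate installers occasionally create short-lived tasks there, so the hit list is a triage queue, not a verdict. A rundll32.exe hit with comsvcs.dll has very few benign explanations and should be escalated immediately.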
Critical Asset Prioritization
NOVA historically prioritizes exfiltration of:
- Finance: Payroll, tax documents, banking credentials.
- Intellectual Property: CAD files (Manufacturing), Source Code (Tech).
- PII: Patient records (Healthcare), Employee HR files.
Containment Actions (Order of Urgency)
- Isolate hosts showing signs of PsExec or WMI lateral movement immediately.
- Revoke VPN credentials for all privileged accounts; enforce MFA reset.
- Power off non-critical domain controllers to prevent replication of malicious GPOs.
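As an added example of the second containment step (revoking VPN credentials for all privileged accounts), the PowerShell below is not part of the original report. It targets on-premises Active Directory: every user that is a member of the listed privileged groups gets a fresh random password and is flagged to change it at next logon, which invalidates the credentials any affiliate captured for VPN or RDP. The new passwords are deliberately not output; access is restored by the helpdesk issuing a password out of band after identity verification. It assumes the RSAT ActiveDirectory module, a Domain Admin session and a VPN that authenticates against AD; MFA re-enrolment happens in the MFA/IdP provider and is not covered. The group list and the "ir-breakglass" exclusion are constructed placeholders.

```powershell
# Added example (not from the original report). Assumes the ActiveDirectory module and a
# Domain Admin session. Use -WhatIf first; the group and break-glass names are placeholders.

function New-RandomPassword {
    # Builds a 24-character password from a CSPRNG; rejection sampling avoids modulo bias.
    param([int]$Length = 24)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+-=?@'
    $limit = 256 - (256 % $chars.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    return $sb.ToString()
}

function Reset-PrivilegedAccountCredential {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        [string[]]$BreakGlassAccounts = @('ir-breakglass')   # placeholder: accounts to leave untouched
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Collect direct and nested user members of every privileged group.
    $members = foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }
    }

    foreach ($member in ($members | Sort-Object SamAccountName -Unique)) {
        $sam = $member.SamAccountName
        if ($BreakGlassAccounts -contains $sam) {
            [pscustomobject]@{ Account = $sam; Action = 'skipped (break-glass)' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($sam, 'Reset password and force change at next logon')) {
            # The password is never displayed or logged; the helpdesk issues a new one out of band.
            $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $sam -Reset -NewPassword $secure
            Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
            [pscustomobject]@{ Account = $sam; Action = 'password reset, change at logon enforced' }
        }
    }
}

# Preview first, then run for real and keep the output as the IR record of what was reset.
Reset-PrivilegedAccountCredential -WhatIf
# Reset-PrivilegedAccountCredential | Export-Csv .\privileged-reset-log.csv -NoTypeInformation
```

Keep at least one break-glass account excluded and verified before running, otherwise the responders lock themselves out along with the affiliate. Where the VPN uses a separate directory or local accounts on the appliance, those credentials need the same treatment through that system's own management interface.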
Hardening Recommendations
Immediate (24 Hours)
- Patch Management: Apply the patch for CVE-2026-50751 immediately on all Check Point Security Gateways. Disable IKEv1 if not strictly required.
- Access Control: Enforce MFA on all VPN and RDP access. Implement "Geo-blocking" for regions not currently serviced by the enterprise.
Short-Term (2 Weeks)
- Network Segmentation: Move critical servers and backups to an isolated VLAN with strict egress filtering.
- EDR Tuning: Configure EDR to alert on unsigned binaries interacting with LSASS or VSS.