Back to Intelligence

NOVA Ransomware Gang: Global Tech Sector Surge & Critical CVE Exploitation

SA
Security Arsenal Team
July 18, 2026
7 min read

NOVA is a rapidly emerging ransomware operation operating with a high degree of agility. While the group maintains a relatively low public profile regarding internal leadership, it functions as a Ransomware-as-a-Service (RaaS) entity, aggressively recruiting affiliates with access to vulnerable networks.

  • Ransom Model: Double extortion. NOVA exfiltrates sensitive data prior to encryption and threatens public release on their dedicated leak site if demands are not met.
  • Demands: Historically range from $500,000 to $5 million USD, typically negotiated in Monero (XMR) or Bitcoin (BTC).
  • Initial Access: NOVA affiliates are opportunistic, prioritizing exposed edge infrastructure. Intelligence suggests a heavy reliance on exploiting vulnerabilities in VPNs and remote management tools (e.g., Check Point, ScreenConnect) rather than sophisticated phishing campaigns.
  • Dwell Time: Short to moderate. Analysis of recent victim timelines indicates an average dwell time of 3–7 days between initial breach and detonation, allowing for rapid data staging.

Current Campaign Analysis

Campaign Dates: 2026-07-17 to 2026-07-18

Targeted Sectors: NOVA has shifted focus significantly toward the Technology and Business Services sectors. This targeting suggests a hunt for Managed Service Providers (MSPs) or IT-heavy firms, likely to pivot downstream into client networks or access high-value intellectual property.

Geographic Concentration: The campaign is geographically dispersed, indicating a "spray and pray" vulnerability exploitation approach rather than region-specific political motivations.

  • Americas: Brazil (BR), United States (US), Canada (CA)
  • Asia-Pacific: Vietnam (VN)

Victim Profile:

  • FMZ Tecnologia em Sistemas: Brazilian tech firm, typical mid-market IT provider.
  • Digipro: Vietnamese technology entity.
  • Integrated Marketing Services: US-based Business Services.

Observed Frequency: The group posted 4 victims within 24 hours. This escalation suggests a successful automated exploitation tool or a new affiliate joining the platform with a cache of access.

CVE Correlation & Initial Access Vectors: Based on the sectors targeted (Tech/Biz Services) and the CISA KEV list, NOVA is likely exploiting the following vectors for initial access:

  1. CVE-2026-50751 (Check Point Security Gateway): Given the targeting of Technology firms (who often manage their own perimeters), the IKEv1 vulnerability is a prime candidate for bypassing VPN authentication.
  2. CVE-2024-1708 (ConnectWise ScreenConnect): Business Services and IT firms heavily utilize remote monitoring and management (RMM) software. The authentication bypass in ScreenConnect allows for immediate RDP-like access.
  3. CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization flaws allow for remote code execution on management consoles, a common entry point for sophisticated NOVA affiliates.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Check Point IKEv1 Exploitation Attempt
description: Detects potential exploitation of CVE-2026-50751 involving IKEv1 key exchange anomalies or authentication failures on Check Point gateways.
author: Security Arsenal Research
date: 2026/07/18
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: firewall
    service: checkpoint
detection:
    selection:
        service|contains: 'ike'
        protocol: 'udp'
        dst_port: 500
    filter:
        action: 'accept'
    condition: selection and not filter
falsepositives:
    - Legitimate VPN misconfigurations
level: high
tags:
    - attack.initial_access
    - cve.2026.50751
    - nova
---
title: ConnectWise ScreenConnect Authentication Bypass
description: Detects suspicious web requests indicative of CVE-2024-1708 exploitation on ScreenConnect servers.
author: Security Arsenal Research
date: 2026/07/18
status: experimental
logsource:
    category: web
    product: connectwise_screenconnect
detection:
    selection_uri:
        cs-uri-query|contains:
            - '/Guest?'
            - 'SetupWizard'
    selection_method:
        cs-method: 'POST'
    condition: selection_uri and selection_method
falsepositives:
    - Legitimate administrative setup (rare in production)
level: critical
tags:
    - attack.initial_access
    - cve.2024.1708
    - nova
---
title: Suspicious PowerShell Encoded Command via RMM Tool
description: Detects base64 encoded PowerShell execution often used by ransomware gangs moving laterally through RMM tools like ScreenConnect.
author: Security Arsenal Research
date: 2026/07/18
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\powershell.exe'
        CommandLine|contains: ' -enc '
    filter_parent:
        ParentProcessName|endswith:
            - '\ScreenConnect.ClientService.exe'
            - '\BomgarJumpClient.exe'
            - '\ConnectWiseControl.Client.exe'
    condition: selection and filter_parent
falsepositives:
    - Administrator troubleshooting
level: high
tags:
    - attack.execution
    - attack.lateral_movement
    - nova

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and data staging common in NOVA attacks
// Focuses on mass file access and unusual SMB traffic
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe", "wmic.exe", "psexec.exe", "psexec64.exe")
| where CommandLine contains_any ("-enc", "-encodedcommand", "downloadstring", "iex", "invoke-expression")
| extend InitatingAccount = AccountName, InitiatingProcess = FileName
| join kind=inner (DeviceNetworkEvents
    | where ActionType == "ConnectionSuccess"
    | where RemotePort in (445, 139, 3389) 
    | summarize Count=count() by DeviceId, RemoteIP, RemotePort
) on DeviceId
| project Timestamp, DeviceName, InitiatingProcess, CommandLine, RemoteIP, RemotePort, Count
| where Count > 50 // High volume of connections suggests scanning/dump
| order by Timestamp desc

Rapid Response Script (PowerShell)

PowerShell
# NOVA Ransomware - T-Minus Hardening and Detection Script
# Checks for recent scheduled tasks (persistence) and Shadow Copy manipulation

Write-Host "[+] Starting NOVA Ransomware T-Minus Check..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in the last 48 hours
$DateCutoff = (Get-Date).AddDays(-2)
Write-Host "[!] Checking for Scheduled Tasks created/modified since $DateCutoff..." -ForegroundColor Yellow

Get-ScheduledTask | ForEach-Object {
    $TaskInfo = $_ | Get-ScheduledTaskInfo
    if ($TaskInfo.LastRunTime -gt $DateCutoff -or $TaskInfo.NextRunTime -gt $DateCutoff) {
        $Action = $_.Actions.Execute
        if ($Action -match "powershell" -or $Action -match "cmd" -or $Action -match "http") {
            Write-Host "[SUSPICIOUS] Task Name: $($_.TaskName) | Action: $Action" -ForegroundColor Red
        }
    }
}

# 2. Check Volume Shadow Copy Status (Ransomware often deletes these before encryption)
Write-Host "[!] Checking Volume Shadow Copy Storage usage..." -ForegroundColor Yellow
try {
    $vss = gwmi -Namespace root/cimv2 -Class Win32_ShadowCopyStorage
    if ($vss.Count -eq 0) {
        Write-Host "[WARNING] No Shadow Copy Storage found. This may indicate prior deletion." -ForegroundColor Red
    } else {
        Write-Host "[OK] Shadow Copy Storage present." -ForegroundColor Green
    }
} catch {
    Write-Host "[ERROR] Could not query VSS." -ForegroundColor DarkGray
}

# 3. Check for suspicious RDP sessions (User mode)
Write-Host "[!] Querying recent RDP logons (non-console)..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
Where-Object {$_.Message -match 'Logon Type: 10' -and $_.Message -notmatch 'NETWORK SERVICE'} |
Select-Object TimeCreated, @{n='User';e={$_.Properties[5].Value}}, @{n='IP';e={$_.Properties[19].Value}} | Format-Table

Write-Host "[+] Check Complete." -ForegroundColor Cyan


---

Incident Response Priorities

If NOVA activity is suspected or confirmed:

  1. T-Minus Detection Checklist:

    • Immediate: Isolate assets running Check Point Security Gateways and Cisco FMC from the internet if patches are not verified.
    • Audit: Review ScreenConnect logs for anonymous logon attempts or unexpected session launches around 2026-07-15 to 2026-07-18.
    • Network: Hunt for large outbound data transfers (exfiltration) occurring during non-business hours.
  2. Critical Assets Targeted for Exfiltration:

    • Source Code Repositories: (Targeted at victims like FMZ and Digipro).
    • Customer PII/CRM Databases: (Targeted at Integrated Marketing Services).
    • Financial Records: Accounting folders (pattern match: finance, payroll, tax).
  3. Containment Actions (Ordered by Urgency):

    • Disconnect VPN: Terminate all active VPN sessions and require re-authentication after MFA verification.
    • Disable RMM: Temporarily halt services for ScreenConnect/ConnectWise until the vulnerability (CVE-2024-1708) is confirmed patched.
    • Credential Reset: Force reset for all privileged accounts (Domain Admins) that have logged into the affected segment in the last 14 days.

Hardening Recommendations

Immediate (Within 24 Hours):

  • Patch CVE-2026-50751: Apply the Check Point hotfix immediately. If patching is delayed, disable IKEv1 on the VPN gateway.
  • Patch CVE-2024-1708: Upgrade ConnectWise ScreenConnect to the latest patched version immediately. Restrict access to the web interface via IP whitelisting.
  • MFA Enforcement: Ensure all remote access (VPN, RDP, RMM) is protected by FIDO2 or hardware-token MFA.

Short-Term (Within 2 Weeks):

  • Network Segmentation: Move critical IT management tools (RMM, Backup servers) to a dedicated management VLAN, inaccessible from the general user network.
  • Zero Trust Architecture: Implement strict allow-listing for outbound internet traffic from servers to prevent C2 beaconing and data exfiltration.
  • Audit Edge Perimeter: Conduct a full external penetration test with a specific focus on VPNs and Firewall Management Consoles (Cisco FMC).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangnovanova-ransomwaretech-sectorcve-2026-50751screenconnectransomware-intel

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.