
NOVA Ransomware: Global Logistics & Public Sector Campaign — Detection Engineering & IOCs

Security Arsenal Team
June 28, 2026

Aliases & Affiliation: NOVA operates as a Ransomware-as-a-Service (RaaS) entity with loose ties to former Conti/LockBit affiliates. They distinguish themselves through aggressive targeting of supply chain and logistics nodes.

Operational Model: NOVA utilizes a double-extortion model, encrypting victim environments while exfiltrating sensitive operational data (e.g., shipping manifests, blueprints). Recent ransom demands range from $500,000 to $3 million, payable in Monero (XMR) or Bitcoin (BTC).

Initial Access Vectors: Intelligence indicates a heavy reliance on exploiting internet-facing perimeter appliances. The group is actively leveraging zero-day and N-day vulnerabilities in VPNs (Check Point, Cisco) and remote management tools (ConnectWise ScreenConnect) to bypass MFA and gain persistent internal access.

Dwell Time: Average dwell time is short (3–7 days). NOVA operators prioritize speed, often moving laterally via Cobalt Strike beacons and custom PowerShell loaders within 24 hours of initial breach before detonating encryption.


Current Campaign Analysis

Sector Targeting: The current campaign (data through 2026-06-28) shows a distinct pivot toward Transportation/Logistics and Public Sector entities.

  • Transportation/Logistics (33% of victims): vslmarine (IN), transvill (PE), FTL-Fast Transit Line (BE).
  • Public Sector: NSW Rural Fire Service (AU).
  • Healthcare: MIT HJERTE (DK).

Geographic Concentration: NOVA has adopted a global spray-and-pray approach for initial access (scanning for vulnerable VPNs), followed by manual exploitation. High activity clusters observed in Australia (AU), India (IN), and South America (PE, AR, CO).

Victim Profile: Victims are primarily mid-to-large enterprise organizations with revenue between $50M and $500M. The targeting of the NSW Rural Fire Service suggests a willingness to target critical infrastructure regardless of ability to pay, likely for disruption or political leverage.

CVE Correlation: There is a high-confidence correlation between the recent victim surge and exploitation of CVE-2026-50751 (Check Point Security Gateway) and CVE-2026-20131 (Cisco Secure Firewall FMC). Both allow the gang to bypass authentication on the perimeter appliance, so the intrusion begins with what the device records as a successful login rather than with an exploit payload that network IDS signatures would match.

Posting Frequency: NOVA is posting victims at an accelerated rate (3–4 victims every 48 hours), suggesting an automated or semi-automated leak site operation and a high success rate in their exploitation efforts.


Detection Engineering

SIGMA Rules

YAML
---
title: Potential Check Point VPN IKEv1 Authentication Bypass
description: Detects potential exploitation of CVE-2026-50751 involving IKEv1 key exchange anomalies or unexpected successful logins on legacy VPN protocols. Fires on every accepted IKEv1 negotiation from a non-RFC1918 source, so treat it as a hunting rule unless IKEv1 is already disabled or the known peers are added to the filter.
author: Security Arsenal Research
date: 2026/06/28
status: stable
logsource:
  category: firewall
  product: checkpoint
  definition: Check Point Security Gateway logs
detection:
  selection:
    protocol|contains: 'IKE'
    action: 'accept'
    ike_version: 'v1'
  filter_legitimate:
    src_ip|cidr:
      - '10.0.0.0/8'
      - '192.168.0.0/16'
      - '172.16.0.0/12'
  condition: selection and not filter_legitimate
falsepositives:
  - Site-to-site or remote-access peers that still negotiate IKEv1; baseline them and add their addresses to filter_legitimate
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.50751
  - nova
---
title: Suspicious ConnectWise ScreenConnect Path Traversal
description: Detects potential exploitation of CVE-2024-1708 via traversal sequences in the path or query of requests in ScreenConnect web logs. Match on the decoded URI where the SIEM provides one; literal patterns miss alternative encodings such as '%2e%2e%2f' or double-encoded '..%252f'.
author: Security Arsenal Research
date: 2026/06/28
status: stable
logsource:
  category: web
detection:
  selection_host:
    cs-host|contains: 'ScreenConnect'
  selection_uri_stem:
    cs-uri-stem|contains:
      - '../'
      - '..%2f'
      - '%2e%2e%2f'
      - '..\\'
  selection_uri_query:
    cs-uri-query|contains:
      - '../'
      - '..%2f'
      - '%2e%2e%2f'
      - '..\\'
  condition: selection_host and 1 of selection_uri_*
falsepositives:
  - Authorised vulnerability scans
level: critical
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2024.1708
  - nova
---
title: Ransomware Pre-Encryption Volume Shadow Deletion
description: Detects commands used by NOVA affiliates to delete Volume Shadow Copies using vssadmin, wmic or PowerShell WMI calls prior to encryption.
author: Security Arsenal Research
date: 2026/06/28
status: stable
logsource:
  category: process_creation
  product: windows
detection:
  selection_vssadmin:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  selection_wmic:
    Image|endswith: '\wmic.exe'
    CommandLine|contains: 'shadowcopy delete'
  selection_powershell:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains|all:
      - 'Win32_ShadowCopy'
      - 'Delete'
  condition: 1 of selection_*
falsepositives:
  - Backup and storage-management agents that prune shadow copies; baseline on ParentImage
level: high
tags:
  - attack.impact
  - attack.t1490
  - nova
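The three rules above are easiest to reason about when their logic runs over concrete records. The following is an added example written for this advisory, not code from the original rules or from any SIEM vendor: it reimplements each rule's matching in Python and runs it over constructed sample records (the IP addresses, the hostname screenconnect.example.test, the request paths and the command lines are all made up for illustration). It also carries two checks a plain Sigma 'contains' does not give you: the URI is percent-decoded and slash-normalised before the traversal match, and the command line has its whitespace collapsed before the shadow-deletion match.

```python
"""Run the logic of the three Sigma rules above over constructed sample records.

Added example for this advisory, not part of the original rules or of any SIEM.
Field names follow the rules (protocol, src_ip, cs-host, cs-uri-*, Image,
CommandLine); the records, IP addresses and hostname below are constructed.
"""
import ipaddress
from urllib.parse import unquote

# Same RFC1918 ranges as the rule's filter_legitimate block.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC1918 sources. An unparseable or missing src_ip counts as external so the rule fails open."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect_ikev1_external(rec: dict) -> bool:
    """Rule 1: accepted IKEv1 negotiation whose source is not an internal address."""
    return ("IKE" in rec.get("protocol", "")
            and rec.get("action") == "accept"
            and rec.get("ike_version") == "v1"
            and not is_internal(rec.get("src_ip", "")))


def normalize_uri(uri: str) -> str:
    """Percent-decode up to three times (covers double encoding without looping forever),
    then fold backslashes to forward slashes and lowercase, so '%2e%2e%2f', '..%252f'
    and '..\\' all reduce to '../'. A literal 'contains' on the raw field misses these."""
    prev, cur = None, uri
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").lower()


def detect_screenconnect_traversal(rec: dict) -> bool:
    """Rule 2: traversal sequence in the path or query of a request to a ScreenConnect host."""
    host = rec.get("cs-host", "").lower()
    target = normalize_uri(rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", ""))
    return "screenconnect" in host and "../" in target


def detect_shadow_deletion(rec: dict) -> bool:
    """Rule 3: vssadmin/wmic shadow-copy deletion. Whitespace is collapsed so padded
    arguments ('delete   shadows') still match; a renamed binary would need OriginalFileName."""
    image = rec.get("Image", "").lower()
    cmd = " ".join(rec.get("CommandLine", "").lower().split())
    return ((image.endswith("\\vssadmin.exe") and "delete shadows" in cmd)
            or (image.endswith("\\wmic.exe") and "shadowcopy delete" in cmd))


DETECTORS = {"ike": detect_ikev1_external, "web": detect_screenconnect_traversal, "proc": detect_shadow_deletion}

# Constructed sample records; the "rule" key only routes each record to its detector.
SAMPLE_EVENTS = [
    {"rule": "ike", "protocol": "IKE", "action": "accept", "ike_version": "v1", "src_ip": "203.0.113.45"},  # external: fires
    {"rule": "ike", "protocol": "IKE", "action": "accept", "ike_version": "v1", "src_ip": "10.20.1.7"},     # internal: filtered
    {"rule": "ike", "protocol": "IKE", "action": "accept", "ike_version": "v2", "src_ip": "198.51.100.9"},  # IKEv2: out of scope
    {"rule": "web", "cs-host": "screenconnect.example.test", "cs-uri-stem": "/App/Files",
     "cs-uri-query": "path=%2e%2e%2f%2e%2e%2fweb.config"},   # encoded dots: fires only because we decode first
    {"rule": "web", "cs-host": "screenconnect.example.test", "cs-uri-stem": "/Host", "cs-uri-query": "mode=view"},  # benign
    {"rule": "proc", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin  delete   shadows /all /quiet"},  # padded
    {"rule": "proc", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete"},
    {"rule": "proc", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"},  # triage, benign
]


def run(events=SAMPLE_EVENTS):
    """Return (rule, record) for every record its detector fires on."""
    return [(e["rule"], e) for e in events if DETECTORS[e["rule"]](e)]


if __name__ == "__main__":
    for rule, rec in run():
        print(f"[{rule}] {rec}")
```

Against the sample set, the external IKEv1 accept, the encoded traversal request and the two deletion commands fire; the internal peer, the IKEv2 session, the benign ScreenConnect request and the read-only vssadmin listing do not. When porting the Sigma rules to a backend that cannot decode URIs, add the encoded variants to the pattern list as the rule above does, and accept that some encodings will still slip past.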

KQL (Microsoft Sentinel)

KQL
// Hunt for lateral movement (PsExec) and data-staging/exfiltration tooling (robocopy, rclone) associated with NOVA.
// DeviceProcessEvents carries process metadata only; bytes moved over SMB come from DeviceNetworkEvents or file-server logs.
let TimeFrame = 1h;   // widen for retrospective hunting; NOVA moves laterally within 24h of initial access
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where (FileName in~ ('psexec.exe', 'psexec64.exe', 'psexesvc.exe')
         or InitiatingProcessFileName =~ 'psexesvc.exe')               // PsExec client, or its service spawning the payload on the target
    or (FileName =~ 'robocopy.exe' and ProcessCommandLine has_any ('/COPYALL', '/MIR'))
    or (FileName =~ 'rclone.exe' and ProcessCommandLine has_any ('copy', 'sync', 'move'))  // rclone takes subcommands, never /COPYALL
| extend HostName = tostring(split(DeviceName, '.')[0])
| project Timestamp, HostName, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
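The query lists the tooling but leaves the "short timeframe" judgement to the analyst. The following is an added example written for this advisory, not part of the KQL above or of any Microsoft tooling: it takes records shaped like the query's output and flags only a host where a PsExec-style execution is followed within a window by robocopy or rclone staging, which is the sequence that separates an operator staging manifests from a scheduled backup job. Host names, timestamps and command lines are constructed; the 30-minute window is an assumed default.

```python
"""Sequence-correlate lateral movement and data staging per host.

Added example for this advisory, not part of the KQL above or of any Microsoft
tooling. It consumes process-creation records shaped like that query's output
and flags a host where a PsExec-style execution is followed, within a window,
by robocopy/rclone staging. Hosts, timestamps and command lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def classify(ev: dict):
    """Return 'lateral', 'staging' or None for one DeviceProcessEvents-style record."""
    name = ev.get("FileName", "").lower()
    cmd = ev.get("ProcessCommandLine", "")
    if name in LATERAL or ev.get("InitiatingProcessFileName", "").lower() == "psexesvc.exe":
        return "lateral"
    if name == "robocopy.exe" and any(t in ("/COPYALL", "/MIR") for t in cmd.upper().split()):
        return "staging"
    if name == "rclone.exe" and any(t in ("copy", "sync", "move") for t in cmd.lower().split()):
        return "staging"   # rclone uses subcommands; 'rclone version' or 'rclone config' is not staging
    return None


def correlate(events, window_minutes: int = 30) -> dict:
    """Map host -> (lateral_ts, staging_ts, staging_cmd) for hosts where staging
    follows the most recent lateral-movement event within window_minutes.
    Host names are folded to the short lowercase form so FS01 and fs01.corp match."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind:
            host = ev["DeviceName"].split(".")[0].lower()
            by_host[host].append((ev["Timestamp"], kind, ev.get("ProcessCommandLine", "")))
    hits = {}
    for host, evs in by_host.items():
        evs.sort()
        last_lateral = None
        for ts, kind, cmd in evs:
            if kind == "lateral":
                last_lateral = ts
            elif last_lateral is not None and ts - last_lateral <= window:
                hits[host] = (last_lateral, ts, cmd)
                break
    return hits


T0 = datetime(2026, 6, 24, 2, 10)   # constructed timestamp
SAMPLE_EVENTS = [
    {"Timestamp": T0, "DeviceName": "fs01.corp.example", "FileName": "PSEXESVC.exe",
     "InitiatingProcessFileName": "services.exe", "ProcessCommandLine": "PSEXESVC.exe"},
    {"Timestamp": T0 + timedelta(minutes=12), "DeviceName": "FS01.corp.example", "FileName": "rclone.exe",
     "InitiatingProcessFileName": "cmd.exe", "ProcessCommandLine": "rclone.exe copy D:\\Shares\\Manifests remote:stage --transfers 16"},
    {"Timestamp": T0 + timedelta(minutes=3), "DeviceName": "app02.corp.example", "FileName": "robocopy.exe",
     "InitiatingProcessFileName": "cmd.exe", "ProcessCommandLine": "robocopy.exe D:\\Backups E:\\Archive /MIR"},  # backup job, no preceding lateral movement
    {"Timestamp": T0 + timedelta(hours=5), "DeviceName": "db01.corp.example", "FileName": "psexec.exe",
     "InitiatingProcessFileName": "cmd.exe", "ProcessCommandLine": "psexec.exe \\\\db01 -s cmd.exe"},
    {"Timestamp": T0 + timedelta(hours=9), "DeviceName": "db01.corp.example", "FileName": "robocopy.exe",
     "InitiatingProcessFileName": "cmd.exe", "ProcessCommandLine": "robocopy.exe D:\\Data \\\\fs01\\tmp /COPYALL"},  # four hours later: outside a 30 min window
]


if __name__ == "__main__":
    for host, (lat, stg, cmd) in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: lateral {lat:%H:%M} -> staging {stg:%H:%M} ({cmd})")
```

With the default window only fs01 is reported; widening it to six hours also surfaces db01, while app02's unattended /MIR job never does because nothing lateral precedes it. The same per-host sequencing can be expressed in KQL with summarize over HostName, but the Python form makes the window and the ordering explicit for tuning.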

PowerShell Rapid Response

PowerShell
# NOVA Ransomware Triage Script
# Checks for recently registered scheduled tasks (common persistence), Volume Shadow Copy state,
# and recent interactive RDP logons. Run as Administrator on the suspect host.

$DateCutoff = (Get-Date).AddDays(-7)

Write-Host "[+] Checking for Scheduled Tasks registered in the last 7 days..." -ForegroundColor Cyan
# MSFT_ScheduledTask.Date is a string (and empty for many built-in tasks), so cast before comparing;
# comparing the raw string against a DateTime is a lexical comparison and matches nothing useful.
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt $DateCutoff } |
    Select-Object TaskName, TaskPath, Date, Author,
        @{n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
    Format-Table -AutoSize

Write-Host "[+] Checking Volume Shadow Copy state..." -ForegroundColor Cyan
# vssadmin does not throw on an empty result; it prints "No items found that satisfy the query."
$vss = vssadmin list shadows 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Host "[!] vssadmin failed (exit $LASTEXITCODE); check the VSS service." -ForegroundColor Red
} elseif ($vss -match 'No items found') {
    Write-Host "[!] WARNING: No shadow copies present. Possible deletion, or VSS was never configured on this host; corroborate with process-creation logs for vssadmin/wmic." -ForegroundColor Red
} else {
    Write-Host "[*] Shadow copies present." -ForegroundColor Green
}

Write-Host "[+] Enumerating recent RDP logons (Security Event ID 4624, Logon Type 10)..." -ForegroundColor Cyan
# 4624 property indices: [5] TargetUserName, [8] LogonType, [18] IpAddress ([19] is the source port, not the IP).
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=$DateCutoff} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated, @{n='Account';e={$_.Properties[5].Value}}, @{n='SourceIP';e={$_.Properties[18].Value}} |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name, @{n='SourceIPs';e={ ($_.Group.SourceIP | Sort-Object -Unique) -join ', ' }}


---

Incident Response Priorities

Detection & Triage Checklist:

  1. VPN Logs (URGENT): Immediately query Check Point and Cisco FMC logs for the period 2026-06-20 to present. Look for successful VPN connections from unexpected geolocations or non-corporate source IPs, and for any IKEv1 negotiations where IKEv1 is supposed to be disabled.
  2. ScreenConnect Audit: If ConnectWise ScreenConnect is in use, audit web and session logs for path traversal attempts matching CVE-2024-1708 and for anonymous or unexpected administrator logins; in the wild CVE-2024-1708 was chained with the SetupWizard authentication bypass, CVE-2024-1709.
  3. Process Anomalies: Hunt for powershell.exe spawning cmd.exe or csc.exe (csc.exe launched by PowerShell usually means Add-Type compiling inline C#, a pattern seen in the custom PowerShell loaders and the .NET deserialization payloads used in this campaign).

Critical Assets for Exfiltration: NOVA historically prioritizes:

  • Logistics: Shipping schedules, customer PII, logistic software databases (e.g., Oracle Transportation, SAP).
  • Public Sector: Emergency services rosters, dispatch records, and citizen databases.

Containment Actions:

  1. Isolate: Immediately disconnect VPN concentrators from the internal network if patching status for CVE-2026-50751 is unverified.
  2. Disable: Temporarily disable remote access tools (ScreenConnect, RDP) for non-essential staff.
  3. Credential Reset: Force reset for all privileged accounts used for firewall/VPN management.

Hardening Recommendations

Immediate (24 Hours):

  • Patch Perimeter: Apply patches for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC) immediately. If patching is not possible, disable IKEv1 and restrict management interfaces to specific source IPs.
  • Block Exploits: Deploy signature-based IPS rules to block path traversal attempts ("../" and its URL-encoded forms such as "..%2f" and "%2e%2e%2f") against the ScreenConnect web interface and any other exposed web application.

Short-term (2 Weeks):

  • Zero Trust Network Access (ZTNA): Move from traditional VPN to ZTNA solutions to prevent lateral movement from compromised endpoints.
  • Segmentation: Ensure OT/IoT and logistics management systems are on isolated VLANs, strictly controlled by firewall rules allowing only necessary application protocols.
