Aliases & Operations: NOVA operates as a Ransomware-as-a-Service (RaaS) entity with a close-knit core development team and a network of affiliates. While not a legacy brand, their recent operational tempo suggests a mature ability to process victims and leak data rapidly.
Modus Operandi: NOVA utilizes a double-extortion model, encrypting systems and threatening to leak sensitive corporate data on their dedicated .onion site. Typical ransom demands range from $500,000 to $5 million, calibrated based on victim revenue.
Initial Access Vectors: Intelligence indicates a heavy reliance on exploiting external-facing remote management and perimeter security appliances rather than traditional phishing. They actively leverage CISA Known Exploited Vulnerabilities (KEV), specifically targeting VPNs (Check Point) and remote access tools (ConnectWise ScreenConnect).
Dwell Time: NOVA affiliates typically maintain a dwell time of 3 to 7 days. This short window suggests they automate discovery and lateral movement or prioritize victims with weak network segmentation to achieve rapid encryption.
Current Campaign Analysis
Sector Targeting: The recent batch of 15 victims (posted between 2026-06-19 and 2026-06-24) reveals a distinct pivot towards Transportation/Logistics (transvill, FTL-Fast Transit Line) and Technology (cloudquantum, Lockers IT). Business Services and Healthcare remain secondary targets.
Geographic Concentration: There is a clear geographic focus on South America (Peru, Argentina) and Southern Europe (Portugal), with outliers in Vietnam, Saudi Arabia, and Denmark. This suggests affiliates may be operating out of or specifically targeting supply chains in Latin American and Iberian markets.
Victim Profile: Based on the victim roster, NOVA is targeting mid-market enterprises ($50M - $500M revenue). These organizations often have critical IT operations (e.g., logistics fleets, cloud infrastructure) but lack dedicated 24/7 SOC monitoring, making them vulnerable to CVE exploits.
Observed Patterns: Posting frequency has accelerated to nearly 2 victims per day. The presence of transvill and transvill.com.pe suggests multiple entities within the same supply chain or holding group may be compromised sequentially.
CVE Correlation:
- CVE-2024-1708 (ConnectWise ScreenConnect): Highly probable initial access vector for Technology and Business Services victims, allowing unauthenticated RCE.
- CVE-2026-50751 (Check Point Security Gateway): Likely vector for Transportation/Logistics sectors where VPN concentrators are critical infrastructure.
Detection Engineering
The following Sigma detection rules are designed to catch NOVA's exploitation of the critical CVEs above and the lateral movement that follows.
---
```yaml
title: Potential ConnectWise ScreenConnect Authentication Bypass
description: Detects potential exploitation of CVE-2024-1708 involving anomalous URI patterns in ScreenConnect logs.
status: experimental
date: 2026/06/24
author: Security Arsenal
logsource:
  category: web
  product: screenconnect
detection:
  selection:
    c-uri|contains:
      - '/Bin/ConnectWiseControl/Handler.ashx?'
      - '/Services/SecurityService.ashx/'
    cs-method: 'POST'
  selection_status:   # successful responses only; both selections must match
    sc-status: 200
  condition: selection and selection_status
falsepositives:
  - Legitimate administrative access
level: critical
tags:
  - cve.2024.1708
  - ransomware.nova
  - initial.access
```
---
```yaml
title: Suspicious PowerShell Base64 Encoded Command
description: Detects Base64 encoded PowerShell commands often used by NOVA affiliates for lateral movement and payload execution.
status: experimental
date: 2026/06/24
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: ' -enc '
  filter_legit:
    ParentImage|contains:
      - '\System32\'
      - '\Program Files\'
  condition: selection and not filter_legit
falsepositives:
  - System administration scripts
level: high
tags:
  - execution
  - defense.evasion
  - ransomware.nova
```
---
```yaml
title: Volume Shadow Copy Deletion via VssAdmin
description: Detects attempts to delete Volume Shadow Copies, a common NOVA precursor to encryption to prevent recovery.
status: experimental
date: 2026/06/24
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  condition: selection
falsepositives:
  - Rare system maintenance tasks
level: critical
tags:
  - impact
  - defense.evasion
  - ransomware.nova
```
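To show how the two Windows process-creation rules behave on real-looking telemetry, here is an added example (not code from the original report or from Security Arsenal) that applies the same match logic to a handful of constructed process-creation events, including the `filter_legit` parent-path exclusion, and decodes the `-enc` payload so an analyst can see what the encoded command actually was. Field names follow the Sigma `process_creation` convention (`Image`, `CommandLine`, `ParentImage`); the events and the encoded commands are made up for the demo. The decoder also accepts the `-ec` and `-encodedcommand` spellings, which is broader than the rule's `' -enc '` match.

```python
"""Added example, not part of the original report: evaluates the two Windows
process-creation rules above against constructed events and decodes the
-enc payload for triage."""
import base64
import re


def _enc(cmd: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE string.
    Used only to build realistic sample command lines."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry).
EVENTS = [
    {   # 0: encoded PowerShell spawned from a user temp dir -> should alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc " + _enc("Get-Process"),
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
    },
    {   # 1: same pattern, but parent lives under System32 -> filter_legit drops it
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -enc " + _enc("Get-Service"),
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # 2: shadow copy deletion -> should alert regardless of parent
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "CommandLine": "vssadmin delete shadows /all /quiet",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 3: ordinary process -> no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def _lc(event: dict, field: str) -> str:
    """Sigma string modifiers match case-insensitively by default."""
    return str(event.get(field, "")).lower()


def matches_encoded_powershell(event: dict) -> bool:
    """selection (Image endswith \\powershell.exe, CommandLine contains ' -enc ')
    and not filter_legit (ParentImage under \\System32\\ or \\Program Files\\)."""
    selection = (_lc(event, "Image").endswith("\\powershell.exe")
                 and " -enc " in _lc(event, "CommandLine"))
    filter_legit = any(p in _lc(event, "ParentImage")
                       for p in ("\\system32\\", "\\program files\\"))
    return selection and not filter_legit


def matches_vssadmin_delete(event: dict) -> bool:
    """selection: Image endswith \\vssadmin.exe and CommandLine contains 'delete shadows'."""
    return (_lc(event, "Image").endswith("\\vssadmin.exe")
            and "delete shadows" in _lc(event, "CommandLine"))


RULES = [
    ("Suspicious PowerShell Base64 Encoded Command", matches_encoded_powershell),
    ("Volume Shadow Copy Deletion via VssAdmin", matches_vssadmin_delete),
]

# Broader than the rule: also catches -ec / -encodedcommand for triage purposes.
_ENC_RE = re.compile(r"(?i)\s-(?:enc|encodedcommand|ec)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(command_line: str):
    """Return the decoded (UTF-16LE) -enc payload, or None if absent/undecodable."""
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(events: list) -> list:
    """Run every rule over every event; returns (event_index, rule_title, decoded_payload)."""
    hits = []
    for i, event in enumerate(events):
        for title, rule in RULES:
            if rule(event):
                hits.append((i, title, decode_encoded_command(event["CommandLine"])))
    return hits


if __name__ == "__main__":
    for i, title, payload in evaluate(EVENTS):
        print(f"event {i}: {title}" + (f" (decoded: {payload})" if payload else ""))
```

Event 1 is the important negative case: the rule's `filter_legit` exclusion means a System32 parent silences the alert, so an analyst tuning this rule should be aware that anything launched via `svchost.exe` or a service host under System32 will not fire it.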
**Hunt Query (KQL for Microsoft Sentinel):**
This query identifies large-scale file staging and data exfiltration activity typical of NOVA's double-extortion playbook.
```kql
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z"
| where FolderPath contains "ProgramData" or FolderPath contains "Temp"
| where FileSize > 10000000 // files larger than ~10 MB
| extend AccountName = InitiatingProcessAccountName
| summarize FileCount = count(), TotalSizeMB = sum(FileSize / 1024 / 1024) by DeviceName, AccountName, FolderPath
| where FileCount > 5
```
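The same hunt can be run offline over an export of `DeviceFileEvents` rows (for example a CSV pulled from Sentinel) when the query cannot be run live. The following is an added example, not code from the original report, that re-implements the query's logic in Python with the same thresholds: archive extensions, `ProgramData`/`Temp` paths, files over 10,000,000 bytes, and more than five such files per device/account/folder. The rows are constructed for the demo and the column names mirror the KQL schema.

```python
"""Added example, not part of the original report: offline re-implementation of
the staging hunt above over constructed DeviceFileEvents rows."""
from collections import defaultdict

ARCHIVE_EXTS = (".zip", ".rar", ".7z")
STAGING_MARKERS = ("programdata", "temp")   # compared case-insensitively, like KQL contains
MIN_FILE_SIZE = 10_000_000                   # bytes, as in the KQL
MIN_FILE_COUNT = 5                           # ... | where FileCount > 5


def _row(device, account, folder, name, size, action="FileCreated"):
    return {"DeviceName": device, "InitiatingProcessAccountName": account,
            "FolderPath": folder, "FileName": name, "FileSize": size,
            "ActionType": action}


MB = 1024 * 1024
# Constructed rows: six 50 MB archives in one ProgramData folder on HOST-A
# (should be flagged), plus a small archive, a non-archive, a deletion event
# and two archives on HOST-B that stay under the count threshold.
ROWS = [_row("HOST-A", "svc_backup", r"C:\ProgramData\staging", f"part{i}.7z", 50 * MB)
        for i in range(6)]
ROWS += [
    _row("HOST-A", "svc_backup", r"C:\ProgramData\staging", "small.zip", 2 * MB),
    _row("HOST-A", "svc_backup", r"C:\ProgramData\staging", "notes.docx", 60 * MB),
    _row("HOST-A", "svc_backup", r"C:\ProgramData\staging", "part7.7z", 50 * MB,
         action="FileDeleted"),
    _row("HOST-B", "alice", r"C:\Users\alice\AppData\Local\Temp", "backup.rar", 120 * MB),
    _row("HOST-B", "alice", r"C:\Users\alice\AppData\Local\Temp", "backup2.rar", 120 * MB),
]


def find_staging(rows, min_size=MIN_FILE_SIZE, min_count=MIN_FILE_COUNT):
    """Group qualifying archive creations by device/account/folder and return
    the groups whose FileCount exceeds min_count, sorted for stable output."""
    groups = defaultdict(lambda: {"FileCount": 0, "TotalSizeMB": 0.0})
    for r in rows:
        if r["ActionType"] != "FileCreated":
            continue
        if not r["FileName"].lower().endswith(ARCHIVE_EXTS):
            continue
        folder = r["FolderPath"].lower()
        if not any(marker in folder for marker in STAGING_MARKERS):
            continue
        if r["FileSize"] <= min_size:
            continue
        key = (r["DeviceName"], r["InitiatingProcessAccountName"], r["FolderPath"])
        groups[key]["FileCount"] += 1
        groups[key]["TotalSizeMB"] += r["FileSize"] / 1024 / 1024
    return sorted(
        ({"DeviceName": d, "AccountName": a, "FolderPath": f, **v}
         for (d, a, f), v in groups.items() if v["FileCount"] > min_count),
        key=lambda g: (g["DeviceName"], g["AccountName"], g["FolderPath"]),
    )


if __name__ == "__main__":
    for g in find_staging(ROWS):
        print(f"{g['DeviceName']} {g['AccountName']} {g['FolderPath']}: "
              f"{g['FileCount']} archives, {g['TotalSizeMB']:.0f} MB")
```

Lowering `min_count` is the quickest way to check whether the hunt is too strict for a given environment; HOST-B in the sample only surfaces once the threshold drops below two archives.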
**Rapid Response Hardening Script (PowerShell):**
Run this script from an elevated shell on critical endpoints to identify persistence mechanisms often used by NOVA and to confirm that Volume Shadow Copies are still present.
```powershell
# Check for scheduled tasks registered in the last 7 days.
# Get-ScheduledTask exposes the registration time as a string in the Date
# property (empty for many built-in tasks), so cast it before comparing;
# a raw string-vs-DateTime comparison would be lexical and unreliable.
$Date = (Get-Date).AddDays(-7)
$SuspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.Date -and ([datetime]$_.Date) -gt $Date
}
if ($SuspiciousTasks) {
    Write-Host "[ALERT] New Scheduled Tasks Detected:" -ForegroundColor Red
    $SuspiciousTasks | Select-Object TaskName, TaskPath, Date, Author, Actions | Format-List
} else {
    Write-Host "[OK] No new suspicious scheduled tasks found." -ForegroundColor Green
}

# Check for disabled or deleted Shadow Copies.
# vssadmin needs an elevated shell. With no shadow copies it still prints
# "No items found that satisfy the query.", so test the output text for a
# "Shadow Copy ID" entry rather than checking whether any output exists.
try {
    $VssOutput = (vssadmin list shadows 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0) { throw "vssadmin exited with code $LASTEXITCODE" }
    if ($VssOutput -match 'Shadow Copy ID') {
        Write-Host "[OK] Volume Shadow Copies exist." -ForegroundColor Green
    } else {
        Write-Host "[CRITICAL] No Volume Shadow Copies found. Possible deletion or tampering." -ForegroundColor Red
    }
} catch {
    Write-Host "[ERROR] Could not query VSS: $_" -ForegroundColor Yellow
}
```
---
Incident Response Priorities
T-minus Detection Checklist:
- VPN Gateway Logs: Immediate review of Check Point Security Gateway logs for IKEv1 anomalies and failed authentication spikes (Indicative of CVE-2026-50751).
- Remote Access Audit: Audit ConnectWise ScreenConnect instances for unauthorized sessions or logon failures on port 80/443.
- Lateral Movement: Hunt for PsExec or WMI execution logs originating from non-admin accounts.
Critical Assets at Risk: NOVA prioritizes exfiltration of Customer PII (Logistics/Consumer Services) and Intellectual Property (Technology/Manufacturing). Backup repositories (NAS, Veeam servers) are primary encryption targets.
Containment Actions (Urgency Order):
- Isolate: Disconnect VPN concentrators and remote access gateways from the internal network immediately if exploitation is suspected.
- Disable: Force-disable all local administrator accounts on endpoints to slow lateral movement.
- Suspend: Suspend all scheduled tasks and non-critical backup jobs to prevent malicious scripts from executing.
Hardening Recommendations
Immediate (24 Hours):
- Patch CVE-2024-1708: Apply the ConnectWise ScreenConnect patch immediately or enforce MFA on all instances.
- Patch CVE-2026-50751: Update Check Point Security Gateways to the latest firmware. Disable IKEv1 if not strictly required.
- Access Control: Enforce strict IP allow-listing on all VPN and remote desktop (RDP) interfaces.
Short-term (2 Weeks):
- Network Segmentation: Implement Zero Trust segmentation to isolate critical servers (Backup, Database, Domain Controllers) from general user networks.
- EDR Deployment: Ensure EDR sensors are active on all VPN infrastructure and jump servers, not just workstations.
- Phishing Resiliency: While secondary to CVE exploitation, conduct targeted phishing simulations regarding fake software updates, as NOVA uses this as a secondary vector.