Threat Actor Profile — NOVA
Classification: RaaS (Ransomware-as-a-Service) / Aggressive Affiliate Model
Overview: NOVA is a rapidly evolving ransomware operation that has transitioned from opportunistic attacks to targeted, sector-focused campaigns. Operating on a RaaS model, they provide a sophisticated encryptor to affiliates who specialize in initial access via edge device exploitation. The group is distinct for its aggressive double extortion strategy, leaking data within 48 hours if negotiations stall.
TTPs & Modus Operandi:
- Initial Access: Current intelligence confirms a heavy reliance on exploiting perimeter security appliances rather than pure phishing. Active exploitation of CVE-2026-50751 (Check Point Security Gateway) and CVE-2026-20131 (Cisco Secure Firewall FMC) has been observed. They also leverage legacy remote access flaws like CVE-2024-1708 (ConnectWise ScreenConnect) for persistence.
- Lateral Movement: Common tools include Cobalt Strike beacons, PowerShell remoting, and RDP brute-forcing once inside the perimeter.
- Ransom Demands: Typically range from $500k to $3M, calibrated based on victim revenue.
- Dwell Time: Short and aggressive. Average time from initial compromise to encryption is 3–4 days.
Current Campaign Analysis
Sector Targeting: The victim dataset from June 19–24, 2026, indicates a strategic pivot toward critical operational sectors:
- Transportation & Logistics (33%): High concentration of victims like transvill.com.pe and FTL-Fast Transit Line suggests supply chain disruption is a primary goal.
- Technology (20%): Targets include cloudquantum and Lockers IT, likely chosen as entry points to pivot into larger corporate networks.
- Healthcare (7%): The targeting of MIT HJERTE (Denmark) highlights a willingness to target sensitive, life-critical data.
Geographic Concentration: The campaign is globally distributed but shows a specific clustering in Latin America (Peru, Argentina) and Western Europe (Portugal, Denmark). This may indicate affiliate operational bases or a focus on specific regional supply chains.
Observed Posting Frequency: NOVA is maintaining a high velocity of posts, averaging 2–3 victims per day. This "high churn" rate suggests automated leak site management and a large volume of simultaneous intrusions.
CVE Connection: The surge in victims correlates directly with the weaponization of CVE-2026-50751 (Check Point). Victims in the Logistics and Technology sectors frequently run Check Point Security Gateways exposed to the IKEv1 authentication bypass, and that bypass is the initial foothold from which NOVA affiliates move past perimeter defenses.
Detection Engineering
Sigma Rules
title: Potential Check Point IKEv1 Exploitation Attempt (CVE-2026-50751)
id: 8a7b9c1d-2e3f-4a5b-6c7d-8e9f0a1b2c3d
description: Detects accepted IKEv1 negotiations on a Check Point gateway that originate from RFC 1918 source ranges, a pattern associated with CVE-2026-50751 exploitation by NOVA affiliates. Tune the source ranges to the gateway's expected peers before deploying.
status: experimental
date: 2026/06/24
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: firewall
    service: check_point
detection:
    selection_ike:
        service: 'vpn'
        protocol: 'ike'
        version: 'v1'
    selection_suspicious:
        action: 'accept'
        # cidr modifier: a plain '172.16.' prefix would only cover 172.16.0.0/16, not the whole /12
        src_ip|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: all of selection*
falsepositives:
    - Legitimate internal VPN configuration testing
level: high
---
title: ConnectWise ScreenConnect Authentication Anomaly (CVE-2024-1708)
id: 9b8c1d2e-3f4a-5b6c-7d8e-9f0a1b2c3d4e
description: Detects path traversal sequences or DataService.ashx access against the ConnectWise ScreenConnect web panel that the server answered with HTTP 200, i.e. requests that reached the application instead of being rejected.
status: experimental
date: 2026/06/24
author: Security Arsenal Research
logsource:
    category: webserver
detection:
    selection_uri:
        cs-uri-query|contains:
            - '...//'
            - '..%2f'
            - 'DataService.ashx'
    selection_status:
        sc-status: 200
    condition: all of selection*
falsepositives:
    - Vulnerability scanning
level: critical
---
title: NOVA Affiliate Data Staging via Rclone
description: Detects execution of Rclone, a tool commonly used by NOVA affiliates for rapid data exfiltration prior to encryption.
status: experimental
date: 2026/06/24
author: Security Arsenal Research
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\rclone.exe'
        CommandLine|contains:
            - 'sync'
            - 'copy'
            - 'config'
    condition: selection
falsepositives:
    - Legitimate admin backups using Rclone
level: high
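The ScreenConnect rule above matches literal substrings, so an attacker who double-encodes the traversal (..%252F) or mixes case slips past it even though the request still reaches the application. The following Python is an added example, not part of the Security Arsenal rule set: it applies the same condition (URI indicator AND sc-status 200) to constructed IIS W3C-style log lines, but percent-decodes and lower-cases the URI first, and reports which hits the literal rule would also have caught. The log lines, field layout and the two-round decode are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (date time cs-method cs-uri-stem cs-uri-query sc-status).
# Illustrative only, not captured from a real ScreenConnect host.
SAMPLE_LOG = """\
2026-06-24 09:12:01 GET /Login - 200
2026-06-24 09:12:09 GET /Services/DataService.ashx - 200
2026-06-24 09:13:44 GET /App_Extensions/..%2f..%2fweb.config - 200
2026-06-24 09:13:50 GET /App_Extensions/..%252F..%252Fweb.config - 200
2026-06-24 09:14:02 GET /App_Extensions/...//bin/x.dll - 404
2026-06-24 09:15:00 GET /Images/logo.png - 200
"""

# The literal substrings from the Sigma rule (Sigma 'contains' is case-insensitive).
LITERAL_PATTERNS = ("...//", "..%2f", "dataservice.ashx")

# After decoding, any '../' or '..\' segment (or three-plus dots before a slash) is traversal.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|\.{3,}/)")


def literal_match(uri):
    """Straight port of the Sigma rule: substring match on the raw URI."""
    u = uri.lower()
    return any(p in u for p in LITERAL_PATTERNS)


def normalise(uri):
    """Percent-decode up to twice (catches %252F double encoding) and lower-case."""
    for _ in range(2):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()


def classify(stem, query, status):
    """Return 'dataservice', 'traversal' or None for one request, mirroring the
    rule's condition: URI indicator AND sc-status 200."""
    if status != 200:
        return None
    target = normalise(stem if query in ("", "-") else f"{stem}?{query}")
    if "dataservice.ashx" in target:
        return "dataservice"
    if TRAVERSAL.search(target):
        return "traversal"
    return None


def scan(log_text):
    """Return (time, stem, reason, caught_by_literal_rule) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        _date, time, _method, stem, query, status = parts[:6]
        reason = classify(stem, query, int(status))
        if reason:
            hits.append((time, stem, reason, literal_match(stem)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Running it flags three requests; the double-encoded one is the line the literal rule misses. Decoding twice is deliberate: one round turns %252F into %2F, the second into the slash the application will actually act on.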
KQL (Microsoft Sentinel)
// Hunt for lateral movement and credential dumping indicative of NOVA pre-encryption activity
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("encodedcommand", "enc", "-w hidden"))
    or (FileName =~ "cmd.exe" and ProcessCommandLine has "whoami")
    or (FileName =~ "reg.exe" and ProcessCommandLine has "save")   // reg save of SAM/SYSTEM hives = offline credential dumping
// Timestamp is dropped by summarize, so keep the latest occurrence explicitly
| summarize Count = count(), LastSeen = max(Timestamp) by DeviceName, FileName, ProcessCommandLine, AccountName
| where Count > 3
| project DeviceName, FileName, ProcessCommandLine, AccountName, Count, LastSeen
PowerShell Hardening Script
# Rapid Response: Enumerate NOVA Persistence Mechanisms
# Author: Security Arsenal
# Run from an elevated prompt: the Security log and full task details need administrator rights.

Write-Host "[+] Checking for recent suspicious Scheduled Tasks (Last 7 Days)..." -ForegroundColor Cyan
$Cutoff = (Get-Date).AddDays(-7)
# Date is a string on ScheduledTask objects and may be empty; cast it before comparing.
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt $Cutoff } |
    Select-Object TaskName, TaskPath, Author, Date,
        @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-List

Write-Host "[+] Checking for ScreenConnect/WebConsole Processes (CVE-2024-1708)..." -ForegroundColor Cyan
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -match "(ScreenConnect|ConnectWise|Guest)" } |
    Select-Object ProcessName, Id, Path, StartTime

Write-Host "[+] Checking for Volume Shadow Copy Deletion (Last 24h)..." -ForegroundColor Cyan
# 4688 (process creation) is the event that carries the command line; 4656 (handle requested)
# would only fire with a SACL on the binary. 4688 includes the command line only when
# "Include command line in process creation events" auditing is enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4688; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "vssadmin.*delete\s+shadows" -or $_.Message -match "shadowcopy\s+delete" } |
    Select-Object TimeCreated, Id, Message
Incident Response Priorities
T-Minus Detection Checklist:
- Perimeter Audit: Immediately review logs for Check Point (CVE-2026-50751) and Cisco FMC (CVE-2026-20131) exploitation indicators (unexpected VPN tunnels, admin logins).
- RMM Hygiene: Audit ConnectWise ScreenConnect logs for Guest access or path traversal attempts (DataService.ashx).
- Data Exfil: Monitor network traffic for high-volume egress to non-standard ports or IPs, and look for rclone process execution on endpoints.
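"High-volume egress" only means something against a baseline, and a bulk upload to a non-standard port is the signature the Data Exfil item is describing. The Python below is an added example, not Security Arsenal code: it aggregates constructed flow records per internal host, ignores internal-to-internal traffic (an SMB copy between file servers is not egress), and flags hosts that either exceed a multiple of the fleet median or push a large volume to ports other than 80/443. The flow tuple layout, the RFC 1918 definition of "internal" and both thresholds are assumptions; in production the baseline should be each host's own history rather than a single-window median.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumption: anything in RFC 1918 space is "internal"; everything else is egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STANDARD_PORTS = {80, 443}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out). Not real traffic.
FLOWS = [
    ("10.1.1.10", "203.0.113.5", 443, 1_200_000),
    ("10.1.1.10", "203.0.113.5", 443, 900_000),
    ("10.1.1.11", "203.0.113.9", 443, 1_500_000),
    ("10.1.1.12", "198.51.100.7", 443, 800_000),
    ("10.1.1.13", "198.51.100.7", 80, 600_000),
    ("10.1.1.20", "203.0.113.77", 8443, 45_000_000),  # rclone-style bulk upload
    ("10.1.1.20", "203.0.113.77", 8443, 30_000_000),
    ("10.1.1.14", "10.2.2.2", 445, 90_000_000),       # internal SMB copy: large, but not egress
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_host(flows):
    """Return (total egress bytes per host, egress bytes to non-standard ports per host)."""
    totals = defaultdict(int)
    nonstd = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue  # inbound or internal-only traffic is not egress
        totals[src] += nbytes
        if port not in STANDARD_PORTS:
            nonstd[src] += nbytes
    return totals, nonstd


def flag_hosts(flows, ratio=5.0, nonstd_bytes=10_000_000):
    """Hosts whose egress exceeds ratio x fleet median, or whose non-standard-port
    egress exceeds nonstd_bytes. Thresholds are illustrative assumptions."""
    totals, nonstd = egress_by_host(flows)
    baseline = median(totals.values()) if totals else 0
    flagged = {}
    for host, total in totals.items():
        reasons = []
        if baseline and total > ratio * baseline:
            reasons.append(f"egress {total / baseline:.1f}x fleet median")
        if nonstd[host] >= nonstd_bytes:
            reasons.append(f"{nonstd[host]} bytes to non-standard ports")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in flag_hosts(FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

With the constructed flows only 10.1.1.20 is reported, on both counts, while the 90 MB internal SMB transfer on 10.1.1.14 is correctly ignored. Cross-check any hit against the rclone process-creation rule above: the same host appearing in both is a much stronger signal than either alone.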
Critical Assets at Risk:
- Logistics: Supply chain manifests, customer PII, and customs data are high-value targets for extortion.
- Healthcare: PHI and imaging archives are prioritized for exfiltration.
Containment Actions:
- Isolate Edge Devices: If patching status is unknown, disconnect Check Point and Cisco FMC management interfaces from the internet immediately.
- Terminate Sessions: Kill all active ScreenConnect/RDP sessions not authorized by IT Security.
- Credential Reset: Force reset for all local admin accounts on edge devices and domain admin accounts used for firewall management.
Hardening Recommendations
Immediate (24h):
- Patch CVEs: Apply patches for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC) immediately. These are confirmed active vectors.
- Restrict RMM Access: Enforce IP allow-listing for all remote management tools (ScreenConnect, RDP) and disable public internet exposure where possible.
Short-term (2 weeks):
- Network Segmentation: Implement strict Zero Trust segmentation between logistics/OT networks and the corporate IT domain to impede lateral movement.
- MFA Implementation: Enforce FIDO2 or hardware token MFA for all VPN and firewall management access.