
NOVA Ransomware: Surge in Australian Public Sector Attacks — Check Point & ScreenConnect Exploitation

Security Arsenal Team
June 26, 2026

Aliases & Operations: NOVA is a relatively aggressive Ransomware-as-a-Service (RaaS) operation that has rapidly scaled its victim count. Unlike closed-group actors, NOVA utilizes a network of affiliates to conduct initial access and operations, allowing for diverse targeting across geographies and sectors.

TTPs & Extortion Model:

  • Ransom Demands: Typically range from $500k to $5M, depending on victim revenue.
  • Initial Access: Heavily reliant on exploiting edge vulnerabilities and external remote services (RMM tools). Recent intelligence confirms active exploitation of VPNs and remote management interfaces.
  • Double Extortion: Strict adherence to double extortion. NOVA exfiltrates sensitive data (employee PII, executive correspondence, client databases) prior to encryption and threatens leak site publication if negotiations fail.
  • Dwell Time: Short. NOVA affiliates often move laterally and detonate payloads within 3–7 days of gaining initial access to minimize detection chances.

Current Campaign Analysis

Sector Targeting: The latest data indicates a distinct pivot towards Public Sector and Transportation/Logistics. The breach of the NSW Rural Fire Service and NSW Government suggests a focus on critical infrastructure and emergency services in the APAC region. Simultaneously, logistics entities like vslmarine (GB) and transvill (PE) indicate a global campaign targeting supply chain continuity.

Geographic Concentration:

  • Primary Target: Australia (AU) – High concentration of hits.
  • Secondary Targets: United Kingdom (GB), Peru (PE), Portugal (PT), and Vietnam (VN).

CVE Correlation & Vectors: The observed victimology aligns closely with the exploitation of specific CISA Known Exploited Vulnerabilities (KEVs):

  1. CVE-2024-1708 (ConnectWise ScreenConnect): The targeting of Technology and Business Services (e.g., Lockers IT, lpgroup) strongly suggests the use of this path traversal vulnerability to gain remote code execution on managed service providers (MSPs) or internal IT admin consoles.
  2. CVE-2026-50751 (Check Point Security Gateway): The breach of government and large logistics entities implies the exploitation of VPN perimeter weaknesses. This vulnerability allows unauthenticated attackers to bypass IKEv1 authentication.
  3. CVE-2026-20131 (Cisco Secure Firewall FMC): Alternative perimeter access vector likely used for large-scale network intrusions where Cisco appliances are prevalent.

Observed Posting Frequency: NOVA is maintaining a high operational tempo, averaging a new victim posting every 24–48 hours. The escalation from initial compromise to leak site publication is rapid, often occurring within 10 days if no ransom is paid.

Detection Engineering

**SIGMA Rules**

```yaml
---
title: Potential ScreenConnect Authentication Bypass (CVE-2024-1708)
id: 4a8b0c9d-1e2f-3a45-6b78-9c0d1e2f3a4b
description: Detects path traversal attempts associated with ScreenConnect authentication bypass vulnerabilities.
status: experimental
date: 2026/06/26
author: Security Arsenal Research
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        # raw and URL-encoded "..\" traversal, plus compiled App_Web assembly names in the URI
        c-uri|contains:
            - '..\\'
            - '%2e%2e%5c'
            - 'App_Web'
    filter:
        # static assets; note that a traversal ending in one of these extensions is suppressed too
        c-uri|contains:
            - '.css'
            - '.js'
            - '.png'
    condition: selection and not filter
falsepositives:
    - Legitimate scanning (rare)
level: high
tags:
    - attack.initial_access
    - cve.2024.1708
    - ransomware.nova
---
title: Check Point VPN IKEv1 Anomaly (CVE-2026-50751)
id: 5b9c1d0e-2f3g-4b56-7c89-0d1e2f3g4b5c
description: Detects suspicious IKEv1 negotiation patterns or potential exploitation attempts on Check Point Security Gateways.
status: experimental
date: 2026/06/26
author: Security Arsenal Research
logsource:
    category: firewall
detection:
    # matches every IKEv1 negotiation; map protocol/version to your gateway's field names before deploying
    selection:
        protocol: 'IKE'
        version: 'v1'
    condition: selection
falsepositives:
    - Legacy VPN configurations
level: medium
tags:
    - attack.initial_access
    - cve.2026.50751
    - ransomware.nova
---
title: Ransomware Preparation - Vssadmin Shadow Copy Deletion
id: 6c0d2e1f-3g4h-5c67-8d90-1e2f3g4h5c6d
description: Detects the use of vssadmin to delete shadow copies, a common precursor to encryption.
status: experimental
date: 2026/06/26
author: Security Arsenal Research
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    condition: selection
falsepositives:
    - System administration (rare)
level: critical
tags:
    - attack.impact
    - attack.t1490
    - ransomware.nova
```
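As an added worked example (not code from the original post or the Security Arsenal team), the following Python applies the logic of the first rule to constructed IIS W3C log lines, percent-decoding the URI first so that encoded and double-encoded forms of the `..\` marker are caught, and tightening the static-asset filter from `contains` to the path's actual extension. The log lines, client addresses and paths are constructed samples.

```python
from urllib.parse import unquote

TRAVERSAL_MARKERS = ("..\\", "../")          # raw traversal, either slash
STATIC_SUFFIXES = (".css", ".js", ".png")    # the rule's static-asset filter

# Constructed IIS W3C lines (not real telemetry):
# date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
2026-06-24 09:12:01 10.0.0.5 GET /App_Web_report.aspx - 203.0.113.7 200
2026-06-24 09:12:03 10.0.0.5 GET /Admin/..%5cApp_Web_demo.ashx - 203.0.113.7 200
2026-06-24 09:12:04 10.0.0.5 GET /Script.ashx%252e%252e%255c%252e%252e%255cbin - 203.0.113.7 404
2026-06-24 09:12:06 10.0.0.5 GET /Content/..%2f..%2fstyle.css - 198.51.100.9 200
2026-06-24 09:12:09 10.0.0.5 GET /Login.aspx returnUrl=%2fHome 192.0.2.10 200
2026-06-24 09:13:00 10.0.0.5 POST /Services/PageService.ashx - 192.0.2.10 200
"""

def decode_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded traversal normalises too."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def matches_traversal_rule(uri: str) -> bool:
    """'selection and not filter' from the rule, evaluated on the decoded URI.
    The filter is tightened from 'contains .css' to the path's real extension."""
    decoded = decode_uri(uri)
    selected = any(m in decoded for m in TRAVERSAL_MARKERS) or "App_Web" in decoded
    static = decoded.split("?", 1)[0].lower().endswith(STATIC_SUFFIXES)
    return selected and not static

def parse_w3c_line(line: str) -> tuple:
    """Return (client_ip, full_uri) from a W3C line; a non-empty query is re-attached."""
    f = line.split()
    if len(f) < 8:
        raise ValueError(f"malformed W3C line: {line!r}")
    return f[6], (f[4] if f[5] == "-" else f"{f[4]}?{f[5]}")

def scan_log(text: str) -> list:
    """Return (client_ip, decoded_uri) for every line the rule would alert on."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip blanks and W3C directives
            continue
        client, uri = parse_w3c_line(line)
        if matches_traversal_rule(uri):
            hits.append((client, decode_uri(uri)))
    return hits
```

Run against the sample, three of the six lines alert (the plain `App_Web` request, the single-encoded traversal and the double-encoded one), while the traversal aimed at `style.css` is suppressed by the filter exactly as the rule's `not filter` clause would suppress it.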


**KQL (Microsoft Sentinel)**
Hunt for lateral movement and staging indicative of NOVA operations.

```kql
// Suspicious child processes spawned by the ScreenConnect client, or by a parent whose
// command line references the Check Point VPN client, within the last 7 days.
// Note: sc.exe is also the Windows service-control utility, so that clause will be noisy.
let SuspiciousProcesses = dynamic(["powershell.exe", "cmd.exe", "wmic.exe", "psexec.exe", "psexec64.exe"]);
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName in~ ("ScreenConnect.ClientService.exe", "sc.exe")
    or InitiatingProcessCommandLine has_any ("Check Point", "VPN")
| where FileName in~ (SuspiciousProcesses)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| extend FullContext = strcat("Potential Lateral Movement via ", InitiatingProcessFileName)
```


**PowerShell — Rapid Response Script**
Enumerate recent scheduled tasks and check for exposed RDP/VPN status.

```powershell
<#
.SYNOPSIS
    NOVA Ransomware Rapid Response Check
.DESCRIPTION
    Checks for recently created scheduled tasks (common persistence),
    enumerates RDP sessions and pulls recent VSS events.
#>

Write-Host "[!] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan
# MSFT_ScheduledTask.Date is a string (and often empty), so guard and cast before comparing
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddDays(-7) } |
    Select-Object TaskName, Date, Author,
        @{ Name = 'Actions'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

Write-Host "[!] Checking for Active RDP Sessions..." -ForegroundColor Cyan
query user

Write-Host "[!] Checking for Shadow Copy Manipulation Events (Event ID 822)..." -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=822; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Incident Response Priorities

  1. T-minus Detection Checklist:

    • VPN Logs: Review Check Point and Cisco FMC logs for authentication anomalies around 2026-06-20 to 2026-06-26.
    • ScreenConnect Audit: Immediately audit ScreenConnect/Web Connect logs for path traversal strings (..\ or encoded variants).
    • Exchange Server: Monitor for deserialization attacks (CVE-2023-21529) if Public Sector mail servers are on-premise.
  2. Critical Asset Prioritization:

    • NOVA historically targets Active Directory databases and Backup repositories for destruction.
    • Exfiltration Focus: Employee HR records (Public Sector) and Bill of Lading/Logistics manifests (Transportation).
  3. Containment Actions:

    • Immediate: Isolate identified victim subnets. Revoke credentials for accounts logged into VPNs during the suspected breach window.
    • Urgent: Disable internet-facing RDP and RMM tools temporarily if patch status for CVE-2024-1708 is unknown.

Hardening Recommendations

Immediate (24h):

  • Patch CVE-2024-1708: Apply the ConnectWise ScreenConnect patch immediately. This is the primary vector for the recent Lockers IT and lpgroup compromises.
  • Disable IKEv1: On Check Point Security Gateways, disable IKEv1 and enforce IKEv2 with strong integrity checks to mitigate CVE-2026-50751.
  • MFA Enforcement: Ensure all VPN and remote access points have phishing-resistant MFA enforced immediately.

Short-term (2 weeks):

  • Network Segmentation: Segment the OT/Logistics networks from the IT administrative network to prevent lateral movement from RMM tools.
  • Secure External Mail: Move Public Sector email services to a secure cloud provider or apply latest Exchange security updates to address CVE-2023-21529.
