Overview: NOVA is an emerging Ransomware-as-a-Service (RaaS) operation that has rapidly escalated its activity in mid-2026. The group operates with a high degree of aggression, utilizing recently disclosed vulnerabilities in perimeter security appliances to gain initial access. Unlike traditional groups relying solely on phishing, NOVA demonstrates advanced capability in exploiting edge devices like VPNs and Firewall Management Centers.
Modus Operandi:
- Affiliation Model: RaaS (Ransomware-as-a-Service). They appear to recruit affiliates skilled in perimeter exploitation.
- Ransom Demands: Estimated range of $500k - $5M USD, varying strictly based on victim revenue.
- Initial Access: Heavily focused on exploitation of internet-facing security appliances (Check Point, Cisco FMC) and remote management tools (ScreenConnect).
- Double Extortion: Strictly adheres to the double-extortion model. Data is exfiltrated to dedicated leak servers prior to encryption execution.
- Dwell Time: Short. Intelligence suggests a dwell time of 3–7 days from initial exploit to encryption, indicating an automated or "hands-on-keyboard" acceleration after beachhead establishment.
Current Campaign Analysis
Sector Targeting: The latest victim count (15 postings) indicates a distinct pivot toward Transportation/Logistics and Technology. Critical infrastructure victims like FTL-Fast Transit Line and Transvill suggest the group is targeting supply chain entities to maximize disruption pressure.
Geographic Concentration: There is a heavy concentration in Latin America (Peru, Argentina, Portugal) with secondary activity in Southeast Asia (Vietnam) and Europe (Denmark). The targeting of transvill.com.pe and alejandria.biz suggests a focused campaign or a specific affiliate operating in this region.
Victim Profile: Victims range from mid-market business services to critical logistics providers. The inclusion of MIT HJERTE (Healthcare, Denmark) demonstrates a lack of ethical boundaries, targeting healthcare providers despite typical "taboo" rules in the cybercrime ecosystem.
CVE Correlation: NOVA's recent surge correlates directly with the weaponization of CVE-2026-50751 (Check Point Security Gateway). Added to the CISA KEV on 2026-06-08, the exploitation of this vulnerability likely facilitated the compromise of the Technology and Logistics victims, which typically deploy robust Check Point perimeter defenses. The use of CVE-2024-1708 (ConnectWise ScreenConnect) indicates lateral movement via compromised IT management tools.
Detection Engineering
The following detection rules are tailored to NOVA's utilization of CVE-2026-50751 and their subsequent lateral movement patterns.
---
title: Potential Check Point IKEv1 Exploitation (CVE-2026-50751)
id: 52b91c7c-8a4d-4f5c-9e1a-2c3d4e5f6a7b
description: Detects potential exploitation of CVE-2026-50751 involving IKEv1 key exchange authentication failures or anomalies.
author: Security Arsenal Research
date: 2026/06/25
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
product: firewall
service: checkpoint
detection:
selection:
service|contains: 'ike'
action: 'accept' or 'drop'
details|contains:
'ike failure'
'auth failure'
'payload malformed'
condition: selection
falsepositives:
- Misconfigured VPN clients
- Legacy VPN interoperability issues
level: high
tags:
- attack.initial_access
- cve.2026.50751
- nova
---
title: Suspicious ScreenConnect Path Traversal Activity
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects potential path traversal exploitation attempts on ConnectWise ScreenConnect (CVE-2024-1708).
author: Security Arsenal Research
date: 2026/06/25
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
product: web server
service: iis or apache
detection:
selection_uri:
cs-uri-query|contains:
- '..%2f'
- '..\'
- '%255c'
selection_screenconnect:
cs-uri-query|contains:
- 'ScreenConnect'
- 'Guest.ashx'
- 'Host.ashx'
condition: all of selection_*
falsepositives:
- Scanning activity
level: critical
tags:
- attack.initial_access
- attack.execution
- cve.2024.1708
- nova
---
title: NOVA Ransomware Pre-Encryption Staging Behavior
id: 9f8e7d6c-5b4a-3c2d-1e0f-9a8b7c6d5e4f
description: Detects patterns consistent with NOVA staging including mass file copying and shadow copy deletion via vssadmin.
author: Security Arsenal Research
date: 2026/06/25
logsource:
product: windows
service: security
detection:
selection_vss:
EventID: 4688
NewProcessName|endswith: '\vssadmin.exe'
CommandLine|contains: 'delete shadows'
selection_robocopy:
EventID: 4688
NewProcessName|endswith: '\robocopy.exe'
CommandLine|contains:
- '/E'
- '/COPYALL'
- '/ZB'
condition: 1 of selection_
falsepositives:
- Legitimate system administrator backups
level: high
tags:
- attack.impact
- attack.t1490
- nova
KQL Hunt Query (Microsoft Sentinel)
Hunt for lateral movement indicators often seen post-initial access in NOVA campaigns, specifically looking for remote service execution.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wmiprvse.exe") or InitiatingProcessAccountName contains "ADMIN"
| where FileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe")
| where ProcessCommandLine has "process call create" or ProcessCommandLine has "accepteula" or ProcessCommandLine has "-s"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| extendentropy = sha256(ProcessCommandLine)
PowerShell Hardening Script
Rapid response script to enumerate scheduled tasks created in the last 7 days (a common persistence mechanism for NOVA) and check the status of Volume Shadow Copies.
<#
.SYNOPSIS
NOVA Ransomware Rapid Response Check
.DESCRIPTION
Checks for recently created scheduled tasks and Volume Shadow Copy status.
#>
Write-Host "[+] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan
$DateThreshold = (Get-Date).AddDays(-7)
$SuspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt $DateThreshold -and $_.Author -notlike "*Microsoft*" -and $_.Author -notlike "*N-able*" }
if ($SuspiciousTasks) {
Write-Host "[ALERT] Found suspicious scheduled tasks:" -ForegroundColor Red
$SuspiciousTasks | Format-List TaskName, Author, Date, TaskPath, Actions
} else {
Write-Host "[OK] No suspicious recent scheduled tasks found." -ForegroundColor Green
}
Write-Host "[+] Checking Volume Shadow Copy (VSS) Storage..." -ForegroundColor Cyan
try {
$vss = vssadmin list shadows
if ($vss -match "No shadow copies found") {
Write-Host "[WARNING] No Shadow Copies exist. Backup may be compromised." -ForegroundColor Yellow
} else {
Write-Host "[OK] Shadow Copies are present." -ForegroundColor Green
}
} catch {
Write-Host "[ERROR] Could not query VSS." -ForegroundColor Red
}
# Incident Response Priorities
1. **T-Minus Detection Checklist:**
* Inspect Check Point Security Gateway logs for IKEv1 anomalies or spikes in failed authentication requests matching CVE-2026-50751 indicators.
* Audit ConnectWise ScreenConnect logs for successful logins from unusual geolocations or times.
2. **Critical Assets for Exfiltration:**
* NOVA aggressively targets **Customer Databases (SQL)** and **Intellectual Property repositories**. Prioritize isolation of database servers and file shares containing blueprints or logistics data.
3. **Containment Actions (Order of Urgency):
1. **Disconnect VPN concentrators** (specifically Check Point) from the internet if patches for CVE-2026-50751 are not verified.
2. **Disable ScreenConnect services** immediately until verified clean.
3. **Revoke and rotate** credentials for service accounts used on the perimeter devices.
# Hardening Recommendations
**Immediate (24h):**
* **Patch CVE-2026-50751:** Apply the Check Point hotfix immediately. This is the primary IAV for the current campaign.
* **Patch CVE-2024-1708:** Ensure ScreenConnect instances are updated to the latest patched version.
* **Block Internet Access to Management Interfaces:** Restrict access to Cisco FMC and Check Point management consoles to internal subnets or strict VPN IP ranges via firewall ACLs.
**Short-term (2 weeks):**
* **Network Segmentation:** Enforce strict isolation between the IT management network (where ScreenConnect/RMM tools live) and the Operational Technology (OT) or Logistics networks.
* **Implement MFA for All Remote Access:** Ensure phishing-resistant MFA (FIDO2) is enforced on all VPN and RMM entry points.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.