Skip to content
Ransomware group

Nova

Nova is a ransomware-as-a-service (RaaS) operation formerly known as RALord, first observed in late March 2025 and rebranded in April 2025.

Profile source: Mallory opens in a new tab

Nova

Family profile

Nova is a ransomware-as-a-service (RaaS) operation formerly known as RALord, first observed in late March 2025 and rebranded in April 2025. It is described as reportedly based on Babuk source code and uses a double-extortion model: encrypting victim files while also exfiltrating data and pressuring victims through Tor-based leak and negotiation infrastructure, including a "Nova Access Portal," countdown timers, and proof-of-theft postings. Nova has claimed victims across multiple continents and sectors, including healthcare, education, hospitality, IT services, media and entertainment, construction, agriculture, and professional services. Reported victims or claimed victims in the provided content include Eurofins subsidiary Clinical Diagnostics, a South Korean university, Dutch software firm FysioRoadmap, and KPMG Netherlands, although KPMG publicly denied compromise.

The malware is described as a Rust-based cross-platform ransomware supporting Windows, Linux, and VMware ESXi. Reported payload variants append extensions including .nova, .RALord, .ralord, .LORD, .RNOVA, .happy11, and .KARMA. Nova is said to open a console via conhost.exe, scan for files to encrypt, target virtual disk formats such as .vhd, .vhdx, and .vmdk, and drop ransom notes including randomized README-[12 random alphanumeric characters].txt files and HOW_TO_RECOVER_DATA.html. Encryption is reported to use AES-256-CBC with per-file keys wrapped by RSA-2048, while some variants reportedly use RC4 for faster encryption of large files.

Initial access and post-compromise behavior described in the content include use of compromised VPN or RDP credentials, credential stuffing, password reuse, initial access brokers, exploitation of public-facing applications, and spearphishing. Nova affiliates are reported to execute payloads via PowerShell and cmd.exe, use LOLBins, establish persistence through HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run and scheduled tasks, force Safe Mode with Networking using bcdedit /set {default} safeboot network, and maintain access with legitimate remote tools such as PuTTY, AnyDesk, and LogMeIn. Additional reported behaviors include credential dumping from LSASS using Mimikatz or Procdump, theft of browser and Windows Credential Manager data, network and system discovery, lateral movement via RDP, SMB admin shares, WMI/WMIC, pass-the-hash, and SSH to ESXi hosts, deletion of shadow copies with vssadmin.exe Delete Shadows /all /quiet and wmic shadowcopy delete /nointeractive, and targeting of backup platforms including Veeam, Commvault, and Acronis.

The operation is described as recruiting affiliates on darknet forums including RAMP and DarkForums under the username "ForLord," offering an 85/15 revenue split and low-cost locker access. The content also notes an operational mistake in which Nova reportedly targeted Eriell Group, a CIS-linked company, after which the responsible affiliate was allegedly banned and Nova publicly apologized. Indicators mentioned in the content include onion infrastructure such as novavdivko2zvtrvtllnq45lxhba2rfzp76qigb4nrliklem5au7czqd.onion and novadmrkp4vbk2padk5t6pbxolndceuc7hrcq4mjaoyed6nxsqiuzyyd.onion, the Telegram handle @NovaSupport, the registry artifact HKLM\\SOFTWARE\\NovaRansom, and sample hashes including SHA-256 456b9adaabae9f3dce2207aa71410987f0a571cd8c11f2e7b41468501a863606 and MD5 values ef846baabc14fe461cff4c4a0fd5056f, be15f62d14d1cbe2aecce8396f4c6289, and 4566f5ba6d1a1db0dd7794ea8d791b3f.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Tox

1 total
  • 8E9A6195A769FE7115F087C61D75CF32874C339B3AB0947D07480C9A8A12DA5009151BE6A51F

Session

1 total
  • 054f55ec93aca9bac362b9d91eff36a7ce451e7caba47c0b2e004ba429f9529c79

Ransomware.live

Recent claims

All published claims ↗

MITRE ATT&CK

Nova in ATT&CK

5 distinct techniques

Reporting

Research mentioning Nova

Jul 7
Hackers Arise

Cryptocurrency Drainers: How Hackers Steal Cryptocurrency - Hackers Arise

The biggest drainers active in 2024 had names like Angel, Inferno, Ping, Ace, Cerberus, Nova, Medusa, MS, CryptoGrab, and Venom.

Jun 16
Cysecurity News

Ransomware Gang Apologizes After Mistakenly Attacking CIS Company and Revealing Criminal Errors - CySecurity News - Latest Information Security and Hacking Incidents

A misstep by Nova, tied to the RAlord network, led to unintended consequences. Following an accidental hit on Eriell Group... affiliates backtracked publicly.

Apr 8
Register Security

Ransomware knocks Dutch healthcare software vendor offline • The Register

The country suffered one of its worst breaches in 2025 after a Nova ransomware attack on Eurofins subsidiary Clinical Diagnostics, a cancer-screening laboratory.

Apr 8
Register Security

Ransomware knocks Dutch healthcare software vendor offline • The Register

The country suffered one of its worst breaches in 2025 after a Nova ransomware attack on Eurofins subsidiary Clinical Diagnostics, a cancer-screening laboratory.

Feb 17
Securelist

Keenadu the tablet conqueror and the links between major Android botnets | Securelist

"The Nova (Phantom) clicker... Dr. Web named it Phantom, the C2 server refers to it as Nova..."

Jan 27
Scworld

KPMG refutes alleged Nova ransomware hack of Dutch branch | SC Media

"UK multinational professional services network KPMG has repudiated claims made by the Nova ransomware gang purporting the breach of KPMG Netherlands..."

Jan 26
Cyber Security News

Nova Ransomware Allegedly Claiming Breach of KPMG Netherlands

A major accounting firm in the Netherlands has reportedly become the latest victim of Nova, an active ransomware operation.

Jan 26
Redpiranha News

Threat Intelligence Report January 20 to January 26, 2026

Nova (formerly RALord) is a Ransomware-as-a-Service (RaaS) operation first observed in late March 2025 under the name RALord, rebranding to Nova in April 2025.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.