Md5
2 totalbe15f62d14d1cbe2aecce8396f4c62894566f5ba6d1a1db0dd7794ea8d791b3f
RALord is a ransomware family also referenced in later reporting as NOVA, with reporting describing Nova as a ransomware-as-a-service operation that distributes or operates the RALord/RaLord ransomware.
Profile source: Mallory opens in a new tabRALord
RALord is a ransomware family also referenced in later reporting as NOVA, with reporting describing Nova as a ransomware-as-a-service operation that distributes or operates the RALord/RaLord ransomware. The malware is associated with double extortion: encrypting files, exfiltrating sensitive data, and threatening public leaks to pressure victims. Reporting states Nova/RALord encryptors are written in Rust. Observed encrypted file extensions include .RALord, .ralord, and in Nova-linked reporting .RNOVA. Reported ransom note naming includes README-[random_string].txt and README-Nova. Victims are directed to communicate via private messengers such as Tox or Session, and the operators reportedly prefer negotiated payments over fixed-payment instructions. The group has been described as targeting multiple sectors including healthcare, IT, manufacturing, telecom, education, and construction. Public reporting cited in the content places Nova/RALord activity beginning in or being publicly discussed in April 2025, with ransomware.live reporting 37 Nova victims since surfacing in April 2025; other reporting characterizes RALord as a lower-volume group with incident counts in the single digits. The content links Nova/RALord to a July 2025 attack on Dutch medical lab Clinical Diagnostics, where stolen patient data was threatened for leak, and to an incident involving Eriell Group in which a Nova affiliate reportedly made an erroneous targeting decision. The content also states that RaLord/RALord is considered a successor or offshoot of the former RA Group. No credible evidence of nation-state linkage is provided in the content; instead, the operation is characterized as financially motivated criminal ransomware.
Ransomware.live
Ransomware.live
be15f62d14d1cbe2aecce8396f4c62894566f5ba6d1a1db0dd7794ea8d791b3f8E9A6195A769FE7115F087C61D75CF32874C339B3AB0947D07480C9A8A12DA5009151BE6A51F0C8E5B45C57AE244E9C904C5BC74F73306937469D9CEA22541CA69AC162B8D42A20F4C0382AC144.172.95.78054f55ec93aca9bac362b9d91eff36a7ce451e7caba47c0b2e004ba429f9529c79Reported operators
"Nova is a relative newcomer that some security researchers say distributes the RALord ransomware to encrypt files, exfiltrate sensitive data and use double extortion tactics to pressure victims."
Nova is a relative newcomer that some security researchers say distributes the RALord ransomware to encrypt files, exfiltrate sensitive data and use double extortion tactics to pressure victims.
MITRE ATT&CK
Reporting
Nova, the affiliate program for ransomware crew RAlord, on Tuesday issued an apology to Eriell Group...
“RALord (also referenced as NOVA in later reporting)… Encrypted extension: .RALord … Nova as formerly known as RALord”
“Lower-volume Groups… including … RALord… recorded 2–4 incidents…”
"Nova is a relative newcomer that some security researchers say distributes the RALord ransomware to encrypt files, exfiltrate sensitive data and use double extortion tactics to pressure victims."
"Nova is a relative newcomer that some security researchers say distributes the RALord ransomware to encrypt files, exfiltrate sensitive data and use double extortion tactics to pressure victims."
“RALord… reported 8 incidents…”
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.