Skip to content
Ransomware group

RALord

RALord is a ransomware family also referenced in later reporting as NOVA, with reporting describing Nova as a ransomware-as-a-service operation that distributes or operates the RALord/RaLord ransomware.

Profile source: Mallory opens in a new tab

RALord

Family profile

RALord is a ransomware family also referenced in later reporting as NOVA, with reporting describing Nova as a ransomware-as-a-service operation that distributes or operates the RALord/RaLord ransomware. The malware is associated with double extortion: encrypting files, exfiltrating sensitive data, and threatening public leaks to pressure victims. Reporting states Nova/RALord encryptors are written in Rust. Observed encrypted file extensions include .RALord, .ralord, and in Nova-linked reporting .RNOVA. Reported ransom note naming includes README-[random_string].txt and README-Nova. Victims are directed to communicate via private messengers such as Tox or Session, and the operators reportedly prefer negotiated payments over fixed-payment instructions. The group has been described as targeting multiple sectors including healthcare, IT, manufacturing, telecom, education, and construction. Public reporting cited in the content places Nova/RALord activity beginning in or being publicly discussed in April 2025, with ransomware.live reporting 37 Nova victims since surfacing in April 2025; other reporting characterizes RALord as a lower-volume group with incident counts in the single digits. The content links Nova/RALord to a July 2025 attack on Dutch medical lab Clinical Diagnostics, where stolen patient data was threatened for leak, and to an incident involving Eriell Group in which a Nova affiliate reportedly made an erroneous targeting decision. The content also states that RaLord/RALord is considered a successor or offshoot of the former RA Group. No credible evidence of nation-state linkage is provided in the content; instead, the operation is characterized as financially motivated criminal ransomware.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Md5

2 total
  • be15f62d14d1cbe2aecce8396f4c6289
  • 4566f5ba6d1a1db0dd7794ea8d791b3f

Tox

2 total
  • 8E9A6195A769FE7115F087C61D75CF32874C339B3AB0947D07480C9A8A12DA5009151BE6A51F
  • 0C8E5B45C57AE244E9C904C5BC74F73306937469D9CEA22541CA69AC162B8D42A20F4C0382AC

Ip

1 total
  • 144.172.95.78

Session

1 total
  • 054f55ec93aca9bac362b9d91eff36a7ce451e7caba47c0b2e004ba429f9529c79

Reported operators

Threat actors

2 named in public reporting
Nova

"Nova is a relative newcomer that some security researchers say distributes the RALord ransomware to encrypt files, exfiltrate sensitive data and use double extortion tactics to pressure victims."

RA Group

Nova is a relative newcomer that some security researchers say distributes the RALord ransomware to encrypt files, exfiltrate sensitive data and use double extortion tactics to pressure victims.

MITRE ATT&CK

RALord in ATT&CK

1 distinct techniques

Reporting

Research mentioning RALord

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.