NOVA ransomware has operated under that name since approximately April 2025, when the group rebranded from RALord — a name it had used since at least mid-2024. The rebranding was not accompanied by significant technical changes, but it appears to have coincided with a recruitment push for new affiliates and an expanded target set.
By early 2026, NOVA had claimed over 100 confirmed victims across five continents. That places it in the mid-tier of the current ransomware ecosystem — not in the same bracket as RansomHub or LockBit by volume, but consistent enough to warrant tracking.
Technical Profile
Language and platform: NOVA’s encryptor is written in Rust. The choice is deliberate: Rust binaries are significantly harder to reverse-engineer than equivalent C or C++ code, and the language’s memory safety model eliminates an entire class of runtime errors that might interfere with encryption operations. The encryptor runs on Windows, Linux, and VMware ESXi environments — the ESXi targeting reflects the sector’s shift toward virtualised infrastructure and the high leverage of encrypting hypervisor hosts.
Encryption approach: The group uses a hybrid encryption scheme combining symmetric encryption for speed with asymmetric encryption for key protection. The private decryption key is held by the operators, not embedded in the binary — which means generic decryptors are not viable without law enforcement access to the key material.
Exfiltration before encryption: NOVA follows the standard double-extortion model. Data is exfiltrated to operator-controlled infrastructure before encryption begins. The group operates a clearnet leak site where victim data is published if the ransom is not paid within the deadline.
Initial Access Methods
NOVA relies primarily on compromised VPN and RDP credentials as its initial access vector. The group sources these through:
- Credential stuffing: Automated attacks against internet-facing VPN and Remote Desktop services using credential lists from prior data breaches
- Initial Access Brokers: NOVA affiliates purchase pre-compromised access from IAB markets on criminal forums, particularly for targets in high-value sectors
- Phishing: A secondary vector, less frequently attributed to NOVA than to credential-based access
The implication for defenders is that exposed RDP (port 3389) and VPN services without multi-factor authentication are the primary entry point. Network access without MFA is the single most consistent enabler of NOVA intrusions.
Affiliate Model and Payments
NOVA operates a standard RaaS model. Affiliates receive 85% of ransom payments; the operators retain 15%. The split is competitive within the current market — comparable to RansomHub’s well-publicised 90/10 offering, and more favourable to affiliates than older LockBit arrangements.
Affiliates are recruited through criminal forums and receive access to the NOVA affiliate panel, which provides encryptor builds, victim management, and communication tooling. The group advertises “no targeting restrictions” on most sectors, though it has stated publicly that it does not target schools and non-profit organisations — a positioning similar to several other groups that make such claims with varying degrees of actual adherence.
Victim Profile and Geography
Top sectors: Manufacturing (18 confirmed victims), technology (18), and healthcare (16) as of Q1 2026. Manufacturing and technology reflect the group’s focus on organisations where operational disruption creates payment pressure. Healthcare targeting is consistent across the RaaS ecosystem and reflects the sector’s combination of data sensitivity and operational criticality.
Geography: The United States is the primary target by volume, followed by France, Brazil, and Singapore. The geographic spread is consistent with a group recruiting affiliates internationally rather than operating as a geographically focused campaign.
Notable recent incidents: In May 2026, NOVA claimed responsibility for an attack on the University of Valencia, exfiltrating approximately 300 GB of data. The university stated that only an obsolete research server was affected, though this characterisation is disputed by the group’s leak site publication.
Tactics, Techniques, and Procedures
NOVA TTPs largely follow the standard playbook for modern RaaS operations:
- Initial access via compromised VPN/RDP credentials
- Reconnaissance using built-in Windows tooling and Sysinternals utilities (LOLBAS approach)
- Lateral movement via SMB, PsExec, and RDP
- Privilege escalation targeting local administrator and domain administrator accounts
- Data exfiltration using rclone or custom tooling to NOVA-controlled cloud infrastructure
- Deployment of the Rust encryptor, targeting network shares and mapped drives in addition to local volumes
- ESXi targeting via direct encryptor deployment against virtualisation hosts where hypervisor access is obtained
The use of Rust-based tooling makes static analysis more difficult, but behavioural detection of the lateral movement and exfiltration phases remains effective. The credential-stuffing initial access vector means the first observable anomaly is often an authentication event from an unusual IP address or geography — which is detectable with log monitoring against baseline access patterns.
Defensive Priorities
For organisations in NOVA’s primary target sectors:
Immediate: Require MFA on all VPN and RDP entry points. No credential-based network access without a second factor. This eliminates the group’s primary initial access method.
Short-term: Monitor for anomalous authentication events — logins from new geographies, unusual hours, or unfamiliar IP ranges against VPN and domain accounts. Initial access via IAB-purchased credentials typically comes from IPs not previously associated with the account.
Detection: Look for rclone execution on endpoints and servers. Rclone is heavily used by ransomware affiliates for exfiltration and its process execution and network destinations are distinctive. Sigma rule coverage for rclone and equivalent data transfer tooling provides meaningful pre-ransom detection opportunity.
Backup posture: Ensure backup infrastructure is not accessible from production network. NOVA affiliates, like most RaaS operators, attempt to access and encrypt or delete backups before deploying the main encryptor. Offline or air-gapped backups are the primary recovery mitigation.
NOVA is not the most technically sophisticated operator currently active. It is representative of the mid-tier RaaS ecosystem: competent, operationally active, and entirely capable of causing significant disruption to organisations that have not addressed their basic credential and remote access exposure.