Nova
Threat-actor battle card · maintained from public sources · last updated 2026-06-23 · also known as RALord
Overview
Nova (formerly RALord, rebranded approximately April–May 2025) is a ransomware-as-a-service (RaaS) operation using double-extortion — exfiltrate, then encrypt. As of June 2026, ransomware.live tracks 147 claimed victims across 42 countries since the group first appeared on the threat landscape in May 2025. Nova debuted in the May 2026 top-10 by monthly victim volume (#9 in this tracker). The United States is the primary target (22 victims), followed by France (10) and Brazil (10).
Top targeted sectors: Technology (29), Manufacturing (24), Healthcare (18), Education (17), Business Services (12).
Nova publicly pledges not to target schools or nonprofit organisations. It maintains an explicit CIS-country exclusion (Commonwealth of Independent States — Russia, Ukraine, Kazakhstan, and other former Soviet republics), along with DPRK and China — an exclusion pattern consistent with, though not uniquely indicative of, a Russian-speaking operation. The exclusion is enforced via affiliate agreement: in June 2026, Nova issued a formal public apology after an affiliate violated the rule by encrypting Eriell Group (oilfield services, Uzbekistan); the affiliate was banned and Nova pledged free recovery assistance and no data leak.
Tradecraft
- Double-extortion: exfiltrate before encryption; data is published on the data leak site (DLS) if the ransom deadline expires.
- RaaS model: central operators manage the platform, affiliates execute intrusions.
- CIS, DPRK, and China excluded per affiliate contract (enforced with documented affiliate bans).
- Schools and nonprofits excluded per stated policy.
- No confirmed initial-access vector published by authoritative sources.
- Encryption method, lateral-movement tools, and ransom demand structure: unconfirmed in authoritative sources.
Notable victims
- Trevi — construction/engineering/Italy — seen 2026-06-09 — ransomware.live DLS
- SUNASS — government/water regulator/Peru — seen 2026-06-17 — ransomware.live DLS
- Lockers IT — IT services/Bangladesh — seen 2026-06-21 — ransomware.live DLS
- Eriell Group — oilfield services/Uzbekistan — CIS-rule violation; affiliate banned; Nova pledged no data leak — 2026-05-26 — Daily Security Review · CiphersSecurity
Assessment
Nova is a mid-tier RaaS platform with broad global reach and consistent growth since its May 2025 debut. Its willingness to publicly discipline affiliates for rule violations signals operational maturity and a desire to maintain affiliate trust and plausible deniability. The CIS/DPRK/China exclusion and Russian-language forum activity are suggestive of a Russian-speaking operation, but attribution is unconfirmed. At 147 victims across 42 countries in roughly 13 months of operation, the growth trajectory warrants inclusion in the top-10 watch list; escalation to Tier-1 status depends on June 2026 monthly reporting confirming a count above the current top-8 actors.
Sources
- ransomware.live — Nova group statistics
- SonicWall — Nova RaaS: The Ransomware That 'Spares' Schools and Nonprofits
- Xcitium ThreatLabs — From RALord to Nova: How This RaaS Gang Is Wreaking Havoc Worldwide
- Daily Security Review — Nova Ransomware Apologizes for CIS Rule Violation
- CiphersSecurity — Nova Ransomware CIS Rule Breach, Affiliate Banned
- Ransom-DB — Nova / RALord Ransomware Group Analysis 2026
🗂️ Attacks & victims
All disclosed victims attributed to this actor, newest first.
June 2026