Nova
Nova is a ransomware-as-a-service (RaaS) group, formerly known as RALord; reporting ties it to the RALord network. The group uses double-extortion tactics: it encrypts victim files and threatens to leak stolen data if payment is not made. One report states the ransomware is based on Babuk source code. Known aliases and related names directly mentioned in the content include RALord, RALord-RaaS, and Nova; additional names listed in reporting about the group's administrators or recruiters include AlexL101m3, ForLord, jhonkarry, and Alex/Алексей.

The content places Nova among active ransomware operators in 2025-2026 and repeatedly describes it as targeting organizations in healthcare, manufacturing, education, professional services, and industrial sectors. Reported or claimed victims mentioned in the content include Clinical Diagnostics in the Netherlands, FysioRoadmap, KPMG Netherlands, a South Korean industrial equipment manufacturer, and a South Korean university. Quorum Cyber reporting cited in the content says Nova accounted for 10% of observed ransomware activity affecting higher education during the measured period. Other reporting cited in the content says Nova continued publishing victims from healthcare, manufacturing, and education.

The group is linked in the content to several incidents in the Netherlands. Nova was reported to have attacked Clinical Diagnostics, affecting more than 850,000 people, and FysioRoadmap, exposing data from more than 20,000 patients. Multiple items state Nova claimed KPMG Netherlands on its leak site and threatened publication within 10 days; KPMG later stated that its IT infrastructure and security systems had not been compromised, so the claim should be treated as unverified. The content also states Nova threatened to leak data stolen from a lab and that Nova exfiltrated patient data during a July ransomware attack.
Operationally, the content describes Nova as maintaining dark web leak infrastructure and, in one report, multiple Tor-based command-and-control or leak-site elements using standardized uvicorn-based backend deployment. Another report states Nova’s infrastructure was exposed due to network-configuration mistakes that revealed backend addresses and additional attack surfaces. The content also notes Nova’s leak site changes frequently. The content describes Nova as active in underground criminal ecosystems, including use of the RAMP forum, where Nova publicly chastised another group, Radiant, for leaking children’s data. Separate reporting states Nova also chastised an affiliate after an accidental hit on Eriell Group, a CIS-linked business; the content says Nova publicly backtracked, claimed encryption did not occur and data was not published, and reportedly banned the responsible operator. Reporting cited in the content also says that after the RAMP takedown, groups such as Nova were reportedly shifting activity toward Rehub. Overall, the content consistently characterizes Nova as a financially motivated ransomware operator rather than a nation-state actor.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Energy
Where they target
Geographies tied to known operations.
- 🇺🇿 Uzbekistan
- 🇷🇺 Russia
Tradecraft
9 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware affiliate/operator that accidentally targeted Eriell Group, then apologized, provided assistance, and was reportedly banned after breaching internal rules against hitting CIS-linked entities.
Named as an active ransomware group operating during the period discussed, contributing to frequent victimization across sectors including education and healthcare.
Active ransomware group publishing victims in healthcare, manufacturing, and education sectors.
Named threat actor handle extracted from dark web leak-site related content; no further activity details provided.