Last night, DataBreaches received a tip about a website with a new report exposing the Nova RaaS gang (“Nova”). Nova (formerly known as RALord) is a ransomware-as-a-service (RaaS) group. The ransomware, reportedly based on Babuk source code, encrypts victims’ files and then attempts to extort them into paying for a decryptor and for data deletion...
Analysis Summary
# Threat Actor: Nova RaaS Gang
## Attribution & Identity
* **Primary Identification:** Nova RaaS gang ("Nova").
* **Known Aliases/Previous Name:** Formerly known as RALord.
* **Associated Infrastructure/Personnel Aliases:**
  * AlexL101m3
  * ForLord (recruiter, admin, forum ops; associated with a specific GitHub and ProtonMail account)
  * RALord-RaaS (recruiter, admin, forum ops)
  * jhonkarry
  * "Alexey Alex" (associated with London; recruiter, admin, forum ops)
* **Internal Motivation for Targeting (Reported):** The investigators (CBSecurity/Dos-Op) cited Nova's "awful rules to affiliates and just the ethics of ransoming" as motivation for exposing them.
## Activity Summary
The group operates as a Ransomware-as-a-Service (RaaS) operation. The information comes from a research report produced collaboratively by CBSecurity and Dos-Op.io over two months. Nova has a history of non-adherence to negotiated terms, highlighted by an August incident where they allegedly violated an agreement with a medical victim by demanding a higher ransom after payment and then threatening to release data belonging to 485,000 Dutch women. Nova appears to be actively managing and frequently updating/changing their dark web leak site.
## Tactics, Techniques & Procedures
- **Ransomware Operation:** Operates a Ransomware-as-a-Service model.
- **Extortion Strategy:** Encrypts victim files and then attempts to extort payment for both the decryptor and for data deletion (double extortion practices).
- **Infrastructure Discovery:** Investigators exploited mistakes in Nova’s network configuration which exposed backend addresses.
- **Malware Base:** The ransomware is reportedly based on Babuk source code.
- **Information Sharing:** Investigators have shared findings with Law Enforcement Agencies (LEA) in Russia, the U.K., and the U.S.
- **Affiliate Structure:** Plans to release details on approximately 12 known Nova affiliates in subsequent reports.
## Targeting
* **Sectors:** Medical and Education sectors are specifically mentioned in connection with Nova's activities.
* **Geography:** Involved in an incident impacting data related to Dutch women.
* **Victims:** The report mentions a specific incident involving a clinical diagnostics company handling data from 485,000 Dutch women.
## Tools & Infrastructure
* **Malware Families Used:** Ransomware based on Babuk source code.
* **Infrastructure (C2, domains, IPs):**
  * Maintains a dark web leak site (no contact information posted on it).
  * Uses a "ForLord" ProtonMail account.
  * Associated with GitHub repositories under the "ForLord" username.
  * Previously used Qtox for potential communication.
  * Had accounts on Russian-language forums (one account, "BlackBeard," was recently banned on one forum).
## Implications
Nova is an established RaaS operation that reuses a known code base (Babuk) and employs double extortion tactics. Its aggressive behavior and seemingly unreliable adherence to negotiated terms pose a significant risk to victims, since data may be leaked on an unpredictable schedule even after payment. The impending release of affiliate details suggests a large, active network whose operations may be severely disrupted by the investigative findings.
## Mitigations
- **Network Security:** Review internal network configurations for potential public exposure of backend addresses, as misconfigurations were exploited to discover Nova's infrastructure.
- **Incident Response:** Be aware that paying a ransom may not guarantee data deletion or adherence to agreed-upon terms, based on past documented behavior.
- **Monitoring:** Monitor for new reports or communications from the group, as they are actively updating their leak site and planning follow-up disclosures.