
Dark Web Most Wanted: Nova

DarkWebSonar Research Team
June 15, 2026
Last updated: June 15, 2026
ransomware dark-web-most-wanted threat-actor

Nova ransomware has logged 129 victim postings across 45 countries since April 2025, with only 13% of victims in the United States. DarkWebSonar telemetry shows a May–June 2026 surge and a RaaS operation rebranded from RALord.


Nova is one of the fastest-scaling ransomware operations DarkWebSonar tracks, and its victim map looks nothing like the field. Most established groups concentrate heavily on US targets; Akira sits above 60% US victims in comparable DarkWebSonar datasets, PLAY above 84%. Nova sits at 13%. Since April 2025, DarkWebSonar has recorded 129 victim postings across 45 countries. Europe dominates at 41% of incidents with country metadata, but the sharpest anomaly is in the Americas, where Latin America and the Caribbean (19%) outrank North America (14%), an inversion of the US-heavy distribution most leak sites show. The remainder spreads across Southeast Asia, South and Central Asia, East Asia, MENA, and Africa.

This geographic spread, combined with a May–June 2026 acceleration (41 postings in the last 90 days, 30 in the last 30), suggests Nova has moved from launch-phase visibility into sustained RaaS operations with a consistent double-extortion leak-site model.

Key findings from DarkWebSonar telemetry (April 2025–June 2026):

  • 129 ransomware victim postings observed.
  • 45 countries targeted.
  • Top industries: Technology & Telecom, Manufacturing & Construction, Education & Research.
  • Launch spike: 2025-W18 (12 postings, April 28–29, 2025); recent surge: 2026-W21 and 2026-W22 (12 and 9 postings respectively).

Nova is a Ransomware-as-a-Service operation that emerged from the earlier RALord brand in April 2025 before adopting the Nova name. In a May 2025 interview with RedHotCyber, Nova operators described a RaaS model built around encryption tooling, affiliate access, negotiation infrastructure, and technical support.

DarkWebSonar observed Nova gaining visibility through public extortion claims against higher-impact targets, including the City of Pisa in Italy and Clinical Diagnostics NMDL in the Netherlands. We treat these listings as intelligence signals rather than standalone proof of every operational detail. In practice, that means separating what the actor claims from what can be corroborated through victim statements, data exposure, infrastructure changes, and follow-on reporting.

By the Numbers (DarkWebSonar Telemetry)

DarkWebSonar monitors Nova's Tor-based data leak site continuously. The 129 victim postings below reflect what the group chooses to publish; posting volume is a useful proxy for extortion activity and affiliate output, though it undercounts victims who pay quietly or are never listed on the site.

  • Total victim postings (Apr 2025–Jun 2026): 129 across 45 countries; United States victims represent 13% of named targets
  • Recent momentum: 30 of 129 postings landed in the last 30 days (May–June 2026 surge)
  • DarkWebSonar risk score: 100 / 100 (High)
  • Activity classification: Spiked, meaning recent 30-day posting volume significantly exceeds the group's established baseline cadence
  • Primary network: Tor (98% of incidents)

Posting cadence and year-week analysis

When DarkWebSonar telemetry is aggregated by ISO year-week, Nova's activity divides into three observable phases:

  1. Launch burst (2025-W18): 12 postings in the first two days of tracked activity (April 28–29, 2025), consistent with a coordinated debut on the leak site.
  2. Consolidation (May 2025–April 2026): Predominantly single-incident weeks with occasional pairs, averaging roughly one posting per week.
  3. Acceleration (May–June 2026): Sustained multi-victim weeks, peaking at 12 postings in 2026-W21 and 9 in 2026-W22.

Trends

| Year-week | Victims posted | Notes |
|---|---|---|
| 2025-W18 | 12 | Launch burst (Apr 28–29) |
| 2026-W21 | 12 | Largest recent week |
| 2026-W22 | 9 | Sustained May campaign |
| 2025-W42 | 5 | Mid-October cluster |
| 2026-W20 | 5 | May 19 single-day burst (5 postings) |
| 2025-W25 | 4 | Late June 2025 |
| 2025-W43 | 4 | Late October 2025 |

We assess the May–June 2026 surge reflects expanded affiliate activity, batch publication of victims compromised during the preceding weeks, or both.
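The year-week aggregation and the "Spiked" classification described above, as an added example (not DarkWebSonar's code or data): it buckets posting dates by ISO year-week, flags burst weeks against the median of earlier weeks, and compares the last 30 days with the earlier posting rate. The dates are constructed, and the thresholds (`factor`, `floor`, `ratio`) are assumptions, since the page does not state DarkWebSonar's cut-offs.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median

def year_week(d):
    """ISO label such as 2025-W18; the ISO year can differ from the calendar year."""
    return "{}-W{:02d}".format(*d.isocalendar()[:2])

def weekly_counts(dates):
    """Postings per ISO week, zero-filling quiet weeks so the baseline is not inflated."""
    counts = Counter(year_week(d) for d in dates)
    monday = min(dates) - timedelta(days=min(dates).weekday())
    series = []
    while monday <= max(dates):
        series.append((year_week(monday), counts[year_week(monday)]))
        monday += timedelta(days=7)
    return series

def burst_weeks(series, factor=3, floor=4):
    """Weeks with >= floor postings and >= factor x the median of all earlier weeks.
    factor and floor are assumed thresholds, not DarkWebSonar's."""
    out = []
    for i, (label, n) in enumerate(series):
        base = median(c for _, c in series[:i]) if i else 0
        if n >= floor and n >= factor * max(base, 1):
            out.append(label)
    return out

def classify(dates, today, window=30, ratio=2.0):
    """'Spiked' if the last `window` days exceed `ratio` x the earlier per-window rate
    (ratio is an assumed cut-off). Returns (label, recent count, baseline)."""
    start = today - timedelta(days=window)
    recent = sum(start < d <= today for d in dates)
    prior = [d for d in dates if d <= start]
    span = max((start - min(prior)).days, window) if prior else window
    baseline = len(prior) * window / span
    return ("Spiked" if recent > ratio * baseline else "Steady"), recent, round(baseline, 1)

def sample_dates():
    """Constructed posting dates (not telemetry): a 12-posting launch week, one posting
    a week afterwards, then weeks of 5, 12 and 9 placed by ISO week number."""
    dates = [date(2025, 4, 28)] * 11 + [date(2025, 4, 29)]
    dates += [date(2025, 5, 7) + timedelta(days=7 * k) for k in range(52)]
    for week, n in ((20, 5), (21, 12), (22, 9)):
        dates += [date.fromisocalendar(2026, week, 2)] * n
    return dates

if __name__ == "__main__":
    print(burst_weeks(weekly_counts(sample_dates())))
    print(classify(sample_dates(), date(2026, 6, 1)))
```

Zero-filling matters here: without the quiet weeks in the series, the median baseline is computed only over weeks that had postings and burst weeks stand out less than they should.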

Targeting distribution

Nova's victim geography is unusually distributed for a ransomware group active at this volume. Among 126 incidents with country metadata:

Countries

Two features stand out.

  • LATAM & Caribbean (19%) outranks North America (14%), driven by Brazil (11 victims) and Mexico (6). Most ransomware leak-site data skews heavily toward US victims, so a Latin-America-forward distribution is a distinguishing characteristic of Nova's targeting rather than a rounding artifact.
  • The CIS & Russia bucket holds just two incidents, Ukraine (1) and Uzbekistan (1), with no Russian victims. A Russian-speaking operation that posts a Ukrainian victim while avoiding Russia fits the long-observed pattern of CIS-based actors steering clear of domestic targets; the lone Uzbekistan posting is a minor outlier.

Additionally, the United States ranks first among individual countries but represents only 13% of all named victims, a materially lower concentration than the US-heavy distributions of groups like Akira or PLAY noted above.

Industry targeting shows breadth across technology, manufacturing, and education:

Industries

  • Technology & Telecom: 24 (19%)
  • Manufacturing & Construction: 23 (18%)
  • Education & Research: 16 (12%)
  • Healthcare & Pharma: 12 (9%)
  • Hospitality & Food Service: 9 (7%)
  • Government & Defense: 8 (6%)

The education and government concentrations are notable given recent June 2026 postings against Indonesian government agencies and South Korean universities observed in DarkWebSonar telemetry.

Notable posting events

  • Apr 28, 2025 (11 victims posted in a single day; first observed activity)
  • May 19, 2026 (5 victims posted)
  • May 26–30, 2026 (sustained cluster: 3, 2, 3, 1, and 3 postings across five days)
  • Jun 2, 2026 (2 victims: Germany and France manufacturing targets)
  • Jun 5–6, 2026 (India healthcare and Indonesia education targets)
  • Jun 14, 2026 (Indonesia government food-regulatory agency)

Tactics, Techniques & Procedures (TTPs)

Extortion strategy

Nova operates a ransomware-centric model built on encryption and extortion. The techniques inherent to this model, T1486 (Data Encrypted for Impact) and T1490 (Inhibit System Recovery), are consistent with double-extortion operations that pair file encryption with backup disruption and leak-site pressure.

Note

Beyond encryption, Nova applies layered pressure on its leak site, publishing detailed attack writeups on each victim alongside the threat of data release. These per-victim reports, which document the intrusion and exposed data in depth, function as both proof of compromise and reputational leverage, distinguishing Nova's approach from groups that post little more than a victim name and a countdown.

Technical capabilities

Nova's ransomware classification carries the core MITRE techniques common to encryption-based extortion:

  • T1486 Data Encrypted for Impact
  • T1027 Obfuscated Files or Information
  • T1490 Inhibit System Recovery

These reflect the operational model rather than per-incident observation. DarkWebSonar has not observed CVE associations or attributed tooling for Nova in its profile data.

Initial access and business model (open-source reporting)

DarkWebSonar visibility begins at the leak site; initial access and encryptor details below come from public reporting.

Public reporting indicates Nova affiliates gain initial access primarily through compromised VPN and RDP credentials, including credential stuffing, reused passwords, and access purchased from initial access brokers (IABs), with emphasis on exposed remote access lacking multi-factor authentication.

Public reporting documents Nova's RaaS structure under the RALord affiliate brand, including an 85/15 revenue split favoring affiliates and two encryptor variants: a widely distributed .nova affiliate variant and a premium Rust-based variant appending .RALord. The group rebranded from RALord to Nova in April 2025, per Ransomware.live and the RedHotCyber interview.

Evolution & Trends

Nova's operational timeline in DarkWebSonar telemetry aligns with open-source reporting on a rapid RaaS launch:

  • March 2025: RALord affiliate brand first observed (open-source reporting).
  • April 2025: Rebrand to Nova; DarkWebSonar first observed activity on April 28, 2025 (2025-W18 burst of 12 postings).
  • May–October 2025: Steady single-victim cadence with periodic clusters, including the high-profile City of Pisa posting (Italy, May 2025).
  • July 2025: Clinical Diagnostics NMDL, a Eurofins subsidiary (Netherlands), posted as a victim.
  • May–June 2026: Activity acceleration to 30 postings in 30 days; geographic spread extends to Indonesia government agencies, Indian healthcare, and South Korean education targets.

We assess that Nova's targeting reflects deliberate affiliate activity across Europe, Latin America, and Asia, where remote-access exposure remains high or leak-site publication faces less regulatory scrutiny, rather than the US-first focus of most peers. The near-absence of CIS victims (two incidents, no Russian targets) is consistent with a Russian-speaking operation avoiding domestic and allied jurisdictions. Together these patterns warrant global monitoring rather than North America-only threat models.

Notable Campaigns / Victims

Samples

Recent victims observed in DarkWebSonar telemetry (June 2026):

  • Balai Besar POM di Bandung (Indonesia, Government & Defense, food and drug regulatory body; posting dated June 14, 2026)
  • Badan Pangan Nasional (Indonesia, Government & Defense, national food security/food policy agency; posting dated May 29, 2026)
  • Aspire Hospital (India, Healthcare & Pharma, multi‑specialty hospital/healthcare provider in Bhubaneswar; posting dated May 5, 2026)
  • Daegu University (South Korea, Education & Research, higher‑education and research institution; posting dated May 30, 2026)
  • BC3 Tecnologia (Brazil, Technology & Telecom, ERP software provider for the packaging/corrugated industry; posting dated May 30, 2026)
  • IBENA HEIMTEX (Germany, Manufacturing & Construction, textile manufacturer; posting dated May 2, 2026)
  • Everlite Concept (France, Manufacturing & Construction, polycarbonate building solutions manufacturer; posting dated May 2, 2026)
  • Trevi S.p.A. (Italy, Technology & Telecom, consumer electronics company; posting dated June 9, 2026)

DarkWebSonar also tracked two of Nova's highest-profile earlier victims, the City of Pisa (Italy, May 2025) and Clinical Diagnostics NMDL, a Eurofins subsidiary (Netherlands, July 2025), both corroborated in subsequent open-source reporting.

DarkWebSonar Insights

  • Granular regional taxonomy separated Latin America from North America and CIS from Europe, surfacing two signals a coarse five-bucket view erases: LATAM & Caribbean (19%) outranking North America (14%), and a CIS & Russia bucket of just two incidents (Ukraine and Uzbekistan, no Russian victims). Folding these into broad "Americas" and "Europe" buckets would have masked both.
  • Year-week cadence tracking identified the 2026-W21/W22 surge (21 postings in two weeks) while the group remained absent from most quarterly threat reports.
  • Global targeting showed Nova's sub-13% US victim share before regional concentration became visible in aggregate ransomware rankings dominated by North American-focused groups.
  • Sector distribution placed Education & Research (12%) and Government & Defense (6%) above their typical share in ransomware datasets, relevant to sector-specific detection priorities.

Defender Outlook 2026

Persistent risk: Organizations in Technology & Telecom, Manufacturing & Construction, Education & Research, Healthcare, and Government should treat Nova as an active RaaS threat regardless of geography. The group's 45-country footprint means regional SOCs cannot rely on US-centric threat feeds alone.

Tempo: Nova's 2026 activity concentrated sharply in a single multi-week burst (2026-W20 through W22) rather than spreading evenly, with most of its recent volume landing in that span. Whether that reflects a recurring seasonal rhythm or simply batch publication is not yet established from one cycle, but the operational takeaway holds either way: Nova's output arrives in compressed bursts with little lead time, so detection and response readiness matter more than calendar-based monitoring windows. New affiliates can produce additional burst weeks with minimal warning.

Defensive actions:

  • Enforce MFA on all VPN, RDP, and remote access endpoints; prioritize exposed services identified in external attack surface scans.
  • Validate backup isolation and test restoration from air-gapped copies; recovery inhibition (T1490) is inherent to Nova's ransomware model.
  • Establish early warning for your organization's exposure on leak sites, so a Nova listing surfaces before public disclosure rather than after; DarkWebSonar provides this coverage.
  • Segment education and government networks from production environments; recent victims include universities and Indonesian government agencies.
  • Review affiliate-style RaaS indicators (multiple simultaneous victims across geographies) as a signal to escalate incident response readiness.

No public law enforcement actions targeting Nova have been identified as of June 2026; the group remains operationally active on Tor.

Conclusion

Nova represents a globally distributed ransomware RaaS operation that reached 129 DarkWebSonar-tracked victim postings in just 14 months, with only 13% of named victims in the United States. The May–June 2026 acceleration (30 postings in 30 days) and rebranding from RALord indicate a maturing affiliate program, not a fading newcomer.

For defenders, the practical implication is that Nova does not fit the US-centric model most regional threat feeds are built around. A team in Europe, Latin America, or Asia that scopes its threat picture to locally prominent groups will not see Nova coming. The exposure it actually exploits is consistent and addressable: internet-facing VPN and RDP without enforced MFA. Closing that gap is the single highest-value control against this group.


Data notes: Statistics in this profile are derived from DarkWebSonar telemetry on Nova's Tor leak site unless attributed to open-source reporting. Posting dates may lag compromise; batch publication can inflate single-week counts. Country and industry fields reflect leak-site metadata (126 of 129 incidents include country attribution).

