RALord
RALord is an emerging ransomware operation first observed in early 2025. Later reporting refers to the group as NOVA, indicating a rebrand from RALord to NOVA and some fluidity of identity across the operation; Nova is also described as an affiliate or partnership program associated with the RALord crew. Some reporting describes RALord/NOVA as a closed group rather than a public ransomware-as-a-service operation, while other reporting discusses NOVA RaaS publicly in April 2025 and a NOVA partnership panel.

The group has been associated with double extortion, with the encrypted-file extensions ".RALord" and ".ralord", and with ransom notes following the pattern "README-[random_string].txt".

Reporting places the group's emergence, or its rise to prominence, in 2025 and ranks it among the most active ransomware groups targeting MSPs and telecom providers in the first half of 2025. It is also described as launching a concentrated attack on the Middle East, with Asia-Pacific and the Middle East noted as focal regions in related reporting. Victim claims cited in reporting include Centrale Nantes, Tomio Ingeniería S.A., IHARA Defensivos Agricolas, Formosa Chang, Pere Claver Group, and Al Hejailan. ASEC reporting also noted a South Korean university listed as a NOVA victim.

One reported incident involved a Nova affiliate mistakenly targeting Eriell Group, an oilfield services company headquartered in Uzbekistan with a corporate office in Moscow. Nova reportedly issued a formal apology, said the responsible affiliate was banned, promised free recovery assistance, claimed no files were encrypted, and pledged not to leak stolen data. The incident is presented in the context of Russian-speaking ransomware crews avoiding Russia and other CIS targets.

Known alias: NOVA.
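The two file-level indicators above (the ".RALord"/".ralord" extensions and the "README-[random_string].txt" note) are enough to scope an encryption event on a file share. The following triage script is an added example for this page, not Mallory tooling and not anything attributed to the group; it walks a tree, classifies each file, and reports where encryption actually ran. Two assumptions are baked in and marked in the comments: the extension is matched case-insensitively because reporting shows both spellings, and the random string in the note name is assumed to be alphanumeric since reporting does not specify its character set. The sample paths are constructed, not taken from any incident.

```python
"""Filesystem triage for RALord/NOVA file indicators (hypothetical helper)."""
import os
import re
from collections import Counter
from pathlib import PurePosixPath

# Reported encrypted-file extension. Reporting lists both ".RALord" and
# ".ralord", so matching is case-insensitive (assumption: case is not meaningful).
ENCRYPTED_EXTENSIONS = {".ralord"}

# Reported note convention: README-[random_string].txt. Alphanumeric charset is
# an assumption; reporting does not describe the random string. Plain
# "README.txt" must not match, hence the mandatory hyphen.
RANSOM_NOTE_RE = re.compile(r"^README-[A-Za-z0-9]+\.txt$", re.IGNORECASE)


def classify_path(path: str):
    """Return 'encrypted', 'ransom_note', or None for one file path."""
    name = PurePosixPath(path).name
    if PurePosixPath(name).suffix.lower() in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    if RANSOM_NOTE_RE.match(name):
        return "ransom_note"
    return None


def triage(paths):
    """Summarise hits: encrypted count, note locations, impacted directories."""
    encrypted, notes = [], []
    for p in paths:
        kind = classify_path(p)
        if kind == "encrypted":
            encrypted.append(p)
        elif kind == "ransom_note":
            notes.append(p)
    by_dir = Counter(str(PurePosixPath(p).parent) for p in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "ransom_notes": sorted(notes),
        # Directories ranked by number of encrypted files, most affected first.
        "impacted_dirs": by_dir.most_common(),
    }


def walk_paths(root):
    """Yield every regular file under root (used for a live run)."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


# Constructed sample input for demonstration; not data from any real incident.
SAMPLE_PATHS = [
    "/srv/share/finance/Q1-budget.xlsx.RALord",
    "/srv/share/finance/invoices.pdf.ralord",
    "/srv/share/finance/README-k8Fz2Qx.txt",
    "/srv/share/hr/README-k8Fz2Qx.txt",
    "/srv/share/hr/handbook.docx.RALord",
    "/srv/share/eng/README.txt",          # ordinary readme, must not match
    "/srv/share/eng/notes.txt",
    "/srv/share/eng/ralord_analysis.md",  # contains the word but not the extension
]

if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)           # or: triage(walk_paths("/srv/share"))
    print(f"encrypted files: {summary['encrypted_count']}")
    for note in summary["ransom_notes"]:
        print(f"ransom note: {note}")
    for directory, count in summary["impacted_dirs"]:
        print(f"{count:5d}  {directory}")
```

Run it against the share root (or a forensic image mount) with `triage(walk_paths(root))`; the directory ranking tells you where the encryptor had write access, and note locations without a matching encrypted-file count are worth a second look given the group's own claim, in the Eriell case, of dropping notes without encrypting.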
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Energy
Where they target
Geographies tied to known operations.
- 🇺🇿 Uzbekistan
- 🇷🇺 Russia
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
2 distinct techniques observed across reporting, grouped by tactic.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Ransomware crew whose affiliate program accidentally infected a CIS-linked company, then apologized, promised recovery assistance, and said it would not leak stolen data.
Ransomware brand that appears to have rebranded/overlapped with NOVA; emphasizes brand mutation and RaaS-like design patterns (extensions/ransom-note conventions) and leak-site operations.
Ransomware operation characterized by rebranding/brand mutation (NOVA/RALord), with indicators consistent with common RaaS design practices and leak-site driven extortion.
Named as a new ransomware variant/gang emerging in 2024 and associated with victim claims posted in March 2024.