RALord
RALord is a ransomware family also referenced in later reporting as NOVA, with reporting describing Nova as a ransomware-as-a-service operation that distributes or operates the RALord/RaLord ransomware. The malware is associated with double extortion: encrypting files, exfiltrating sensitive data, and threatening public leaks to pressure victims. Reporting states Nova/RALord encryptors are written in Rust. Observed encrypted file extensions include .RALord, .ralord, and in Nova-linked reporting .RNOVA. Reported ransom note naming includes README-[random_string].txt and README-Nova. Victims are directed to communicate via private messengers such as Tox or Session, and the operators reportedly prefer negotiated payments over fixed-payment instructions. The group has been described as targeting multiple sectors including healthcare, IT, manufacturing, telecom, education, and construction. Public reporting cited in the content places Nova/RALord activity beginning in or being publicly discussed in April 2025, with ransomware.live reporting 37 Nova victims since surfacing in April 2025; other reporting characterizes RALord as a lower-volume group with incident counts in the single digits. The content links Nova/RALord to a July 2025 attack on Dutch medical lab Clinical Diagnostics, where stolen patient data was threatened for leak, and to an incident involving Eriell Group in which a Nova affiliate reportedly made an erroneous targeting decision. The content also states that RaLord/RALord is considered a successor or offshoot of the former RA Group. No credible evidence of nation-state linkage is provided in the content; instead, the operation is characterized as financially motivated criminal ransomware.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"Nova is a relative newcomer that some security researchers say distributes the RALord ransomware to encrypt files, exfiltrate sensitive data and use double extortion tactics to pressure victims."
Nova is a relative newcomer that some security researchers say distributes the RALord ransomware to encrypt files, exfiltrate sensitive data and use double extortion tactics to pressure victims.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware operation discussed in the context of an affiliate mistakenly targeting a CIS-based company, then apologizing and offering recovery assistance.
Ransomware family/brand involved in rebranding (NOVA/RALord) with common RaaS-style extension and ransom-note naming conventions.
Ransomware/RaaS brand noted for rebranding/identity fluidity (NOVA/RALord), with common RaaS-style extension and ransom-note naming patterns.
Low-volume ransomware brand referenced as part of the long-tail of operators.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.