Nova
Nova is a ransomware family and ransomware-as-a-service (RaaS) operation, formerly known as RALord and described as tied to the RALord network. The ransomware is reportedly based on Babuk source code. Nova encrypts victims’ files and uses double-extortion tactics, demanding payment both for a decryptor and for deletion of stolen data. The group has been associated with leak-site activity on Tor and frequently changing dark web infrastructure; one report also describes distributed onion-based infrastructure and uvicorn-based backend servers.
Reporting links Nova to attacks and victim claims across multiple sectors, including healthcare, education, professional services, and software. High-confidence examples include the 2025 attack on Eurofins subsidiary Clinical Diagnostics in the Netherlands, which reportedly resulted in the theft of data belonging to almost one million patients, including personal information and medical test results; the targeting of Dutch software firm FysioRoadmap, which reportedly exposed information on more than 20,000 patients; a South Korean university listed as a victim; and a claimed breach of KPMG Netherlands, which KPMG publicly denied. Reporting also states that Nova has targeted the medical and education sectors and has pursued high-profile corporate victims.
Nova is described as having affiliates and operational rules. One report says Nova mistakenly targeted Eriell Group, a Tashkent-based oilfield services company with operations in Russia, despite the common ransomware norm of avoiding Russian and broader CIS-linked targets. According to that reporting, Eriell contacted Nova, the responsible affiliate was cut off and banned, Nova publicly apologized, and Nova claimed encryption did not occur and data was not published.
Reporting also references allegations that Nova leaked some Clinical Diagnostics data even after the ransom was paid, and separately notes an earlier incident involving data from 485,000 Dutch women screened for cervical cancer in which Nova allegedly violated an agreement after payment. Researchers from CBSecurity and Dos-Op.io reportedly investigated Nova and claimed that network-configuration mistakes exposed backend addresses and additional attack surfaces. Aliases and related identifiers mentioned in the reporting include RALord, AlexL101m3, ForLord, RALord-RaaS, jhonkarry, BlackBeard, and a recruiter/admin identified as Alex.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic: Stealth (1 technique), Command and Control (1 technique), Exfiltration (1 technique), Impact (1 technique).
A Dutch healthcare software vendor has been knocked offline following a ransomware attack... "On April 7, 2026, Z-CERT received notification that ChipSoft has fallen victim to a ransomware attack," it said.
The country suffered one of its worst breaches in 2025 after a Nova ransomware attack on Eurofins subsidiary Clinical Diagnostics, a cancer-screening laboratory.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Ransomware operation or affiliate referenced as tied to the RALord network; it accidentally targeted Eriell Group and later apologized, claiming encryption did not occur and data was not published.
Ransomware used in an attack against Eurofins subsidiary Clinical Diagnostics, resulting in stolen patient data and major breach impact.
Ad-fraud clicker module delivered via Keenadu (and also embedded in trojanized apps) that uses ML/WebRTC to interact with advertising elements; later iterations appear to act as a loader for additional components including spyware and droppers.