Last night, DataBreaches received a tip about a website with a new report exposing the Nova RaaS gang (“Nova”). Nova (formerly known as RALord) is a ransomware-as-a-service (RaaS) group. The ransomware, reportedly based on Babuk source code, encrypts victims’ files and then attempts to extort them into paying for a decryptor and for data deletion.
The report is the result of a collaboration between CBSecurity and Dos-Op.io, with the latter conducting all of the research.
DataBreaches responded to the tip and was able to ask “Marcus” from CBSecurity for some additional details.
According to Marcus, a few people from dos-op.io conducted all of the research, which took approximately two months. “Mistakes in Nova’s network configuration exposed additional attack surfaces and revealed their backend addresses,” Marcus informed DataBreaches.
The first part of the report contains a Maltego analysis and some preliminary infrastructure and personal information on the administrators and recruiters.
Aliases (4)
AlexL101m3
ForLord – Recruiter | admin | forum ops
RALord-RaaS – Recruiter | admin | forum ops
jhonkarry
Names:
Алексей Alex – Recruiter | admin | forum ops
“Alex,” who lists their location as London, maintains the “ForLord” GitHub repositories. “ForLord” was also the username for the group’s ProtonMail account.
A preliminary version of the first part of the planned three-part report can be found at cbsecurity.net. According to Marcus, the second and third parts of the report will include information on about 12 Nova affiliates.
DataBreaches asked whether Nova ever detected the attackers. “Maybe you should ask their admin,” Marcus replied, “because the next two leaks will make his hair fall out.”
But why target Nova? Marcus responded, “Their awful rules to affiliates and just the ethics of ransoming. We find it highly disgusting.” It is not clear to DataBreaches what makes Nova any more disgusting than other ransomware gangs that also attack the medical and education sectors, but the report specifically mentions those sectors. In August, DataBreaches reported on one of Nova’s attacks involving a medical target where they appeared to violate the agreement they made with the victim who paid them not to disclose data from 485,000 Dutch women who had been screened for cervical cancer. Nova’s attempts to clarify why they publicly raised the ransom demand after the victim paid, and then why their threat wasn’t really a threat, created confusion and stress for the victim and affected patients.
As of publication, Nova appears to be frequently updating/changing their dark web leak site, but they post no contact information on it.
About CBSecurity and Dos-OP
Because both CBSecurity and Dos-OP were new to DataBreaches, Marcus was asked whether he would reveal anything about who is behind it and running it. He responded, “CBSecurity.net is a fully anonymous news and investigations outlet. No one is behind it.”
There are no named individuals behind Dos-OP either, it seems. Dos-OP advertises itself as a service providing OSINT cyber intelligence, automated threat hunting, and comprehensive digital investigations. Currently, its main product is “Smart Search.”
DataBreaches asked whether CBSecurity is currently collaborating with Dos-OP to investigate any other ransomware gangs. Marcus stated, “Yes, we are constantly targeting criminals and public figures of interest in collaboration with dos-op.io. In a past collaboration, we also reported a serious bug in Wix’s Base44 app, which exposed all users’ data to exfiltration.”
Contacting Nova and Dos-OP
DataBreaches emailed Nova last night at its previously listed email address to ask them for their response to the report’s claims and attributions, but the email bounced back. DataBreaches left a friend request for them on Qtox, but they do not appear to have logged in to it by publication. DataBreaches found that their “BlackBeard” account on one Russian-language forum was recently banned, and we could not find them on a second Russian-language forum or actively on X.com. This post will be updated if Nova responds or contacts this site.
Marcus tells DataBreaches that the second part of the report should be released in about 10 days. Of note, Marcus claims that CBSecurity and Dos-OP have already sent detailed information to some law enforcement agencies, and that the information will be sent to other law enforcement agencies as well.
Dos-Op has contact info listed on its website. They have also created a Telegram channel and a Telegram chat channel.
This post was edited post-publication to correct a statement about information having been sent to certain law enforcement agencies.













