Nova (RALord) Ransomware Group Confirmed Active with 73

Rebranded and Fully Operational

The Nova ransomware group — formerly known as RALord — has been confirmed fully operational as of February 17, 2026, with 73 confirmed victims spread across nearly every continent. The group combines discipline with opportunism, targeting organizations across diverse sectors.

Group Profile

Attribute	Details
Current Name	Nova
Former Name	RALord
Type	Ransomware-as-a-Service (RaaS)
Confirmed Victims	73
Reach	Global — nearly every continent
Tactics	Double extortion (encrypt + exfiltrate + leak)
Latest Activity	February 17, 2026

Double Extortion Model

Nova employs the now-standard double extortion approach:

Encrypt — Lock down victim systems using ransomware payload
Exfiltrate — Steal sensitive data before encryption
Threaten — Demand payment or face public data leak
Leak — Publish stolen data on dedicated leak site if ransom is not paid

Victim Distribution

Nova's targeting shows no particular geographic preference, hitting organizations across:

North America — Largest concentration of victims
Europe — Western European organizations prominently represented
Asia — Growing number of victims in Southeast Asia
South America — Brazil and Argentina targeted
Africa — Emerging targeting in South Africa and Nigeria
Oceania — Australian organizations affected

Evolving Ransomware Landscape

Nova is part of a broader trend where ransomware groups are pivoting tactics as victims increasingly refuse to pay:

Trend	Description
DDoS-as-a-Service	Adding DDoS pressure on top of encryption and data theft
Insider recruitment	Recruiting employees at target organizations for initial access
Gig worker exploitation	Using freelance workers for money laundering and access brokering
Regulatory pressure	Reporting victims to regulators to increase pressure to pay
Customer notification	Directly contacting victim's customers about stolen data

Defensive Recommendations

Immutable backups — Maintain offline, air-gapped backups that cannot be encrypted
Network segmentation — Limit lateral movement paths
EDR/XDR deployment — Detect ransomware behavior before encryption begins
Incident response plan — Have a tested plan specifically for ransomware scenarios
Threat intelligence — Monitor Nova/RALord IOCs and TTPs

With 73 victims in just four months since rebranding, Nova demonstrates that ransomware remains one of the most prolific and profitable cybercrime models in 2026.

Sources

Rebranded and Fully Operational

Group Profile

Attribute	Details
Current Name	Nova
Former Name	RALord
Type	Ransomware-as-a-Service (RaaS)
Confirmed Victims	73
Reach	Global — nearly every continent
Tactics	Double extortion (encrypt + exfiltrate + leak)
Latest Activity	February 17, 2026

Double Extortion Model

Nova employs the now-standard double extortion approach:

Encrypt — Lock down victim systems using ransomware payload
Exfiltrate — Steal sensitive data before encryption
Threaten — Demand payment or face public data leak
Leak — Publish stolen data on dedicated leak site if ransom is not paid

Victim Distribution

Nova's targeting shows no particular geographic preference, hitting organizations across:

North America — Largest concentration of victims
Europe — Western European organizations prominently represented
Asia — Growing number of victims in Southeast Asia
South America — Brazil and Argentina targeted
Africa — Emerging targeting in South Africa and Nigeria
Oceania — Australian organizations affected

Evolving Ransomware Landscape

Nova is part of a broader trend where ransomware groups are pivoting tactics as victims increasingly refuse to pay:

Trend	Description
DDoS-as-a-Service	Adding DDoS pressure on top of encryption and data theft
Insider recruitment	Recruiting employees at target organizations for initial access
Gig worker exploitation	Using freelance workers for money laundering and access brokering
Regulatory pressure	Reporting victims to regulators to increase pressure to pay
Customer notification	Directly contacting victim's customers about stolen data

Defensive Recommendations

Immutable backups — Maintain offline, air-gapped backups that cannot be encrypted
Network segmentation — Limit lateral movement paths
EDR/XDR deployment — Detect ransomware behavior before encryption begins
Incident response plan — Have a tested plan specifically for ransomware scenarios
Threat intelligence — Monitor Nova/RALord IOCs and TTPs

With 73 victims in just four months since rebranding, Nova demonstrates that ransomware remains one of the most prolific and profitable cybercrime models in 2026.

Nova (RALord) Ransomware Group Confirmed Active with 73

Rebranded and Fully Operational

Group Profile

Double Extortion Model

Victim Distribution

Evolving Ransomware Landscape

Defensive Recommendations

Sources

INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023

The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm

Who Runs the Ransomware Group 'The Gentlemen'?

Nova (RALord) Ransomware Group Confirmed Active with 73

Rebranded and Fully Operational

Group Profile

Double Extortion Model

Victim Distribution

Evolving Ransomware Landscape

Defensive Recommendations

Sources

INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023

The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm

Who Runs the Ransomware Group 'The Gentlemen'?

Rebranded and Fully Operational

Group Profile

Double Extortion Model

Victim Distribution

Evolving Ransomware Landscape

Defensive Recommendations

Sources

Related Reading

Rebranded and Fully Operational

Group Profile

Double Extortion Model

Victim Distribution

Evolving Ransomware Landscape

Defensive Recommendations

Sources

Related Reading