New Ransomware Group "NOVA" Emerges, Latest Target Municipality of Pisa
A new ransomware group calling themselves “NOVA” has surfaced, marking its first known victim on March 25, 2025. Since then, the group has claimed responsibility for attacks on 18 entities, with the latest being the Municipality of Pisa in Italy, highlighting a growing concern in the cybersecurity world.
Ransomware, for those unfamiliar, is a type of malicious software that cybercriminals use to hold a victim’s files hostage. Imagine someone breaking into your digital house, locking up all your important documents and photos in a super-strong safe, and then demanding money to give you the key. That’s essentially what ransomware does. These groups encrypt a victim’s data, making it inaccessible, and then demand a ransom payment, often in cryptocurrency, to restore access.

NOVA appears to be operating on a “Ransomware-as-a-Service” (RaaS) model. This means the core NOVA group develops the ransomware tools and infrastructure, and then sells or leases access to these tools to other cybercriminals, known as “affiliates.”
In their own words, NOVA states, “Our Services we provide our services to our affiliates , Login to your panel to start work or requast to join ,join fee 200 euro (220 USD) and decryptor 10% (Basic price).” This indicates that affiliates pay an initial fee to join and then give NOVA a 10% cut of any ransom payments they successfully extort from victims.
The group claims their ransomware can target various systems, including:
NOVA actively recruits these affiliates, offering a “lifetime” membership for around $220, payable in cryptocurrencies like Monero (XMR), Bitcoin (BTC), and Ethereum (ETH). They provide affiliates with a control panel to manage their attacks and a secure chat system for communication and negotiation with victims. Interestingly, they also mention a vetting process: “we also will verify you if you are researcher or white hat or law inforcemnt , if you are not accepted we will return your money and delete chat history.” This suggests an attempt to weed out security professionals or law enforcement trying to infiltrate their operations.
A concerning tactic NOVA encourages its affiliates to use is “double extortion.” This means not only do they encrypt the victim’s files, but they also steal sensitive data before encrypting it. If the victim refuses to pay, the attackers threaten to publish this stolen data online, often on a dedicated “leak site” or blog. NOVA even offers to help their affiliates set up these blogs, stating, “to build success bussiness with us you must have Blog to post vicitms and use double blackmail , wanna Blog ? no problem we can help you.”
In a message on their site, NOVA attempts a strange form of communication: “Welcome in companys Blog , if you are normal user you will find lot of data, if you are company IT worker or admin kindly contact us for negotiation , We apologize if we do anything that might harm the simple community , Have a good day.” This message seems to downplay the harm they cause while directly addressing IT professionals of targeted companies to negotiate payment.
The group also announced a “Linux Nova ransomware update to new version,” indicating they are actively developing and improving their malicious tools.
One of the most unusual aspects of the NOVA ransomware group is their reported willingness to accept ransom payments via bank transfer. This is a significant departure from the standard practice of demanding payment exclusively in cryptocurrencies, which cybercriminals favor because they are perceived as anonymous and difficult to trace. Offering bank transfers could suggest a high degree of confidence or perhaps a new strategy to make payments easier for some victims, though it also potentially increases the risk for the criminals themselves.
As of May 13, 2025, 18 victims have been publicly listed by the group since their emergence on March 25. The attack on the Municipality of Pisa is the latest example: the group claims to have stolen over 2TB of data, demonstrating that local government services and the data they hold are prime targets.
The appearance of NOVA and their evolving tactics serve as a stark reminder of the ongoing threat posed by ransomware. They emphasize the need for robust cybersecurity measures for individuals, businesses, and public institutions alike.