Last night, DataBreaches received a tip about a website with a new report exposing the Nova RaaS gang (“Nova”). Nova (formerly known as RALord) is a ransomware-as-a-service (RaaS) group. The ransomware, reportedly based on Babuk source code, encrypts victims’ files and then attempts to extort them into paying for a decryptor and for data deletion (see Update 2, below, for correction on source code).
The report is the result of a collaboration between CBSecurity and Dos-Op.io, with the latter conducting all of the research.
DataBreaches responded to the tip and was able to ask “Marcus” from CBSecurity for some additional details.
According to Marcus, a few people from dos-op.io conducted all of the research, which took approximately two months. “Mistakes in Nova’s network configuration exposed additional attack surfaces and revealed their backend addresses,” Marcus informed DataBreaches.
The first part of the report contains a Maltego analysis and some preliminary infrastructure and personal information on the administrators and recruiters.
Aliases (4):
- AlexL101m3
- ForLord – Recruiter | admin | forum ops
- RALord-RaaS – Recruiter | admin | forum ops
- jhonkarry

Names:
- Алексей Alex – Recruiter | admin | forum ops
“Alex,” who lists their location as London, maintains the “ForLord” GitHub repositories. “ForLord” was also the username for the group’s ProtonMail account.
A preliminary version of the first part of the planned three-part report can be found at cbsecurity.net. According to Marcus, the second and third parts of the report will include information on about 12 Nova affiliates.
DataBreaches asked whether Nova ever detected the attackers. “Maybe you should ask their admin,” Marcus replied, “because the next two leaks will make his hair fall out.”
But why target Nova? Marcus responded, “Their awful rules to affiliates and just the ethics of ransoming. We find it highly disgusting.” It is not clear to DataBreaches what makes Nova any more disgusting than other ransomware gangs that also attack the medical and education sectors, but the report specifically mentions those sectors. In August, DataBreaches reported on one of Nova’s attacks involving a medical target where they appeared to violate the agreement they made with the victim who paid them not to disclose data from 485,000 Dutch women who had been screened for cervical cancer. Nova’s attempts to clarify why they publicly raised the ransom demand after the victim paid, and then why their threat wasn’t really a threat, created confusion and stress for the victim and affected patients.
As of publication, Nova appears to be frequently updating/changing their dark web leak site, but they post no contact information on it.
About CBSecurity and Dos-OP
Because both CBSecurity and Dos-OP were new to DataBreaches, Marcus was asked whether he would reveal anything about who is behind it and running it. He responded, “CBSecurity.net is a fully anonymous news and investigations outlet. No one is behind it.”
There are no named individuals behind Dos-OP either, it seems. Dos-OP advertises itself as a service providing OSINT cyber intelligence, automated threat hunting, and comprehensive digital investigations. Currently, its main product is “Smart Search.”
DataBreaches asked whether CBSecurity is currently collaborating with Dos-OP to investigate any other ransomware gangs. Marcus stated, “Yes, we are constantly targeting criminals and public figures of interest in collaboration with dos-op.io. In a past collaboration, we also reported a serious bug in wix’s Base44 app, which exposed all users’ data to exfiltration.”
Contacting Nova and Dos-OP
DataBreaches emailed Nova last night at its previously listed email address to ask them for their response to the report’s claims and attributions, but the email bounced back. DataBreaches left a friend request for them on Qtox, but they do not appear to have logged in to it by publication. DataBreaches found that their “BlackBeard” account on one Russian-language forum was recently banned, and we could not find them on a second Russian-language forum or actively on X.com. This post will be updated if Nova responds or contacts this site.
Marcus tells DataBreaches that the second part of the report should be released in about 10 days. Of note, Marcus claims that CBSecurity and Dos-OP have already sent detailed information to some law enforcement agencies, and the information will also be sent to other law enforcement agencies.
Dos-Op has contact info listed on its website. They have also created a Telegram channel and a Telegram chat channel.
This post was edited post-publication to correct a statement about information having been sent to certain law enforcement agencies.
Update 1: Nova contacted DataBreaches to dispute many of the claims made in Dos-OP’s report. DataBreaches has forwarded those to Dos-OP with a request for a response. This post will be updated when a response is received. In the interim, this post should be viewed as disputed by Nova.
Update 2: DataBreaches has received Dos-OP’s responses to Nova’s claims. They acknowledge making an error in their report that states that the ransomware is based on babuk source code. As Nova stated to DataBreaches in chat yesterday, the ransomware is in Rust. What Dos-OP meant to state is that the Nova developer(s) came from Babuk.
Nova’s Objections and Dos-OP’s Responses
Nova had a number of objections and disputes with the content of Dos-OP’s report. They criticized this site and blogger repeatedly for what they described as unprofessional or fake reporting and “black propaganda.” The chat also included a number of veiled threats against this blogger, who, quite frankly, is getting really tired of being threatened by lawyers for entities on the one hand, and threat actors on the other hand.
As a matter of ethics, however, DataBreaches did forward Nova’s complaints/claims to Dos-OP. The following is a summary of Nova’s claims and Dos-OP’s responses.
1. Nova claims their ransomware is not based on Babuk, but uses Rust. Dos-OP agreed that it uses Rust and had intended to indicate that the developer came from a Babuk background.

2. Nova claims a check of all IPs does not reveal any panel or anything related to their network. Dos-OP provided this site with screenshots showing that connection between IP addresses in the report and Nova’s network. This is just one of the screenshots showing a scan of 144.172.92.192. See also the connection between http://144.172.95.78/ and Nova Cloud.
DataBreaches notes that Dos-OP has provided DataBreaches with a 66-page report on Nova, under embargo. It contains evidence that refutes Nova’s claims on this point and other points.
3. Nova claims “Maltego exf wrong IPv4, nothing related.” Dos-OP provided DataBreaches with evidence linking IPv4 in the report to Nova.
4. Nova claims it never used [email protected] email address. Dos-OP responded, “Our investigations lead us to believe the Ramp account and other accounts on forums were connected to them. The proton account was made hours before the registration on xss. Even if they deny using this, they shouldn’t be this bothered.”
5. Nova claims the following are fakes and they just used ForLord and RALord as raas names:
- AlexL101m3
- ForLord – Recruiter | admin | forum ops
- RALord-RaaS – Recruiter | admin | forum ops
- jhonkarry
DataBreaches (and Dos-OP) notes that there were users on BreachForums with ForLord and RALord-Raas usernames, so we don’t know what Nova is claiming. DataBreaches also noted that “ForLord” was associated with Alex on GitHub.
6. Nova claims they have no connection to either Ra Group or RA World. Ransomlook.io lists Nova as a rebrand of RALord. Dos-OP provided DataBreaches with a screenshot showing them using RA World.
For now, then, DataBreaches is leaving the post up with these clarifications and responses. After more of the full report is revealed, if Nova wants to revisit any specific points, he is welcome to contact this site but without threats. The following is the kind of bullshit I have no patience for:
Nova:
we working with journalists before, but they all positive, you are the first who engage in black probaganda, and we can deal with it with our style
Dissent Doe:
do not try to threaten me. I report honestly. If I make a mistake, I correct it. And I doubt journalists are positive about you.
Dissent Doe:
let me get going here so I can start contacting Dos-OP with your objections/claims.
Nova:
look, you can continue in this PB with your dos os, i was think its fed expose or something, but remember, i can post healthcare in future, i will tag your site as reason
xD you will be in memes news after this report, everything wrong xD
“2. Nova claims a check of all IPs does not reveal any panel or anything related to their network. Dos-OP provided this site with screenshots showing that connection between IP addresses in the report and Nova’s network. This is just one of the screenshots showing a scan of 144.172.92.192. See also the connection between http://144.172.95.78/ and Nova Cloud.”
its nova trade crypto xD if you want see our panel fee 1k
“4. Nova claims it never used [email protected] email address. Dos-OP responded, “Our investigations lead us to believe the Ramp account and other accounts on forums were connected to them. The proton account was made hours before the registration on xss. Even if they deny using this, they shouldn’t be this bothered.””
how they know xD for real iam use other service not protonmail you can ask forums owners xD
“3. Nova claims “Maltego exf wrong IPv4, nothing related.” Dos-OP provided DataBreaches with evidence linking IPv4 in the report to Nova.”
maltego can’t work with onion dude xD
“6. Nova claims they have no connection to either Ra Group or RA World. Ransomlook.io lists Nova as a rebrand of RALord. Dos-OP provided DataBreaches with a screenshot showing them using RA World.”
iam change name to nova becouse peoples was think RALord related to ra world, we don’t have any connections, iam choice name randomly
“For now, then, DataBreaches is leaving the post up with these clarifications and responses. After more of the full report is revealed, if Nova wants to revisit any specific points, he is welcome to contact this site but without threats. The following is the kind of bullshit I have no patience for:”
i will ignore you with your dos op friends, was fun to hear all that, and about threat i wasn’t know that you gonna cry from it and don’t think your topic or news will make us feel bad, real hackers still with us, and nova reputation will stay in top, don’t contact us again to waste time