CBSecurity.net | Investigations.




The Nova ransomware group, previously known as RALord, plays a large part in the cybercrime community. Its administrators have allowed work against the medical and educational sectors, which has directly harmed thousands of people.

With our partners from dos-op.io, we are here to show them what security means. As you read this, I am sure many agencies are reading it too, so I hope the administrators of Nova are worried.

Let's start with the information. First, I'll attach this graph for better visual understanding.




========================
Gang names:
Nova Ransomware
RALord
Ra Group

SSH public key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDoroqL14ZquFokAs5qj2yiGY+4KnB3eTUdp02RfkwK

Aliases (4):
AlexL101m3
ForLord - Recruiter | admin | forum ops
RALord-RaaS - Recruiter | admin | forum ops
jhonkarry

Names:
Алексей Alex - Recruiter | admin | forum ops

Emails:
ForLord@proton.me

Steam profile ID: 76561199522984415 (registered to a known email)

Online platforms:
RAMP - ForLord
BreachForums - RALord-RaaS, ForLord, jhonkarry
XSS - threads/111867/ (contact methods)

GitHub account:
forlord
=========================
Infrastructure details:

Malware family:
https://www.unpac.me/results/8f16d881-88e8-44c9-8f13-8858c3f8f2e2
Based on the Babyk (Babuk) source code
Rust locker - bcrypt hash $2y$10$ZCqfeVGE6e8Zi6dTW0pHcu7IVOyF3k.yi/GSyH3y8ePaBWNlLa9pG (recovered using unpac.me)


Known hosting providers used:
DigitalOcean (AS14061)
vps.ac
https://cloudzy.com/
Vultr

Infra IP addresses:
45.63.116.244 - HTML hash -209275114
192.92.172.144
161.35.200.18 - banner "RA-world", http://161.35.200.18/Victims.html - https://www.shodan.io/host/161.35.200.18
144.172.95.78 - file server = ms5fasbpbfpbxmgtrhcspvg5ajmb2tpxdcg7x2wdd6equemuivqi5syd.onion & Nova Cloud v2.0 - https://urlscan.io/result/0198a0d4-41fd-727a-b1ee-85179a1f96bc
144.172.92.192 - https://144.172.92.192:5000/ (panel login page)
95.215.207.150

URLs:
http://www.novatrade-dashboard.com/
ms5fasbpbfpbxmgtrhcspvg5ajmb2tpxdcg7x2wdd6equemuivqi5syd.onion
novatd4577pzlvdyy42slydhrhru7fpcflbbxlajcmbfrgzyeis6d3id.onion



Contacts:
TOX: 8E9A6195A769FE7115F087C61D75CF32874C339B3AB0947D07480C9A8A12DA5009151BE6A51F

Session: 054f55ec93aca9bac362b9d91eff36a7ce451e7caba47c0b2e004ba429f9529c79

Adamant IM: U12898974896918162613 (ADM)

Summary:

We have left 80% of our information out of this report. The team is preparing a second leak within the coming days.
CBSecurity thanks dos-op.io for its help and gives it full credit.