Ransomware Group: NOVA

VICTIM NAME: Clinical Diagnosis [Deleted thread after 2 days]

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the NOVA Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On August 22, 2025, the leak page documents an incident involving a healthcare provider named Clinical Diagnosis [Deleted thread after 2 days]. The post, attributed to the Nova group, frames the event as a ransomware-related breach within the healthcare sector and presents it as more than a simple encryption event. The page references an initial “Deal” and claims that data was removed from it, while stating that no data beyond a so‑called Sample was leaked and that the Sample was deleted. The attackers portray the message as a patient reassurance exercise and as a warning to other victims about the universality of security gaps, while suggesting forthcoming disclosures about how the breach occurred and how victims might be helped to recover and strengthen defenses. The narrative also carries the typical threat rhetoric and guidance aimed at media coverage, victims, and law enforcement, indicating a strategic blend of data leakage claims and public relations messaging.

The page’s metadata confirms the victim operates in the Healthcare industry and lacks visible images or downloadable files at this time (no screenshots). A claim URL is indicated, along with a reference to a group profile, signaling potential channels for negotiation or verification without exposing concrete contact details in this summary. The content includes a “Nova Update” chronology with multiple dated entries across 2025, including assertions that data has been leaked in later updates and admonitions tied to the victim and readers. The page also promotes a ransomware‑as‑a‑service offering with a stated lifetime price, suggesting the post serves as both a victim notification and a promotional platform for the actor’s broader operations. Notably, there is no explicit ransom amount presented for this specific incident within the post itself; the messaging centers on credibility, potential future leaks, and pressure to improve security rather than a defined monetary demand.