Ransomware Group: NOVA

VICTIM NAME: Dnc

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the NOVA Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On October 5, 2025, the leak page identifies Dnc as a victim of a ransomware incident attributed to the Nova group. The post frames the event as a data-leak scenario rather than a purely encryption-focused attack and claims that approximately 130GB of data has been exfiltrated. The material allegedly includes billing data, customer full names, email addresses, phone numbers, gender information, and details about plans, payments, and invoices, with other data described as included as well. The page also notes that Dnc is presented as an official partner of Heron, and it warns that the stolen material may be released publicly or used for extortion. The content implies that a decryptor and a comprehensive report will be provided, along with options to return or delete the data. For privacy, personal contact details such as emails and phone numbers are redacted in this summary.

The leak page features 25 image previews, which appear to be screenshots or documents connected to the incident. While the raw image links are not included here, the presence of these visuals is highlighted to support the post’s claims of data exfiltration. The page contains Dutch-language sections describing additional victims and timelines, indicating a broader, multi-victim operation conducted by the Nova group in 2025. It also includes promotional language suggesting ransomware-as-a-service capabilities with a stated price, illustrating the attackers’ monetization approach beyond single-victim extortion. Taken together, the post portrays a data-leak scenario with multiple claimed exfiltrations and potential public release of sensitive information unless negotiations are pursued.

From a threat-intelligence perspective, Dnc is the primary focus of the page, while the surrounding content signals a wider campaign by Nova. Organizations associated with Dnc should treat this as a credible risk indicator and review security controls, data-handling practices, and incident-response readiness to mitigate potential fallout from claimed data theft. The presence of a decryptor, accompanying guidance, and readme-style material, along with promotional RaaS content, underscores the importance of proactive monitoring and a robust response in light of potential future extortion attempts.