Ransomware Group: NOVA

VICTIM NAME: FysioRoadmap

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the NOVA Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The leak page centers on the victim “FysioRoadmap,” described as a component of a broader physiotherapy software and hardware portfolio. It presents FysioRoadmap as an electronic patient record (EPD) system designed for physiotherapy and aligned with the guidelines of the Dutch physiotherapy association (KNGF), emphasizing ease of use for practitioners. The page notes that the organization produces hardware in addition to software, listing devices used in rehabilitation and exercise therapy. The attackers claim to have exfiltrated data from the victim’s environment, stating that roughly 10 GB of data were stolen and that more than 140,000 documents contain sensitive information such as personal identifiers and clinical details with images. A desktop readme is referenced that allegedly guides recovery and provides a means to contact the attackers for negotiation. The post shows a dated chronology of data leaking and encryption events, with the post date identified as September 28, 2025. Because a single compromise date isn’t clearly stated, the post date is treated as the event date for this report. The Netherlands is indicated as the victim’s country. The page also notes a timeline of leaks and encryption across multiple dates, reinforcing the impression of an ongoing data-breach activity.

The leak page includes an image gallery described as containing 11 images, likely screenshots or other visual references to internal content, though the exact contents are not specified in this summary. In addition to the 10 GB claim, the page later asserts the theft of up to 100 GB of data, spanning resources, billing information, customer data, product plans, commercial data, archives, videos, pictures, and documents, along with a readme that purportedly guides recovery and provides contact instructions. The page also contains content that markets ransomware‑as‑a‑service, including a stated price for a lifetime license and an invitation to others to participate, while warning that negotiation options may be available. Throughout the page, there are references to both leaked data and encrypted data across a chronology of 2025 dates. To protect individuals, PII has been redacted in this summary, while the victim’s name remains unchanged.