Security & Compliance Automation Platform
UnderDefense MAXI is the solution to the day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you, with you in the driver's seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight, automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15 minutes, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
RALord (Nova) ransomware recovery team on standby
RALord, rebranded as Nova RaaS in April 2025, has claimed 73 confirmed victims using a Rust-based encryptor and qTox-based communications designed to avoid conventional C2 detection. Isolate affected systems immediately and contact UnderDefense's incident response team — do not attempt decryption or negotiation without expert guidance.
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a RALord (Nova) attack can make a huge difference and help you make a full recovery. Request 24/7 RALord (Nova) ransomware recovery services to restore your data and maximize your chances of resuming operations.
RALord/Nova is written in Rust, which compiles readily for both Windows (.exe) and Linux, so a single codebase can be deployed across mixed infrastructure. Rust binaries are comparatively awkward to analyze statically (heavy inlining, monomorphized generics and a large statically linked runtime), and the language's memory safety leaves fewer implementation bugs for defenders to exploit in the encryptor itself while it runs.
Tox-based messaging has been used by earlier ransomware groups; RALord/Nova goes further and mandates the qTox client for all ransom negotiations. Tox is end-to-end encrypted and peer-to-peer, so there is no central server for law enforcement to intercept or seize. Ransom notes include the operator's Tox ID (the contact identifier used in qTox) for victim contact.
Nova RaaS maintains a formalized affiliate program (named APIPN) that recruits network access brokers, including those with access to supply-chain partners, and provides them with:
– 85% of ransom proceeds
– Customizable malware builders
– Technical support
– Infrastructure sharing for C2 and data exfiltration
This structure suggests professional RaaS maturity and rapid scaling potential.
RALord/Nova claims not to target schools or nonprofit organizations, a rare ethical boundary in the ransomware ecosystem. Verification of this claim is limited; some sources indicate the boundary is aspirational rather than enforced.
Unlike indiscriminate ransomware, RALord/Nova targets specific verticals (aerospace, municipal government, NGOs) suggesting preliminary reconnaissance and victim triage based on perceived ransom capacity.
No legitimate public decryptor exists. RALord uses Rust-based encryption with unique keys per victim. Recovery requires offline backups or ransom payment. Law enforcement coordination with international partners may enable key recovery from seized C2 infrastructure, though success rate is historically low.
Search for .RALord file extension across encrypted systems. Ransom notes named README-[random_string].txt with qTox contact ID provide victim indicators. Monitor for Rust binary execution characteristics and qTox communication attempts.
File Extensions
.RALord, .ralord, .RALORD (variant-dependent; case variations observed)
Ransom Note Filenames
README-[random_string].txt (example: README-9a3f2b8c.txt)
RALord/Nova Hashes
SHA256 hashes vary significantly because affiliates build per-victim samples from the malware builder, so hash-based blocking alone is unreliable. Rust runtime artifacts (embedded rustc version strings, panic-location source paths under library/std and library/core, and std::/core::/alloc:: symbol names) support string- and behavior-based detection despite compilation variations.
RALord/Nova Tools
Initial Access: Credential-based access (RDP, SSH, VPN), vulnerability exploitation (case-by-case)
Reconnaissance: Network enumeration, asset discovery, data staging
Lateral Movement: Windows administrative shares, RDP, SSH
Credential Dumping: Mimikatz and other LSASS memory access techniques (live reads or process memory dumps)
Data Exfiltration: Rclone, legitimate cloud storage tools (customized per affiliate)
Encryption: Rust-based AES/RSA implementation
Communication: qTox encrypted messaging (enforced for all ransom negotiations)
Most Common Red Flag
.RALord file extensions across network shares, combined with README-[random_string].txt ransom notes containing qTox ID contact information, unusual credential usage patterns (RDP or SSH from unexpected geographies), and rapid data exfiltration via rclone or cloud storage tools.
| Attack vector | % of RALord incidents | Notes |
|---|---|---|
| Compromised credentials (RDP/SSH/VPN) | 55% | Credentials from breach databases, phishing, credential dumping |
| Supply network access | 25% | Affiliate compromise of supply chain partners or service providers |
| Unpatched vulnerabilities | 12% | Application-specific exploits (case-by-case targeting) |
| Phishing with credential stealer | 8% | Malware delivering credential dumpers |
A municipality paid a $300K ransom after a 3-day negotiation; the decryption key was provided and verified functional. An aerospace contractor refused payment; leak-site exposure triggered supply-chain pressure, and a client demanded compensation. An NGO was targeted but asserted nonprofit status; the gang did not escalate extortion, consistent with its claimed policy.
Isolate all systems with .RALord file extensions from network immediately. Assume all credentials compromised; force password reset network-wide. Scan for and remove Mimikatz artifacts, scheduled tasks, and persistence mechanisms. Restore from verified offline backups. Monitor for re-infection attempts via credential re-use or qTox communication attempts for 6+ months.
Complete recovery from offline backups is required; assume all credentials compromised and rotate all passwords before restoration. Implement network segmentation to prevent lateral movement in case of re-infection. Monitor for credential re-use attempts and qTox communication patterns for 6+ months. Engage law enforcement and negotiation specialists; Nova infrastructure may enable key recovery.
RALord/Nova demands range from $200,000 to $5,000,000 depending on victim organization size and sector. Municipality and government targets receive higher demands. Aerospace organizations are specifically targeted with elevated demands. Negotiation is common; reported settlement rates are 30-50% of initial demand.
RALord, rebranded as Nova RaaS as of April 2025, is an affiliate-based Ransomware-as-a-Service group using Rust-based encryption to target municipalities, aerospace organizations, NGOs, and international entities. The group appends the .RALord extension to encrypted files and mandates qTox encrypted messaging for ransom negotiations, preventing law enforcement interception. Nova offers affiliates an 85% revenue share and claims not to target schools or nonprofits, a rare ethical boundary in the ransomware ecosystem. The gang claims 73 victims since May 2025, with geographic concentration in the United States, France, Brazil, and Singapore.
Attribution suggests Eastern European or Russian-based operations based on infrastructure patterns, Rust development expertise, and ransom communication preferences. The structured affiliate program suggests professional RaaS maturity and international operational capacity. No definitive nation-state affiliation has been published; group appears financially motivated.
RALord/Nova gains initial access through compromised credentials (RDP, SSH, VPN) obtained from breach databases or phishing campaigns, or through recruitment of supply chain access brokers who provide network credentials. Operators establish persistence, conduct reconnaissance to identify high-value targets and data, exfiltrate sensitive data via rclone to cloud storage, and deploy the Rust-based ransomware encryptor. All ransom negotiations occur via qTox encrypted messaging to prevent law enforcement tracking.
From initial credential compromise to encryption deployment, RALord/Nova attacks average 5-12 days of dwell time, allowing for reconnaissance and data exfiltration. Some targeted incidents show acceleration to 24-48 hours if the gang detects active monitoring. The Rust encryptor enables rapid encryption due to optimized performance.
No legitimate public decryptor exists. RALord uses Rust-based encryption with unique keys per victim. Some victims who paid ransom report keys were provided and functional, suggesting the gang honors decryption agreements more reliably than some competitors. Recovery without ransom requires offline backups or law enforcement key recovery from seized infrastructure.
All files encrypted with .RALord extension become inaccessible. The gang exfiltrates sensitive data and threatens public release on dark web forums if ransom is not paid within 7-14 days. For municipalities and government organizations, this triggers regulatory notification obligations and public scandal. For aerospace and critical infrastructure, supply chain pressure from clients amplifies ransom pressure.
Implement multi-factor authentication on all remote access (RDP, SSH, VPN) and administrative accounts. Assume credentials from breach databases are compromised; rotate passwords quarterly. Monitor for unusual lateral movement via administrative shares and for RDP sessions from unexpected geographies. Monitor for rclone execution; restrict it to trusted administrative users only. Maintain offline, immutable backups tested quarterly. Monitor dark web forums for mentions of your organization.
– Enforce MFA on all RDP, SSH, VPN, and administrative accounts
– Rotate credentials quarterly, assuming breach database compromise
– Monitor for unusual RDP/SSH sessions from unexpected geographies
– Restrict rclone execution; monitor for unauthorized use
– Implement EDR with detection rules for Mimikatz execution
– Monitor Windows administrative share access for unusual lateral movement
– Maintain offline, encrypted backup copies verified quarterly
– Implement network segmentation to restrict lateral movement
– Monitor dark web forums and threat feeds for organizational mentions
– Engage law enforcement early if compromise is detected; Nova infrastructure may enable key recovery
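The monitoring items in the list above (rclone by untrusted users, Mimikatz-style command lines, RDP from unexpected sources, administrative share access by unexpected accounts) map onto four simple rules over Windows Security log fields. The block below is an added example by the editor, not an UnderDefense detection, and it runs over constructed sample records in the shape of events 4688 (process creation), 4624 (logon) and 5140 (share access); the allowlisted networks and account names are assumptions to be replaced with your own. "Expected geographies" is approximated as an allowlist of source networks, since that is what is available in the event itself.

```python
import ipaddress
import re

# Where interactive RDP sessions (logon type 10) are expected to originate.
# Stand-in for "expected geographies": internal ranges and a VPN pool.
# Assumed values; adjust to your environment.
EXPECTED_RDP_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Accounts permitted to run rclone / touch administrative shares (assumed).
RCLONE_TRUSTED_USERS = {"backup_admin"}
ADMIN_SHARE_TRUSTED_USERS = {"backup_admin", "svc_sccm"}

# rclone.exe by image name; a renamed binary evades this, so pair it with a
# hash or signer check in a real deployment.
RCLONE_RE = re.compile(r"(^|[\\/])rclone(\.exe)?$", re.IGNORECASE)
# Mimikatz module syntax in a command line.
MIMIKATZ_RE = re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.IGNORECASE)
# Administrative shares: \\host\ADMIN$ and \\host\<drive>$.
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\]+\\(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)


def from_expected_source(ip: str) -> bool:
    """True if ip falls inside one of the allowlisted source networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_RDP_SOURCES)


def triage(events):
    """Apply the four rules and return one alert dict per hit."""
    alerts = []
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Computer")
        if eid == 4688:
            user = ev.get("SubjectUserName")
            if RCLONE_RE.search(ev.get("NewProcessName", "")) and user not in RCLONE_TRUSTED_USERS:
                alerts.append({"rule": "rclone-untrusted-user", "host": host,
                               "user": user, "detail": ev.get("CommandLine")})
            if MIMIKATZ_RE.search(ev.get("CommandLine", "")):
                alerts.append({"rule": "mimikatz-commandline", "host": host,
                               "user": user, "detail": ev.get("CommandLine")})
        elif eid == 4624 and ev.get("LogonType") == 10:
            src = ev.get("IpAddress", "")
            if not from_expected_source(src):
                alerts.append({"rule": "rdp-unexpected-source", "host": host,
                               "user": ev.get("TargetUserName"), "detail": src})
        elif eid == 5140:
            user = ev.get("SubjectUserName")
            if ADMIN_SHARE_RE.search(ev.get("ShareName", "")) and user not in ADMIN_SHARE_TRUSTED_USERS:
                alerts.append({"rule": "admin-share-unexpected-user", "host": host,
                               "user": user, "detail": ev.get("ShareName")})
    return alerts


# Constructed sample records (not real telemetry). 203.0.113.0/24 is a
# documentation range standing in for an unexpected external source.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "FS01", "SubjectUserName": "svc_web",
     "NewProcessName": r"C:\Tools\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Finance mega:staging --transfers 32"},
    {"EventID": 4688, "Computer": "BK01", "SubjectUserName": "backup_admin",
     "NewProcessName": r"C:\Program Files\rclone\rclone.exe",
     "CommandLine": r"rclone.exe sync E:\Backups s3:offsite-archive"},
    {"EventID": 4688, "Computer": "WS22", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4688, "Computer": "WS22", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Users\Public\m.exe",
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 4624, "Computer": "DC01", "LogonType": 10,
     "IpAddress": "10.20.30.40", "TargetUserName": "it_admin"},
    {"EventID": 4624, "Computer": "DC01", "LogonType": 10,
     "IpAddress": "203.0.113.7", "TargetUserName": "it_admin"},
    # Network logon (type 3) from the same external address: not RDP, so the
    # RDP rule stays quiet; a separate rule would cover it.
    {"EventID": 4624, "Computer": "DC01", "LogonType": 3,
     "IpAddress": "203.0.113.7", "TargetUserName": "it_admin"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\ADMIN$", "IpAddress": "10.20.30.41"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "svc_sccm",
     "ShareName": r"\\*\C$", "IpAddress": "10.20.30.5"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\Public", "IpAddress": "10.20.30.41"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['rule']:28} host={a['host']} user={a['user']} {a['detail']}")
```

Four of the ten sample records fire: the rclone run by a non-backup account, the Mimikatz command line, the RDP logon from the documentation range, and the ADMIN$ access by a regular user. The same logic ports directly to a SIEM query; the point of the Python version is that the thresholds and allowlists are explicit and testable before they go into production rules.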
qTox encrypted messaging provides Nova operators multiple strategic advantages:
1) End-to-end encryption prevents law enforcement interception of ransom negotiations
2) Decentralized design prevents infrastructure seizure from disrupting communications
3) Removes paper trail compared to traditional email ransom notes
4) Forces victims to download and run qTox, an unfamiliar tool outside their normal controls, which can expose the responding staff to OSINT identification
5) Enables two-way negotiation without email authentication requirements
Nova’s structured affiliate program (APIPN) with formalized revenue sharing (85% to affiliates) and claimed ethical boundaries (no schools/nonprofits) differentiate it from commodity RaaS groups. The specific targeting of municipalities and aerospace suggests preliminary reconnaissance and victim selection rather than indiscriminate affiliate attacks. The Rust re-implementation and qTox-mandated communication indicate technical sophistication and privacy-conscious operations.