Nova ransomware posted two victims to its dark web leak site on May 24, 2026 — SECONT, a Brazilian state government agency responsible for internal control and public transparency reporting, and Adensa Teknoloji, a Turkish software development company — bringing the group’s total to three new victim disclosures across three consecutive days and three distinct geographies.
SECONT: A Brazilian Government Transparency Agency Breached in Its Own Oversight Role
SECONT — the Secretaria de Controle e Transparência — is a Brazilian state government agency charged with internal control, auditing, and public transparency reporting for the agencies it oversees. The breach of an internal control body introduces a secondary dimension absent from most ransomware disclosures: the agency mandated to ensure accountability across other government entities has itself become a transparency incident, with sensitive records about the agencies under its oversight potentially now in ransomware operators’ hands.
SECONT’s Internal Audit Records and the Government-Wide Data Exposure They Create
SECONT’s operational mandate means its data holdings include internal audit records, financial control documentation, and civil servant information for the government agencies within its oversight scope. A successful breach and data publication would not only expose SECONT’s own operational records but could reveal sensitive information about the internal financial and administrative processes of every government body the agency audits. This secondary exposure — where the breach of one oversight institution becomes a window into the operations of multiple underlying agencies — distinguishes an internal control body from a typical government target. No ransom amount or data volume was specified in the initial Nova leak site posting for SECONT as of May 26.
Adensa Teknoloji: Source Code, Developer Credentials, and Client Software Licenses at Risk
Nova’s second May 24 victim, Adensa Teknoloji, is a Turkish software development and technology company. Software firms hold data categories that carry downstream supply chain risk beyond the immediate victim — source code repositories, client software license configurations, developer access credentials, and system integration details that could be leveraged to target the firm’s own client organizations. No data volume or ransom figure was disclosed for Adensa Teknoloji in the initial Nova posting. Technology companies represent high-value ransomware targets specifically because their data archives reflect not only their own operations but the technical infrastructure of the clients whose software they build and maintain.
Nova’s Three-Day, Three-Geography Campaign Across May 23–24, 2026
The dual May 24 postings follow Nova ransomware’s listing of the University of Valencia in Spain on May 23, 2026 — just 24 hours earlier. Three victim disclosures across three consecutive days, spanning Brazil, Turkey, and Spain, point to an active multi-geography campaign rather than isolated opportunistic attacks against single targets. The geographic spread — South America, Western Europe, and the Middle East-Europe corridor — in a 48-hour window is consistent with an operation running concurrent campaigns across multiple regions rather than executing sequentially.
Nova is a relatively new entrant in the ransomware landscape but has demonstrated a sector-agnostic targeting approach across its 2026 activity. Its choice of a government transparency agency is notable: public-sector bodies responsible for oversight and accountability represent high-reputational-damage targets where a breach creates a visible contradiction between institutional mandate and operational security. Brazil’s federal and state government agencies have faced increasing ransomware attention in 2026, and SECONT’s listing adds an internally sensitive government body to that count.
The three-day posting run — University of Valencia on May 23, SECONT and Adensa Teknoloji on May 24 — suggests Nova is operating at a tempo consistent with an organized multi-operator campaign. The absence of ransom amounts and data volumes in both the SECONT and Adensa Teknoloji postings is characteristic of early-stage Nova disclosures, where the initial listing functions primarily as public notification of compromise before specific ransom terms are communicated directly to the victim organizations.