Three ransomware groups — Nova, Stormous, and Akira — each posted new European victims on June 9, with targets spanning Italy, the Netherlands, and France across consumer electronics manufacturing, religious organizations, and ambulatory healthcare. The concurrent postings follow a wave of multi-victim ransomware disclosures the previous day, sustaining an elevated pace of European ransomware activity through mid-week.
How Nova, Stormous, and Akira Posted Three EU Victims in a Single Day
Nova ransomware claimed Trevi S.p.A., a consumer electronics manufacturer based in Cesena, Italy. Stormous ransomware listed Katholiek Amersfoort, a Dutch Catholic organization based in Amersfoort in the Netherlands. Akira ransomware added Centre Ellipse, a French ambulatory medical facility. All three postings appeared on June 9, making this a rare instance of three separate ransomware groups disclosing European victims on the same calendar day.
The three victims represent distinct sectors and countries, with no evident operational connection between the groups or their targeting choices. Each operates independently — Nova, Stormous, and Akira maintain separate leak infrastructure and affiliate networks — suggesting the June 9 activity reflects coincidence in disclosure timing rather than any coordinated campaign.
Nova Ransomware’s Claim Against Trevi S.p.A., Italian Consumer Electronics Manufacturer
Trevi S.p.A. is a consumer electronics company established in 1957 and headquartered in Cesena, in northern Italy’s Emilia-Romagna region. Nova ransomware’s posting threatened to release data from the company if its demands were not met, consistent with the double extortion model that most modern ransomware groups employ. Consumer electronics manufacturers handle a mix of proprietary product development data, supplier relationships, and customer records — all categories of information that carry leverage value in an extortion scenario.
Nova has been expanding its European victim list in recent months, with Italian companies appearing among its claimed targets as the group seeks leverage across the continent’s industrial sector.
Stormous Lists Dutch Catholic Organization Katholiek Amersfoort as Ransomware Target
Katholiek Amersfoort is a religious organization serving the Catholic community in Amersfoort, Netherlands. Its listing by Stormous ransomware places a faith-based nonprofit organization alongside commercial and industrial targets in the same day’s ransomware disclosures. Nonprofit and religious organizations often present reduced cybersecurity resources relative to their commercial counterparts, making them targets of opportunity for ransomware affiliates. Stormous’s posting threatens data release, though the organization has not publicly confirmed any breach.
Akira’s Targeting of Centre Ellipse and Its Sustained Focus on European Healthcare Providers
Akira ransomware’s addition of Centre Ellipse — a French ambulatory medical facility — extends the group’s documented targeting of European healthcare providers. Ambulatory care centers, which deliver outpatient services without overnight admission, handle patient records, appointment systems, and insurance billing data that are highly sensitive and operationally critical. Disruption to these systems forces facilities to revert to manual processes, creating patient care delays even when direct clinical systems are not affected.
What Nova, Stormous, and Akira’s Concurrent EU Postings Indicate About RaaS Affiliate Operations
The appearance of three different ransomware groups posting European victims on the same day reflects the fragmented nature of modern ransomware-as-a-service ecosystems. Unlike coordinated nation-state campaigns, RaaS operations produce victim disclosures according to each affiliate’s independent timeline — when multiple groups post on the same day, it typically indicates independently completed campaigns rather than coordinated multi-group activity.
European organizations across healthcare, manufacturing, and nonprofit sectors have faced sustained ransomware pressure throughout 2026. Akira’s continued healthcare targeting follows a pattern in which the group has repeatedly claimed European medical and care facilities, demonstrating a consistent preference for the sector’s combination of sensitive data and operational urgency. Nova and Stormous each bring separate affiliate networks and victim pools, but their simultaneous June 9 postings add to a week in which ransomware activity against European organizations remained notably high following an active June 8 multi-group wave that included victims in France, Thailand, Australia, and the United States.
