Nova ransomware posted two victims on May 26, 2026 — Eriell, a Russian oil and gas engineering services company, and sandox info, a technology firm — extending the group’s posting run to five victims in five days across South America, Europe, the Middle East, and now Russia.
Nova’s May 26 Eriell and sandox info Listings Cap a Five-Day Burst
The May 26 batch follows three earlier Nova disclosures in the same week: the University of Valencia (Spain) on May 23, and SECONT and Adensa Teknoloji (Brazil and Turkey, respectively) on May 24. Nova has claimed 122 or more total victims across its operational lifetime, and the May 22–26 window represents one of the group’s most geographically diverse concentrated posting periods.
Eriell’s Oil and Gas Engineering Data and International Project Exposure
Eriell is a Russian oil and gas engineering services company. Oil and gas engineering firms hold a data profile that carries significant commercial sensitivity: project engineering documents, geological survey data, drilling and production specifications, client contracts with national energy companies, and procurement records. For a firm with international operations, a full-archive exfiltration could expose commercially sensitive project data held on behalf of multiple client national oil companies.
Technology sector victim sandox info represents a different but related risk profile. Technology companies that develop software or manage client system access may hold source code repositories, client access credentials, and software license data — assets that create secondary supply chain risk beyond the immediate victim.
Nova’s Targeting of a Russian Firm and the RaaS Geographic Carve-Out Question
Nova’s decision to list a Russia-based organization stands out in the ransomware landscape. Many ransomware groups avoid targeting entities headquartered in Russia — a pattern typically attributed to the geographic overlap between ransomware affiliate pools and Russia-based operators who face domestic prosecution risk if they attack targets in their home country. Nova’s listing of Eriell indicates no such constraint applies to this group.
Two possible explanations emerge from the available information: Nova’s affiliates may operate outside Russia and therefore face no domestic prosecution deterrent, or Eriell may have been targeted because of the scope of its international operations, which would place the company within Nova’s operational criteria regardless of its Russian headquarters. Either interpretation carries intelligence significance about the group’s composition and geographic targeting philosophy.
Nova’s 122-Victim Total and the Scope of the May 22–26 Five-Victim Campaign
Nova has claimed 122 or more victims across its operational history. The May 22–26 posting burst — spanning Spain (University of Valencia), Brazil (SECONT), Turkey (Adensa Teknoloji), and Russia (Eriell), with sandox info in a currently unidentified jurisdiction — is among Nova’s most geographically dispersed single-week campaigns.
The consecutive-day posting pattern, with multiple geographies represented across each day’s disclosures, is consistent with a group running concurrent operations across multiple affiliate channels rather than a single operator conducting sequential attacks. Nova’s willingness to list a Russian oil and gas company — a category that many ransomware groups treat as off-limits — marks this week’s campaign as particularly notable for what it reveals about the group’s targeting philosophy.
