Identity-Fluid Ransomware: When the Name Changes but the Attack Never Does

Executive Overview

The second half of 2025 marked a clear shift in how ransomware operations are structured and operated. Rather than maintaining recognizable brands designed to build reputation and pressure victims, a growing number of threat actors adopted what is best described as an identity-fluid operating model. These groups intentionally minimize branding, rotate names quickly, and reuse infrastructure and tooling to stay operational even when one identity is exposed or disrupted.

Groups operating under names such as RALord (later observed rebranding as NOVA) and DireWolf illustrate this change well. Both surfaced in late 2025, demonstrated mature tradecraft, and avoided the traditional ransomware-as-a-service publicity model. Their focus was not recognition, but continuity.

The practical impact is that attribution is harder, takedowns are less effective, and defenders are often left chasing names that no longer matter.


What Is Identity-Fluid Ransomware

Identity-fluid ransomware refers to operations where threat actors deliberately avoid long-term branding and instead optimize for reuse and survivability. These actors typically:

  • Avoid building recognizable brands that attract law-enforcement attention
  • Rebrand rapidly when infrastructure or campaigns are exposed
  • Reuse tooling, malware builders, encryption logic, and playbooks across identities
  • Maintain minimal public-facing communication
  • Share affiliates, infrastructure, and monetization channels across multiple “brands”

When one name burns, the operation continues under another with minimal disruption.


RALord / NOVA Ransomware

Background and Rebranding

RALord appeared around mid-2025, initially targeting small and mid-sized organizations. As victim disclosures increased and scrutiny grew, the group was observed shifting branding to NOVA by late 2025. Tooling, infrastructure, and behavior strongly suggest continuity rather than a new actor.


Technical Characteristics

Encryption Methods

  • Hybrid encryption using AES-256 for file encryption and RSA-4096 for key protection
  • Intermittent (partial) file encryption to accelerate impact
  • Focus on business-critical file extensions
  • Appended extensions observed: .nova and .ral

Attack Methodology

Initial Access

  • Exploitation of exposed RDP services with weak or reused credentials
  • Phishing campaigns delivering malicious Office documents with macro payloads
  • Exploitation of unpatched VPN appliances, particularly Fortinet and Cisco products

Lateral Movement

  • Heavy use of living-off-the-land techniques
  • PsExec for remote command execution
  • Cobalt Strike beacons for command-and-control
  • Mimikatz for credential harvesting

Defense Evasion

  • Disables Windows Defender and third-party AV products
  • Clears Windows Event Logs
  • Deletes Volume Shadow Copies using vssadmin.exe
  • Uses process injection to obscure malicious activity

Data Exfiltration

  • Uses Rclone or Mega[.]nz for data theft prior to encryption
  • Sensitive data compressed into password-protected archives
  • Typical exfiltration volume ranges from 50 to 200 GB per victim

Encryption and Extortion

  • Ransom notes dropped as README_NOVA.txt or RECOVERY_INSTRUCTIONS.txt
  • Ransom demands ranging from USD 50,000 to 500,000
  • Payments requested in Bitcoin or Monero
  • Threat of public data release if payment deadlines are missed

Targeted Industries

  • Healthcare (clinics, diagnostic centers)
  • Manufacturing (SMEs in particular)
  • Professional services (legal, accounting)
  • Retail and hospitality
  • Local government

Known Impact

  • Over 40 confirmed victims across North America and Europe
  • Healthcare disruptions requiring patient diversion
  • Manufacturing downtime of 3–7 days
  • Estimated aggregate losses exceeding USD 15 million

DireWolf Ransomware

Background

DireWolf emerged in late Q3 2025 and quickly demonstrated a preference for larger, higher-impact targets. Compared to RALord/NOVA, DireWolf operations showed more deliberate reconnaissance and targeting, particularly in regulated and infrastructure-heavy environments.


Technical Characteristics

Encryption Methods

  • ChaCha20 stream cipher with RSA-2048 key encryption
  • Optimized for speed on network shares and databases
  • Extensions observed: .direwolf and .dwolf

Attack Methodology

Initial Access

  • Exploitation of ProxyShell and ProxyNotShell Exchange vulnerabilities
  • Compromised MSP credentials
  • Supply-chain access via software update mechanisms
  • Exploitation of zero-day vulnerabilities in enterprise applications

Persistence

  • Scheduled task creation
  • Registry Run key modification
  • Backdoors installed as legitimate-looking Windows services
  • DLL side-loading

Reconnaissance and Discovery

  • Network scanning using Advanced IP Scanner
  • Active Directory enumeration via BloodHound
  • Identification of backup systems and high-value assets
  • Full network topology mapping prior to encryption

Privilege Escalation

  • Abuse of PrintNightmare (CVE-2021-34527)
  • Zerologon (CVE-2020-1472) on unpatched domain controllers
  • Token manipulation and privilege abuse

Impact and Encryption

  • Backup systems targeted first
  • Encryption of file servers, databases, and virtual machines
  • Simultaneous deployment across multiple systems
  • Ransom note dropped as DIREWOLF_RECOVERY.txt

Targeted Industries

  • Energy and utilities
  • Financial services
  • Education (universities, school districts)
  • Transportation and logistics
  • Critical infrastructure

Known Impact

  • Approximately 25–30 confirmed victims globally
  • Several incidents requiring emergency response
  • Some attacks impacted over 10,000 end users
  • One education-sector incident affected more than 50,000 students
  • Ransom demands ranged from USD 500,000 to 3 million

Indicators of Compromise (IOCs)

RALord / NOVA

IP Addresses (C2)

  • 185[.]220[.]101[.]45
  • 194[.]165[.]16[.]89
  • 45[.]142[.]214[.]123
  • 89[.]108[.]83[.]196

Domains

  • nova-support[.]onion
  • ralord-recovery[.]onion
  • secure-decrypt[.]net
  • data-leak-nova[.]com

File Names

  • README_NOVA[.]txt
  • RECOVERY_INSTRUCTIONS[.]txt
  • decrypt_tool[.]exe
  • system_update[.]exe

Registry Keys

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\RecoveryService

Mutexes

  • Global\NovaRansomLock
  • Global\RALordMutex2025

DireWolf

IP Addresses (C2)

  • 23[.]106[.]123[.]47
  • 91[.]199[.]119[.]87
  • 185[.]141[.]63[.]120
  • 195[.]133[.]21[.]45

Domains

  • direwolf-decrypt[.]onion
  • dwolf-support[.]onion
  • enterprise-recovery[.]net
  • leak-directory[.]com

File Names

  • DIREWOLF_RECOVERY[.]txt
  • HOW_TO_DECRYPT[.]html
  • recovery_agent[.]exe
  • windows_defender_update[.]exe

Registry Keys

  • HKLM\SOFTWARE\DireWolf\Config
  • HKLM\SYSTEM\CurrentControlSet\Services\WinDefendUpdate

Scheduled Tasks

  • \Microsoft\Windows\SystemUpdate\DailyCheck
  • \DireWolf\MaintenanceTask

Detection and Hunting

Network Indicators

  • Outbound connections to Tor nodes
  • Large outbound transfers to Mega[.]nz or Rclone endpoints
  • RDP brute-force behavior
  • SMB enumeration and scanning

SIEM / EDR Signals

  • EventID 4625 spikes from a single source
  • EventID 4720 during off-hours
  • EventID 7045 with suspicious service names
  • Execution of vssadmin[.]exe delete shadows /all /quiet
  • Execution of bcdedit[.]exe /set {default} recoveryenabled No

KQL Queries

// Shadow-copy deletion in the last 24 hours. has_all (not has_any) so that
// benign "vssadmin list shadows" does not match.
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "vssadmin.exe"
| where ProcessCommandLine has_all ("delete", "shadows")

// Burst of files carrying the extensions observed for RALord/NOVA and DireWolf
DeviceFileEvents
| where Timestamp > ago(1h)
| where FileName endswith ".nova" or FileName endswith ".ral" or FileName endswith ".direwolf" or FileName endswith ".dwolf"
| summarize FileCount = count() by DeviceName
| where FileCount > 50

// Hosts with an unusually high number of connections to a single remote IP on
// web ports (possible beaconing or exfiltration); expect to tune the threshold
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (80, 443, 8080, 8443)
| summarize ConnectionCount = count() by DeviceName, RemoteIP
| where ConnectionCount > 100
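The SIEM/EDR signals listed above, run as host-side hunting logic over constructed sample events. This is an added example, not code from the original post or from the report's authors; the event shapes, thresholds, off-hours window and the "Windows-sounding service name" pattern are assumptions, with the pattern drawn from the service, file and task names in the IOC section.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample telemetry (not real logs): 25 failed logons from one IP, then off-hours
# account creation, a suspicious service install and recovery-inhibition commands.
EVENTS = [
    *[{"ts": f"2025-11-03T02:14:{s:02d}", "id": 4625, "host": "FS01", "src_ip": "10.0.5.77"}
      for s in range(25)],
    {"ts": "2025-11-03T09:30:00", "id": 4625, "host": "WS22", "src_ip": "10.0.9.12"},
    {"ts": "2025-11-03T03:02:11", "id": 4720, "host": "DC01", "user": "svc_update"},
    {"ts": "2025-11-03T10:15:00", "id": 4720, "host": "DC01", "user": "jsmith"},
    {"ts": "2025-11-03T03:05:40", "id": 7045, "host": "DC01", "service": "WinDefendUpdate",
     "image": r"C:\Windows\Temp\windows_defender_update.exe"},
    {"ts": "2025-11-03T03:09:12", "id": 4688, "host": "FS01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-11-03T03:09:15", "id": 4688, "host": "FS01", "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": "2025-11-03T14:00:00", "id": 4688, "host": "WS22", "cmd": "vssadmin.exe list shadows"},
]

# Thresholds and watchlists are assumptions for this example; tune them per environment.
FAILED_LOGON_THRESHOLD = 20  # 4625 events from one source IP against one host
OFF_HOURS = (20, 6)          # 20:00 to 06:00 local time counts as off-hours
SUSPICIOUS_SERVICE_RE = re.compile(r"(?i)(update|defend|recovery|maintenance)")
UNTRUSTED_IMAGE_RE = re.compile(r"(?i)\\(temp|users|programdata)\\")
RECOVERY_INHIBIT_RE = re.compile(
    r"(?i)(vssadmin(\.exe)?\s+delete\s+shadows|bcdedit(\.exe)?\s.*recoveryenabled\s+no)")

def is_off_hours(ts):
    hour = datetime.fromisoformat(ts).hour
    start, end = OFF_HOURS
    return hour >= start or hour < end

def hunt(events):
    """Return (rule, host, detail) alerts for the four SIEM/EDR signals in the report."""
    alerts = []
    # 4625 spikes from a single source (RDP brute force)
    fails = Counter((e["host"], e["src_ip"]) for e in events if e["id"] == 4625)
    for (host, ip), n in fails.items():
        if n >= FAILED_LOGON_THRESHOLD:
            alerts.append(("4625_spike", host, f"{n} failed logons from {ip}"))
    for e in events:
        if e["id"] == 4720 and is_off_hours(e["ts"]):      # account creation off-hours
            alerts.append(("4720_off_hours", e["host"], f"{e['user']} created at {e['ts']}"))
        elif e["id"] == 7045 and (SUSPICIOUS_SERVICE_RE.search(e["service"])   # new service with a
                                  or UNTRUSTED_IMAGE_RE.search(e["image"])):  # Windows-like name or temp-dir image
            alerts.append(("7045_suspicious_service", e["host"], f"{e['service']} -> {e['image']}"))
        elif e["id"] == 4688 and RECOVERY_INHIBIT_RE.search(e["cmd"]):  # vssadmin / bcdedit
            alerts.append(("recovery_inhibited", e["host"], e["cmd"]))
    return alerts
```

The benign entries (a single failed logon, a daytime account creation, `vssadmin list shadows`) are included so the rules can be checked for false positives as well as hits.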

Final Assessment

Identity-fluid ransomware groups are not winning because of cutting-edge exploits. They succeed because they operate quietly, reuse proven methods, and exploit basic security gaps faster than defenders detect them.

Organizations that focus only on ransomware names will continue to fall behind. Detection needs to be centered on credential abuse, lateral movement, data staging, and timing correlation.

The brand does not matter.
The behavior always does.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.