The Nova ransomware gang recently listed the state government of NSW as a victim on its darknet leak site, claiming to have exfiltrated “sensitive data from network”. The government’s top cyber security officer, however, is not having a bar of it.
“Cyber Security NSW is aware of a query, which is being looked into by public sector agencies,” Marie Patane, NSW chief cyber security officer and executive director Cyber Security NSW, told Cyber Daily regarding the hacking claims.
“At this stage, there is no evidence of any sensitive information being accessed.
“The only sample files provided are publicly available and historical information.”
Indeed, Nova did share several files by way of evidence of a network compromise. The files are PDFs of regional topographic maps featuring NSW government letterhead and a set of maps outlining emergency response programs across the state.
The latter dates back to 2013, and the full dataset is apparently 200 gigabytes.
Since its initial 15 June leak post, Nova is now claiming to have had some interest from an unnamed third party who wished to purchase the data.
“Got offre [sic] to sell the data with 704k USD, we are not ready to sell the data yet, we looking for negotiation with the company,” Nova said more recently.
Who is Nova?
First emerging in April 2025, Nova is responsible for 140 leak posts in total, with 25 alone in May 2026.
The group styles itself as a ransomware-as-a-service group, splitting any ransom payments with affiliates based on their performance. The lowest split is 75/25, with the bulk going to affiliates, while better performers can take advantage of a 95/5 split.
On its leak site, the group outlines its affiliate program in Russian, Chinese, and English.
“Nova will provide Guide, CVEs exploits in news section, Logs Checker service, Tools (customised and Paid tools for free), and Lot of things that help to up your skills and make success attacks,” the group said.
Nova’s leak site also features a “blacklist” of banned affiliates, which is largely in Russian, suggesting that language is the hackers’ first.
This is the first time the group has claimed an Australian victim. Most of Nova’s victims hail from the United States, France, Brazil, Spain, and Indonesia.
It is hardly unknown for ransomware actors to either mistake their victims or make grander claims about their activity than the data can back up.
Most recently, the ThreeAM ransomware group claimed to have compromised the Australian Medical Council (AMC), which the AMC strenuously denied, while the data that has been published appears to belong to a single Victorian healthcare provider.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.