Russian oil and gas engineering services firm Eriell was posted to the Nova ransomware leak site on May 26, 2026, alongside technology company sandox info. The listing caps a five-victim, five-day burst spanning South America, Europe, the Middle East, and now Russia, extending Nova's claimed total to 122 or more victims across its operational lifetime.
What Happened
Nova ransomware operators added Eriell to their data leak site on May 26, 2026, as part of a two-victim batch that also named technology firm sandox info. The disclosure extends a concentrated week of activity that began May 23 with the University of Valencia in Spain, continued May 24 with SECONT in Brazil and Adensa Teknoloji in Turkey, and culminated with the May 26 dual listing. Across five consecutive operational days, Nova posted victims spanning four distinct world regions, marking one of the group's most geographically diverse posting windows on record.
What Was Taken
Specific exfiltration volume and sample data for the Eriell listing have not been publicly enumerated in the Nova post detail available at this time. Based on Eriell's business profile as an oil and gas engineering services provider with international operations, exposed data categories are likely to include project engineering documents, geological survey data, drilling and production specifications, client contracts with national energy companies, and procurement records. A full-archive exfiltration would carry significant secondary exposure for Eriell's client base, which includes national oil companies whose project data may sit within Eriell's engineering archives. The parallel sandox info listing carries a different risk profile typical of technology sector compromises: potential exposure of source code repositories, client access credentials, and software license records that can fuel downstream supply chain compromise beyond the immediate victim boundary.
Why It Matters
Nova's decision to list a Russia-headquartered organization is the most strategically significant element of this disclosure. Most ransomware operations avoid targets inside Russia, a pattern broadly attributed to the geographic overlap between affiliate pools and Russia-resident operators who face domestic prosecution risk for in-country attacks. Nova's willingness to post Eriell signals that this constraint does not apply to the group, suggesting affiliates operate outside Russian jurisdiction or that the operators have weighed Eriell's international project exposure as sufficient justification to override the typical carve-out. For threat intelligence consumers, the listing recalibrates assumptions about which Russian critical-infrastructure-adjacent entities sit within the addressable victim pool of active ransomware-as-a-service brands. The concurrent four-region posting pattern also indicates Nova is operating with affiliate breadth rather than a narrow geographic focus, raising baseline exposure across diverse defender constituencies.
The Attack Technique
Initial access vector, encryption tooling, and dwell time specifics for the Eriell intrusion have not been disclosed in the public Nova post or in source reporting. Nova has not been publicly profiled with a consistent signature TTP set in available reporting tied to this batch, and no confirmation has been issued by Eriell regarding the scope or timeline of the intrusion at the time of writing. Defenders should treat the listing as a confirmed extortion event with unconfirmed intrusion mechanics until additional indicators are released by the victim, incident responders, or downstream researchers.
What Organizations Should Do
- Energy sector engineering services firms with international client portfolios should review third-party data handling agreements and confirm contractual notification obligations to national oil company clients in the event of an archive exfiltration.
- Monitor the Nova leak site for follow-on sample drops or full archive releases tied to the Eriell listing, and integrate any released indicators of compromise into detection pipelines.
- Russia-headquartered organizations and their international subsidiaries should revisit threat models that assumed a domestic carve-out from major ransomware brands, and rebaseline detection priorities accordingly.
- Technology sector firms should audit source code repository access controls, rotate long-lived client access credentials, and inventory software license data stores in light of the parallel sandox info listing risk profile.
- Validate offline, immutable backups for engineering project archives and confirm restoration timelines meet contractual client service-level commitments.
- Tune egress monitoring for large outbound transfers from engineering document repositories, geological data stores, and procurement systems, since bulk exfiltration typically precedes Nova-style leak site posting by days to weeks.
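
As an added illustration of the egress-monitoring recommendation (not taken from the source reporting or from any vendor tooling), the sketch below sums daily outbound bytes per repository host and alerts when a day exceeds both an absolute floor and a multiple of that host's prior median. The flow records, role tags, internal address ranges, and thresholds are all constructed assumptions to be replaced with local telemetry and baselines.

```python
import csv, io, ipaddress, statistics
from collections import defaultdict

# Constructed flow records (not real telemetry): one row per outbound flow summary.
SAMPLE_FLOWS = """date,src_host,role,dst_ip,bytes_out
2026-05-01,eng-docs-01,engineering_docs,203.0.113.10,40000000
2026-05-02,eng-docs-01,engineering_docs,203.0.113.10,50000000
2026-05-03,eng-docs-01,engineering_docs,203.0.113.10,45000000
2026-05-04,eng-docs-01,engineering_docs,198.51.100.7,35000000000
2026-05-04,eng-docs-01,engineering_docs,198.51.100.7,25000000000
2026-05-04,eng-docs-01,engineering_docs,10.0.0.5,80000000000
2026-05-05,eng-docs-01,engineering_docs,203.0.113.10,42000000
2026-05-01,geo-store-01,geological_data,203.0.113.20,2000000000
2026-05-02,geo-store-01,geological_data,203.0.113.20,2000000000
2026-05-03,geo-store-01,geological_data,203.0.113.20,2000000000
2026-05-04,geo-store-01,geological_data,203.0.113.20,3000000000
2026-05-04,web-01,web,198.51.100.7,90000000000
"""
# Assumed asset tags for the repository types the recommendation names.
WATCHED_ROLES = {"engineering_docs", "geological_data", "procurement"}
# Assumed internal address space; anything else counts as egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def daily_external_egress(flow_csv):
    """Sum outbound bytes per watched host per day, external destinations only."""
    totals = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        dst = ipaddress.ip_address(row["dst_ip"])
        if row["role"] in WATCHED_ROLES and not any(dst in n for n in INTERNAL_NETS):
            totals[row["src_host"]][row["date"]] += int(row["bytes_out"])
    return totals

def flag_spikes(flow_csv, factor=10, floor_bytes=1_000_000_000, min_history=3):
    """Alert when a day's egress is >= floor and >= factor x the host's prior median."""
    alerts = []
    for host, by_day in daily_external_egress(flow_csv).items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            history = [by_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough baseline yet
            baseline = statistics.median(history)
            if by_day[day] >= max(floor_bytes, factor * baseline):
                alerts.append((host, day, by_day[day], baseline))
    return alerts

if __name__ == "__main__":
    for host, day, total, baseline in flag_spikes(SAMPLE_FLOWS):
        print(f"{day} {host}: {total} bytes out vs median {baseline}")
```

The per-host median keeps a routinely busy store such as the constructed `geo-store-01` from alerting on a modest increase, while the absolute floor suppresses alerts on hosts whose baseline is near zero.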
Sources: Nova Ransomware Lists Russian Oil Firm Eriell in May 26 Batch - Cybersecurity