Nova Ransomware Group Claims Attack on New South Wales Rural Fire Service
A cybersecurity incident at the New South Wales Rural Fire Service (NSW RFS) has been attributed to the ransomware group Nova, which today claimed responsibility for stealing 300 GB of data from the organization. The NSW RFS, Australia’s largest volunteer firefighting agency, first reported the breach on June 24, 2026, confirming an attack on its IT systems but stating that emergency response operations remained unaffected.
In an email from the commissioner, the RFS acknowledged the incident but downplayed its severity, noting that many affected files were historical and that there was no evidence of sensitive personal data being accessed. However, the agency has not verified Nova’s claim, and key details including the nature of the compromised data, the number of affected individuals, and whether a ransom was demanded or paid remain undisclosed.
Nova (also known as RALord), a ransomware-as-a-service (RaaS) group active since early 2025, operates by both encrypting systems and exfiltrating data, demanding payment for decryption and to prevent leaks. The group has claimed 143 attacks, with 12 confirmed by victims, including recent breaches at Universitat de València (Spain), LTI Services and Larick Towing (USA), and Aspire Hospitals (India). The NSW RFS attack marks Nova’s second targeting of a government entity, following a $2 million ransom demand against Italy’s Comune di Pisa in May 2025.
The incident is Australia’s first confirmed ransomware attack on a government agency in 2026, part of a broader surge in such threats. Globally, 78 ransomware attacks on government bodies have been recorded this year, with 10 confirmed in June alone, including breaches at Germany’s Allensbach Fire Department, Pakistan’s Capital Development Authority, and Croatia’s Ministry of Health. These attacks can disrupt critical services, from emergency dispatch to public records, forcing agencies to weigh ransom payments against prolonged downtime and data exposure risks.
The NSW RFS, responsible for 95% of New South Wales’ land area and comprising over 70,000 volunteers, remains under investigation as authorities assess the full scope of the breach.
Source: https://www.comparitech.com/news/cybercriminals-say-they-hacked-new-south-wales-rural-fire-service/
Ministry of Health TPRM report: https://www.rankiteo.com/company/ontario-ministry-of-health
"id": "ont1782506529",
"linkid": "ontario-ministry-of-health",
"type": "Ransomware",
"date": "6/2026",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"
{'affected_entities': [{'industry': 'Emergency services, Firefighting',
'location': 'New South Wales, Australia',
'name': 'New South Wales Rural Fire Service (NSW RFS)',
'size': '70,000+ volunteers',
'type': 'Government agency'}],
'data_breach': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'sensitivity_of_data': 'No evidence of sensitive personal '
'data being accessed',
'type_of_data_compromised': 'Historical files (unspecified)'},
'date_detected': '2026-06-24',
'date_publicly_disclosed': '2026-06-24',
'description': 'A cybersecurity incident at the New South Wales Rural Fire '
'Service (NSW RFS) has been attributed to the ransomware group '
'Nova, which claimed responsibility for stealing 300 GB of '
'data from the organization. The NSW RFS confirmed the breach '
'on June 24, 2026, stating that emergency response operations '
'remained unaffected. Nova, a ransomware-as-a-service (RaaS) '
'group, operates by encrypting systems and exfiltrating data, '
'demanding payment for decryption and to prevent leaks.',
'impact': {'data_compromised': '300 GB of data',
'operational_impact': 'Emergency response operations remained '
'unaffected',
'systems_affected': 'IT systems'},
'investigation_status': 'Under investigation',
'motivation': 'Financial gain, data exfiltration',
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransomware_strain': 'Nova (RALord)'},
'references': [{'source': "NSW RFS Commissioner's email"}],
'response': {'communication_strategy': 'Email from the commissioner '
'acknowledging the incident'},
'threat_actor': 'Nova (also known as RALord)',
'title': 'Nova Ransomware Group Claims Attack on New South Wales Rural Fire '
'Service',
'type': 'Ransomware'}