Universitas Nasional Ransomware Attack by Nova (June 2026)

Claim Summary

On June 6, 2026, the ransomware group known as “nova” posted a claim on their dark web leak site alleging a cyberattack against Universitas Nasional (UNAS), an Indonesian higher education institution operating under the domain unas.ac.id. According to the threat actor’s post, they have allegedly stolen data from the university’s systems and claim to have provided a “tree and samples” of the stolen data to the organization’s support department. The group’s message describes UNAS as an institution offering undergraduate and postgraduate degrees across faculties including Social Sciences, Law, Economics, and Health Sciences, with a focus on quality assurance, research, and international conferences.

The attack date listed by the group is June 6, 2026, though this timestamp may reflect when the data was exfiltrated or when the leak site entry was created. The volume of data allegedly stolen remains undisclosed. No proof of compromise, such as file listings or data samples, has been publicly released at this time.

Threat Actor Profile

The “nova” ransomware group is a relatively obscure threat actor with limited public tracking. Based on available intelligence, the group has an unknown total number of confirmed victims, and no widely documented tools, tactics, or procedures (TTPs) have been attributed to them. Their operational security posture appears low, as they have not been linked to any known ransomware-as-a-service (RaaS) platforms or established extortion techniques.

Given the lack of public research or prior victim disclosures, the group’s credibility is difficult to assess. Ransomware groups with small victim counts often exaggerate claims to build reputation or apply pressure. The group’s message suggests a willingness to negotiate, as they claim to have provided data samples directly to the university’s support department. This tactic is common among lower-tier groups attempting to force payment through direct communication rather than public shaming.

No YARA rules, detection signatures, or specific indicators of compromise (IOCs) are available for the nova group at this time. Organizations should monitor for generic ransomware behaviors, such as unusual file encryption patterns, renamed file extensions, or ransom notes referencing “nova.”

Alleged Data Exposure

The threat actor claims to have exfiltrated data from Universitas Nasional, but no specific details about the nature or volume of the stolen information have been disclosed. Based on the university’s profile, potential data at risk could include:

• Student records (personal identification, academic transcripts, enrollment data)
• Faculty and staff personnel files
• Research data and intellectual property
• Financial records and payment information
• Internal communications and administrative documents

The group’s statement that they provided “tree and samples” to the university’s support department suggests they may have shared a directory structure and sample files to demonstrate the legitimacy of their claim. However, without independent verification, this remains an unsubstantiated assertion.

Potential Impact

If the claim is verified, the impact on Universitas Nasional could be significant. As an educational institution handling sensitive personal data of students and staff, a data breach could lead to:

• Regulatory penalties under Indonesia’s Personal Data Protection Law (UU PDP)
• Reputational damage affecting student enrollment and academic partnerships
• Operational disruption from ransomware encryption or system downtime
• Potential identity theft or fraud risks for affected individuals
• Loss of research data or intellectual property

The education sector is a frequent target for ransomware groups due to often limited cybersecurity budgets and the high value of personal data. However, the lack of public data samples reduces immediate risk of data exposure on the dark web.

What to Watch For

• Any official statement from Universitas Nasional regarding a security incident
• Appearance of data samples or file listings on dark web forums or leak sites
• Reports of system outages, encryption, or ransom demands from the university
• Communications from the nova group claiming additional victims or expanding their operations
• Increased monitoring for phishing attempts targeting UNAS affiliates using stolen data

Disclaimer

This report is based solely on an unverified claim posted by the nova ransomware group on their dark web leak site. Yazoul Security has not independently confirmed the validity of the attack, the identity of the threat actor, or the extent of any data compromise. Ransomware groups routinely fabricate or exaggerate claims to pressure victims into paying ransoms. All information should be treated as preliminary and subject to change upon verification. No data samples, credentials, or access methods are provided in this report. Organizations should consult their incident response teams and legal counsel before taking any action based on this intelligence.