DataInTheDark
News

Attack alert: nova targets Atenção Primária à Saúde Brazil - BR

DataInTheDark Alert System
6 min read
3 views

Introduction

The ransomware group Nova has claimed responsibility for a breach of the Brazilian public health system by targeting Atenção Primária à Saúde Brazil, a critical healthcare infrastructure managing the medical data of millions of citizens. The claim, published on December 4, 2025, poses a significant threat to the confidentiality of health information and to the continuity of primary care services in Brazil. The incident, classified as XC SIGNAL under our analysis protocol, raises serious concerns about the protection of sensitive medical data within Latin American public infrastructures. The targeted organization employs over 10,000 people and is a key pillar of the Brazilian healthcare system.

This claim illustrates the alarming trend of cyberattacks against public health institutions, which are particularly exposed because of the critical nature of their services and the value of medical information on underground markets. Nova, known for its aggressive operational model, has demonstrated its ability to infiltrate complex government systems. The potential impact extends far beyond the exfiltration of medical files: it directly affects Brazilian citizens' trust in their digital health system and the operational capacity of a critical infrastructure.

Detailed analysis

nova: modus operandi, history, and victims of the ransomware group

Nova is a cybercriminal collective identified as a strategic rebranding of RALord, operating under a particularly sophisticated Ransomware-as-a-Service (RaaS) model. The rebranding, observed in 2025, follows a pattern common among malicious actors seeking to evade cybersecurity teams and revitalize their operations after media exposure or law enforcement action.

The RaaS model adopted by Nova lets the group franchise its technical infrastructure to third-party affiliates, who conduct the intrusions while the core developers supply the malware, the payment infrastructure, and technical support. This decentralized approach significantly complicates attribution and incident response, because each attack can show different tactical characteristics depending on the affiliate involved. Profits are typically split 70/30 or 80/20 in favor of the affiliates, who carry the operational risk.

Nova's tactics, techniques, and procedures (TTPs) build on the legacy of RALord. Initial access typically comes through targeted phishing, exploitation of vulnerabilities in internet-exposed services, or takeover of privileged accounts via credential stuffing. Once inside, the group deploys network reconnaissance tools, establishes persistence through backdoors, and systematically exfiltrates sensitive data before the final encryption phase.

Our full analysis of the Nova group shows that the affected entity joins a growing portfolio of victims in critical sectors, with a marked preference for public infrastructure and organizations holding highly strategic data. The group favors double extortion, combining system encryption with the threat of publishing stolen information to maximize pressure on victims and raise the likelihood of ransom payment.

Atenção Primária à Saúde Brazil: Healthcare Company Profile (10,000+ employees) - BR

Atenção Primária à Saúde Brazil forms the backbone of the Brazilian primary healthcare system, representing the first point of contact between citizens and the national public health network. This massive government infrastructure employs over 10,000 healthcare professionals, administrators, and technical staff across Brazil, providing essential medical services to millions of Brazilians daily.

The organization operates in the healthcare sector with a critical public health mission, managing considerable volumes of sensitive medical data, including patient records, treatment histories, pharmaceutical information, and epidemiological data. This central position within the Brazilian healthcare ecosystem gives the entity major strategic importance, not only for continuity of care but also for national epidemiological surveillance and public health policy planning.

Based in Brazil and deployed across all 26 states and the Federal District, Atenção Primária à Saúde Brazil's digital infrastructure interconnects thousands of health centers, community clinics, and local medical posts. This distributed architecture, while essential for ensuring access to care in a country of continental dimensions, also multiplies the potential attack surface and complicates the consistent implementation of robust cybersecurity measures.

The compromise of such an organization goes far beyond a typical cybersecurity incident, directly impacting national health sovereignty. The medical information managed by this infrastructure represents a prime target for cybercriminals, both for its market value on underground forums and for its potential for exploitation in identity fraud campaigns, extortion, or even health espionage. The potential operational disruption threatens access to care for vulnerable populations and could compromise essential public health programs.

Technical Analysis: Exposure Level

The incident affecting Atenção Primária à Saúde Brazil was classified at XC SIGNAL level under our XC-Classify assessment protocol. This level denotes an early warning that calls for increased monitoring, without immediate confirmation of a massive data breach. Defined with reference to the NIST confidentiality, integrity, and availability criteria, it indicates that the malicious actor has claimed the compromise without yet publishing substantial evidence or significant volumes of exfiltrated files.

The exact nature of the potentially exposed digital assets remains under in-depth analysis by our CTI teams. In the context of a primary healthcare infrastructure of this scale, the data that may have been compromised typically includes electronic health records containing the identities, diagnoses, prescriptions, and treatment histories of millions of patients. This also potentially includes sensitive administrative information, human resources data for medical staff, financial information related to reimbursements and budget management, as well as operational data critical to the daily functioning of healthcare services.

The initial attack vector has not been publicly confirmed at this stage of the investigation. However, the data available to us points to likely scenarios consistent with Nova's typical TTPs and with weaknesses commonly observed in Brazilian public healthcare infrastructures. Working hypotheses include exploitation of unpatched vulnerabilities in outdated medical management systems, compromise of privileged accounts through phishing campaigns aimed at administrative staff, and intrusion via insufficiently secured Remote Desktop Protocol (RDP) services.

The precise timeline of the intrusion remains uncertain, as is frequently the case in complex incidents targeting distributed infrastructures. The public claim, dated December 4, 2025, does not typically reflect the timing of the initial access, which often precedes the encryption and extortion phase by several weeks or even months. This latency period allows attackers to establish robust persistence, map the network environment, identify high-value assets, and methodically exfiltrate data before revealing their presence.

→ The XC SIGNAL level places particular emphasis on similar organizations in the Brazilian healthcare sector, which should consider this claim as a warning sign warranting an immediate review of their security posture and intrusion detection capabilities.
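Two of the scenarios listed above (takeover of privileged accounts via credential stuffing, and exposed RDP services) and the recommendation to review intrusion detection capabilities lend themselves to a concrete check. The script below is an added example written for this page; it is not DataInTheDark's tooling and has no connection to Nova or RALord. It runs a sliding-window rule over Windows Security logon events (Event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) to flag one source address hitting many distinct accounts in a short window, and escalates when that same address then logs on successfully. The one-line-per-event log format, the sample lines, and the thresholds are all constructed assumptions for the demonstration, not the real EVTX layout or a vendor's default.

```python
"""Detect RDP credential stuffing / password spraying in Windows logon events
and flag a successful logon that follows a burst of failures from the same
source address.

Added example for this alert page; not code from DataInTheDark nor from the
Nova/RALord operators. The log format is a constructed, simplified rendering
of Windows Security events 4625/4624 (assumption), the sample lines are
constructed, and the thresholds are assumptions to be tuned per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed one-line-per-event format (assumption; real events are EVTX/XML).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<event>\d+)\s+LogonType=(?P<ltype>\d+)"
    r"\s+TargetUser=(?P<user>\S+)\s+SrcIP=(?P<ip>\S+)"
)

RDP_LOGON_TYPE = "10"      # RemoteInteractive (RDP)
FAILED, SUCCESS = "4625", "4624"


def parse_line(line):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_rdp_stuffing(lines, window=timedelta(minutes=10),
                        min_failures=8, min_users=4):
    """Sliding window of RDP failures per source IP. Emits
    'rdp_credential_stuffing' once per IP when >= min_failures failures hit
    >= min_users distinct accounts inside `window`, and
    'rdp_success_after_failures' for any successful RDP logon from an IP
    that still has >= min_failures failures inside the window."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    failures = defaultdict(deque)   # src_ip -> deque of (ts, user)
    already_alerted = set()
    alerts = []
    for ev in events:
        if ev["ltype"] != RDP_LOGON_TYPE:
            continue                 # only RDP logons are in scope here
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()              # expire failures outside the window
        if ev["event"] == FAILED:
            q.append((ev["ts"], ev["user"]))
            users = {u for _, u in q}
            if (len(q) >= min_failures and len(users) >= min_users
                    and ev["ip"] not in already_alerted):
                already_alerted.add(ev["ip"])
                alerts.append({"rule": "rdp_credential_stuffing",
                               "src_ip": ev["ip"], "at": ev["ts"].isoformat(),
                               "failures": len(q), "distinct_users": len(users)})
        elif ev["event"] == SUCCESS and len(q) >= min_failures:
            alerts.append({"rule": "rdp_success_after_failures",
                           "src_ip": ev["ip"], "user": ev["user"],
                           "at": ev["ts"].isoformat(), "prior_failures": len(q)})
    return alerts


# Constructed sample: one external address spraying nine accounts, then
# succeeding on a service account; an internal user with a single typo;
# a network (type 3) logon that the rule must ignore.
SAMPLE_LOG = """\
2025-11-20T02:14:07Z EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.7
2025-11-20T02:14:09Z EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7
2025-11-20T02:14:12Z EventID=4625 LogonType=10 TargetUser=ti.suporte SrcIP=203.0.113.7
2025-11-20T02:14:15Z EventID=4625 LogonType=10 TargetUser=dr.silva SrcIP=203.0.113.7
2025-11-20T02:14:18Z EventID=4625 LogonType=10 TargetUser=enfermagem SrcIP=203.0.113.7
2025-11-20T02:14:21Z EventID=4625 LogonType=10 TargetUser=backup SrcIP=203.0.113.7
2025-11-20T02:14:24Z EventID=4625 LogonType=10 TargetUser=svc_pacs SrcIP=203.0.113.7
2025-11-20T02:14:27Z EventID=4625 LogonType=10 TargetUser=recepcao SrcIP=203.0.113.7
2025-11-20T02:14:30Z EventID=4625 LogonType=10 TargetUser=farmacia SrcIP=203.0.113.7
2025-11-20T02:15:02Z EventID=4624 LogonType=10 TargetUser=svc_pacs SrcIP=203.0.113.7
2025-11-20T02:16:40Z EventID=4625 LogonType=10 TargetUser=dr.souza SrcIP=10.20.3.44
2025-11-20T02:16:45Z EventID=4624 LogonType=10 TargetUser=dr.souza SrcIP=10.20.3.44
2025-11-20T02:20:00Z EventID=4624 LogonType=3 TargetUser=svc_backup SrcIP=10.20.3.9
"""

if __name__ == "__main__":
    for alert in detect_rdp_stuffing(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample the rule fires twice: once for the spray from 203.0.113.7 (it does not re-fire on the ninth failure), and once, at higher priority, for the success on `svc_pacs` from the same address. The single failure from 10.20.3.44 and the type 3 network logon produce nothing. A spray that keeps to one or two attempts per account to stay under lockout is caught by the distinct-user count rather than by a per-account threshold, which is the point of keying on the source address; a distributed spray from many addresses needs the same logic keyed on the target account set instead, and the thresholds should be tuned against a baseline of the organization's own RDP traffic.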

Frequently Asked Questions

When did the attack by nova on Atenção Primária à Saúde Brazil occur?

The claim was published by nova on December 4, 2025; the date of the initial intrusion has not been confirmed. The incident can be tracked directly on the dedicated alert page for Atenção Primária à Saúde Brazil.

Who is the victim of nova?

The victim is Atenção Primária à Saúde Brazil, a healthcare-sector organization located in Brazil. To learn more about the nova threat actor and its other attacks, see the actor's dedicated page.

What is the XC protocol level for the attack on Atenção Primária à Saúde Brazil?

The XC protocol level is currently at XC SIGNAL status, meaning the attack on Atenção Primária à Saúde Brazil has been claimed by nova but has not yet been confirmed by our community. Follow the progress of this alert.

Conclusion

Impact on the Healthcare Sector: Risks and Regulations in Brazil

Proof of the leak on Atenção Primária à Saúde Brazil
