Attack alert: Nova targets Novabio (France Laboratories) - FR
Introduction
The ransomware attack that struck Novabio (France Laboratories) in early December 2025 illustrates the persistent vulnerability of the healthcare sector to cyber threats. This French medical testing laboratory, employing between 10 and 50 people and with an estimated turnover of between 2 and 5 million euros, was compromised by Nova, a ransomware group operating on the RaaS (Ransomware-as-a-Service) model. Classified as SIGNAL level according to our XC-Classify protocol, this intrusion potentially exposes sensitive health data, biological results, and confidential patient information. The incident, discovered on December 10, 2025, is part of a worrying trend of attacks targeting medium-sized medical facilities in France.
The situation is all the more critical given that Novabio, founded in 2008, handles some of the most sensitive data as defined by the GDPR on a daily basis. The compromise of a medical testing laboratory raises major issues for both patient confidentiality and the continuity of healthcare services. → Understanding XC criticality levels helps contextualize the severity of this incident within the current cyber threat landscape.
Detailed analysis
This attack occurs in a climate where French healthcare facilities are facing a surge in cyberattacks. Medical testing laboratories, often less well-equipped with cybersecurity resources than large hospitals, are becoming prime targets for malicious actors seeking to monetize highly sensitive medical data.
Nova represents the evolution of a known malicious actor within the cybercriminal ecosystem. This group is actually a rebrand of RALord; rebranding is a common ransomware tactic that allows operators to distance themselves from a tarnished reputation or evade government surveillance. Currently active and operating under the Ransomware-as-a-Service (RaaS) model, Nova rents its malicious infrastructure to affiliates who conduct attacks for a share of the ransom.
The RaaS model democratizes access to cyber extortion tools, enabling even cybercriminals with limited technical skills to conduct sophisticated campaigns. Nova provides its affiliates with the malware, command and control infrastructure, and negotiation and payment mechanisms in exchange for a substantial percentage of the ransoms collected.
While the specific technical details of the attack against Novabio are still being analyzed, ransomware groups targeting the healthcare sector typically favor initial intrusion vectors such as targeted phishing, exploiting unpatched vulnerabilities in exposed systems, or compromising privileged accounts through brute-force attacks. Once initial access is gained, attackers deploy lateral movement techniques to map the network and identify critical digital assets.
The double extortion strategy, now standard in the ransomware industry, combines data encryption with prior exfiltration. This approach maximizes the pressure on victims: even if backups allow for system restoration, the threat of publication of the stolen information remains. → Full analysis of the Nova group offers a detailed overview of the tactics, techniques, and procedures (TTPs) employed by this cybercriminal collective.
Novabio (France Laboratories) has been operating in the highly regulated medical testing sector in France since 2008. With a staff of between 10 and 50 employees, this laboratory represents the typical profile of the mid-sized healthcare facilities that form the backbone of the French healthcare system. Its estimated revenue of between 2 and 5 million euros demonstrates sustained activity serving patients and healthcare professionals.
The very nature of Novabio's business involves the daily handling of highly personal health data: blood test results, genetic tests, disease screenings, and medical histories. This information, protected by medical confidentiality and the GDPR, constitutes a digital asset that is particularly coveted on the black market. Health data can be exploited for medical identity theft, insurance fraud, or targeted blackmail.
The organization, accessible via its website https://www.novabio.fr, is part of a network of partners including prescribing physicians, healthcare facilities, and reference laboratories. This interconnectedness, essential for the smooth functioning of the patient care pathway, also creates extensive attack surfaces. Compromising one link in this chain can potentially affect the entire ecosystem.
For an organization of this size, cybersecurity resources are often limited in the face of the increasing sophistication of threats. Medical testing laboratories must juggle investments in cutting-edge medical equipment, strict regulatory compliance, and information system protection, often within a constrained budgetary environment.
The SIGNAL exposure level, as determined by our XC-Classify protocol, indicates that data related to this breach has been detected and certified on our platform. While granular details on the exact volume of exfiltrated information are not yet publicly available, the very nature of Novabio's business allows us to anticipate the categories of data potentially affected.
Medical testing laboratories typically maintain databases containing patients' full identities (name, surname, date of birth, social security number), their contact information, medical prescription history, detailed results of laboratory tests, and sometimes information on diagnosed pathologies. The exposure of such information constitutes a major breach of privacy and medical confidentiality.
Our analysis of verified data reveals that the incident was discovered recently, on December 10, 2025. The precise timeline between the initial intrusion, data exfiltration, and encryption remains to be established. Ongoing forensic investigations should allow us to reconstruct the complete attack chain and identify any vulnerabilities that were exploited.
The likely modus operandi follows the classic pattern of ransomware attacks against the healthcare sector: initial network reconnaissance, privilege escalation, disabling of security solutions, discreet exfiltration of sensitive data over several days or weeks, and then rapid deployment of the ransomware to maximize the element of surprise. Attackers typically prefer weekends or periods of low surveillance for the final encryption phase.
The impact on individuals whose medical data may have been compromised includes risks of medical identity fraud, exploitation of health information for targeted blackmail, and a lasting violation of their privacy. Unlike financial information, health data cannot be "changed" and retains its value over the long term for malicious actors.
The Novabio breach is part of an alarming trend of attacks specifically targeting the healthcare sector in France and Europe. This sector presents a combination of factors that make it particularly vulnerable: highly sensitive and monetizable data, often aging IT systems, limited cybersecurity budgets, and a zero-tolerance policy for service interruptions that endanger lives.
In France, the applicable regulatory framework is particularly strict. The GDPR imposes enhanced security and notification obligations on those responsible for processing health data. Novabio theoretically has 72 hours after discovering a breach to notify the CNIL (French Data Protection Authority), and must directly inform the individuals concerned if the breach presents a high risk to their rights and freedoms.
Frequently Asked Questions
When did the attack by Nova on Novabio (France Laboratories) occur?
The attack occurred on December 10, 2025 and was claimed by Nova. The incident can be tracked directly on the dedicated alert page for Novabio (France Laboratories).
Who is the victim of Nova?
The victim is Novabio (France Laboratories), which operates in the healthcare sector. The company is located in France. Visit the official website of Novabio (France Laboratories). To learn more about the Nova threat actor and their other attacks, visit their dedicated page.
What is the XC protocol level for the attack on Novabio (France Laboratories)?
The XC protocol level is currently at XC SIGNAL status, meaning the attack on Novabio (France Laboratories) has been claimed by Nova but has not yet been confirmed by our community. Follow the progress of this alert.
Conclusion
The NIS2 directive, whose transposition into French law is nearing completion in 2025, further strengthens cybersecurity requirements for healthcare entities deemed essential or critical. Medical testing laboratories, depending on their size and criticality, could face increased obligations regarding risk management, incident notification, and operational resilience. → Other attacks in the Healthcare sector documents the scale of the phenomenon and similar precedents.