Quick Summary
Executive Summary
transvill, a transportation and logistics organization based in Romania, has been listed as a victim on the Nova ransomware group’s dark web portal, published on June 24, 2026. The listing was identified through SOCRadar’s Dark Web Monitoring service. The organization’s domain is transvill.ro. The listing appeared on the same date as a separate Nova listing for Transvill SRL in Peru; CTI teams should treat these as distinct listings affecting different entities.
Technical Analysis
In the 60 days prior to this listing, Nova has claimed approximately 43 other victims, with a targeting pattern observed in the technology, manufacturing, and education sectors, and victims concentrated in Peru, the United States, and Spain. Related logistics/transportation entities recently listed by Nova include Transvill SRL, FTL-Fast Transit Line, and Alexandria.

Initial access was investigated using SOCRadar’s stealer-log telemetry. No records were found for transvill.ro. However, a null result does not confirm the absence of a breach, as credentials might have been harvested under personal email aliases, indexed against an alternate domain, or surfaced in feeds outside the dataset. Notably, the related Peruvian domain (transvill.com.pe) showed severe exposure in the same telemetry. CTI teams should continue monitoring and implement proactive credential hygiene checks.

For ransomware groups like Nova, infostealer-harvested credentials are a common initial access vector. Operators source logs from underground marketplaces, validate corporate credentials, and use them for unauthorized access before deploying ransomware. The absence of evidence in this specific query does not rule out this scenario.
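The gap between a null email-domain query and actual exposure can be shown with a small check, added here as an illustration (it is not SOCRadar's tooling or data). It assumes a feed that indexes each stealer-log record as a login URL plus username; the record schema, the function names, and the placeholder domains `example-logistics.test` and `example-logistics-pe.test` are all hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample records (URL + username only). All hosts and accounts
# are placeholders, not real telemetry.
SAMPLE_RECORDS = [
    {"url": "https://mail.example-logistics.test/owa/", "username": "a.pop@example-logistics.test"},
    {"url": "https://vpn.example-logistics.test/login", "username": "driver.ion@gmail.example"},
    {"url": "https://portal.example-logistics-pe.test/", "username": "ops@example-logistics-pe.test"},
    {"url": "https://shop.unrelated.test/account", "username": "someone@unrelated.test"},
    {"url": "android://abc@com.example.app/", "username": "a.pop@example-logistics.test"},
]

def _in_scope(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(record, primary, alternates=()):
    """Return the reasons a record is relevant to the organization."""
    reasons = set()
    user = record.get("username", "")
    email_domain = user.rsplit("@", 1)[1].lower() if "@" in user else ""
    host = urlsplit(record.get("url", "")).hostname
    if _in_scope(email_domain, [primary]):
        reasons.add("email_domain")
    if _in_scope(host, [primary]):
        # Catches a personal alias used to log in to a corporate portal.
        reasons.add("login_host")
    if _in_scope(email_domain, alternates) or _in_scope(host, alternates):
        # Catches records indexed against a related or alternate domain.
        reasons.add("alternate_domain")
    return reasons

def exposure_report(records, primary, alternates=()):
    """Compare an email-domain-only query with host and alternate matching."""
    email_only = [r for r in records if "email_domain" in classify(r, primary)]
    broad = [r for r in records if classify(r, primary, alternates)]
    missed = [r for r in broad if r not in email_only]
    return {"email_only": len(email_only), "broad": len(broad), "missed": missed}

if __name__ == "__main__":
    report = exposure_report(SAMPLE_RECORDS, "example-logistics.test",
                             ["example-logistics-pe.test"])
    print(report["email_only"], report["broad"])
    for rec in report["missed"]:
        print("missed by email-domain query:", rec["username"], rec["url"])
```

Records surfaced only by the login host or an alternate domain are the accounts to prioritize for password resets and session revocation.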