Quick Summary
Executive Summary
Transvill SRL, a company operating in the transportation and logistics sector in Peru, has been listed as a victim of the Nova ransomware group. The breach listing was published on June 24, 2026. Nova ransomware has shown a pattern of targeting organizations in the technology, manufacturing, and education sectors, with a significant concentration of victims in Peru, the United States, and Spain.
Technical Analysis
SOCRadar’s analysis indicates a severe exposure related to the transvill.com.pe domain, identified through stealer-log telemetry. The exposure includes corporate-employee credentials for the organization’s internal systems, credentials found on third-party services, and external or customer handles linked to the primary domain. These corporate credentials were used to authenticate to high-value endpoints, including internal cloud collaboration logins and an internal application portal. The same corporate usernames recur, unrotated, across multiple URLs and timestamps, which suggests persistent access; the data lineage extends from February to June 2026, overlapping with the listing date.

The primary access vector appears to be direct internal exposure. Infostealer-harvested credentials are a common initial access method for ransomware groups like Nova: compromised credentials are used to gain access to Microsoft 365, VPNs, or remote-access portals before ransomware deployment. While not directly confirmed, the evidence strongly aligns with the typical cyber kill chain for such incidents.

Recommended actions include immediate password resets, session revocations for affected accounts, endpoint forensics, and access-log audits.