A New Phase in Ransomware? Criminals Break Their Own Rules
What we can learn from the data extortion of Clinical Diagnostics Medical Lab
By: Pim Takkenberg, Director at Northwave Cyber Security
With the ongoing attack on Clinical Diagnostics, a Dutch medical lab, by the Nova ransomware group, we are seeing a concerning new development in cyber extortion tactics. I recently spoke with several Dutch news journalists about the cyberattack and what organisations and cyber security professionals can learn from this case.
A Troubling Extortion Escalation
Clinical Diagnostics was attacked by Nova in July. The group first encrypted systems and stole sensitive medical data. Initially, ransom was paid in exchange for preventing the stolen data’s release.
But this week, Nova returned with a second ransom demand of at least 11 Bitcoin (± €1.1 million), to be paid within 11 days. The group claims the medical lab broke an agreement by involving the police. This doubling up on the ransom demand is a departure from the usual “code of conduct” professional ransomware groups have traditionally followed.
In another bizarre twist in this case, one day later a person who identified themselves as the “president of Nova” posted this message in Cyrillic for Clinical Diagnostics on their data leak site:
As you know, we are usually open to dialogue, I am focused solely on the attacks - I am the one who attacked your company, As president of Nova, I demand your appearance to discuss the situation, I have not negotiated with you, but I am aware of your low offer for the task force, I agreed to this price because there was no evidence of police intervention, Come and contact us personally - I will see you myself, Do not send anyone else: the responsible representative must negotiate, Don't worry, we will not disclose patient data due to the laws of the progra Session ID (Admin online) : 054f55ec93aca9bac362b9d91eff36a7ce451e7caba47c0b2e004ba429f9529c79 , Let's talk as responsible people with responsible people and see what we can achieve through dialog, Since I am on vacation I will be free from now until September 1.
This unusual development is further evidence of how cyber extortion methods are becoming less predictable and even more troubling for victims.
Why This Trend Matters
Traditionally, ransomware groups followed a clear playbook:
1. Encrypt company systems
2. Demand ransom for the decryption key
3. Honour the deal if paid, to maintain credibility
Over time, as companies improved their back-ups, attackers changed tactics. They began stealing sensitive data before encrypting systems, using the threat of exposure as extra leverage. Additionally, in recent years there have been many disruptions in the ransomware ecosystem from global law enforcement takedowns and Russia’s invasion of Ukraine. As detailed in Northwave’s 2025 Global Threat Landscape report, many new ransomware gangs have entered the scene–including Nova–that are less experienced and less reliable than their predecessors.
We are seeing a new phase: criminals breaking their own promises, asking for more even after payment. Not even the “guarantee” of silence is certain anymore. On the other hand, even in the criminal underworld, brand reputation is important. So far, Northwave has observed this untrustworthy behaviour among Russian-affiliated ransomware groups. When groups like Nova are unreliable in their business dealings, victims may become less willing to pay high ransom demands to Russian-speaking threat actors–or pay at all. As a result, we could see less money flowing into Russia’s state-sponsored cyber operations, which stands to benefit defenders.
What We Can Learn From the Nova Case
Dutch police advise: “Never pay cybercriminals during a ransomware attack. You keep their business model alive, and there is no guarantee your data will be safe.”
Yet many companies still do pay. Why? Think of it like a kidnapping; you would be more than willing to pay to get your loved one back. Only this time, it’s not people but data being held hostage. Refusing to pay can mean that highly sensitive information is published online. That brings risks far beyond the company itself. Cybercriminals know this all too well. Northwave often sees cases where ransomware criminals describe in great detail what's on the line for organisations and their customers when personal data is leaked:
- Personal finances: employees and customers risk identity theft, unauthorised loans, financial losses, and fraud
- Physical safety: exposure of employees' home addresses or daily routines add risk of harm or intimidation
- Market position: accounting files, documents, and audits can give competitors invaluable insights for a competitive advantage
- Compliance: regulatory entities may penalise the company with hefty fines and stakeholder trust can be (further) damaged
However, the Nova case reveals how ransomware cybercriminals are continuously adapting their methods and paying ransom is never a reliable solution. For companies, the implications are clear:
- Strengthen defences to prevent breaches in the first place.
- Prepare for extortion scenarios with clear incident response and communication strategies.
- Always involve law enforcement, despite criminal threats to the contrary.
- Get support from experienced ransomware negotiators.
How Northwave Can Help
Northwave's Incident Response team (NW-CERT) handles cyber crises and attacks on a daily basis. Ransomware comprises around 30% of incidents we respond to. Our professional negotiators know these criminal groups and are tuned in to their shifting tactics. Above all, we want to prevent these attacks because we know the implications they have, not only on an organisation's bottom line, but on human lives.
If you want to talk more about how to strengthen your organisations defences against emerging cyber threats, do not hesitate to get in touch with me or my colleagues at Northwave.
You can get more insights from Pim on this case in his interviews (in Dutch) with several media organisations by following these links:
- Hackersgroep Nova wil geen losgeld meer van gehackte Clinical Diagnostics – BNR Radio, 21 augustus 2025
-
Podcast De Dag: onderhandelen met hackers – NPO Radio 1, 19 august 2025
- Hoe onderhandel je met cybercriminelen op het dark web – RTL Nieuws, 18 augustus 2025
- RTL Nieuws 19:30 Uur (vanaf 08:00) – RTL Nieuws, 18 augustus 2025
- Betaal niet aan cybercriminelen – waarom doen bedrijven dat toch? – NOS, 18 augustus 2025
- NOS Journaal 20:00 Uur (vanaf 08:00) – NOS, 18 augustus 2025
- Nieuws en Co (vanaf 13:42) – NPO Radio 1, 18 augustus 2025
- The Daily Move (vanaf 01:47:10) – BNR Nieuwsradio, 18 augustus 2025
We are here for you