Nova Ransomware Group Paralyzes University of Gävle in Targeted Cyberattack
Swedish university becomes latest European higher education victim in aggressive campaign by fast-rising Nova ransomware group
November 17, 2025
The University of Gävle (Högskolan i Gävle), a public institution serving more than 16,000 students and 700 staff in central Sweden, has been completely paralyzed by a sophisticated ransomware attack executed by the Nova ransomware group, marking one of the most disruptive incidents to hit Scandinavian academia this year.
The attack began in the early hours of Friday, November 15, 2025, when university IT staff noticed anomalous network behavior. Within hours, the situation escalated dramatically: file servers, virtual learning environments, email systems, research databases, library catalogs, and even campus Wi-Fi management portals were systematically encrypted. Students and faculty attempting to access resources were met with ransom notes bearing the Nova logo and a countdown timer.
By Saturday morning, the university declared a full digital campus shutdown, a measure rarely seen outside major hospital ransomware incidents. All internal systems remain offline as of Monday evening, forcing administrators to revert to paper-based processes for everything from attendance records to payroll.
Nova, a ransomware-as-a-service operation that emerged in mid-2025 and quickly gained notoriety for its speed and aggression, wasted no time claiming responsibility. Less than 24 hours after encryption began, the group updated its dark web leak site with a dedicated entry for the University of Gävle. Initial "proof packs" containing over 200 files were posted, including faculty payroll documents, student grade transcripts, research grant applications, and confidential emails between senior administrators.
The attackers have threatened to release an additional 1.8 terabytes of data if the ransom is not paid within seven days. They claim the data includes personal identification numbers (personnummer) of Swedish and international students, medical records from the campus health center, and proprietary research in nursing, engineering, and environmental sciences.
"We have everything. Grades, health records, research that took years. Pay or watch it all go public. No negotiation, no extensions." - Excerpt from Nova's public statement on their leak site
The university, founded in 1977 and known for its strong programs in health, technology, and sustainable development, confirmed the breach in a carefully worded statement Sunday evening. Officials emphasized that they are working closely with the Swedish Civil Contingencies Agency (MSB), the Swedish Police Authority's National Cybercrime Center, and private incident response firms.
All lectures, seminars, and laboratory sessions scheduled for the entire week of November 17-21 have been canceled. Students in the final year of nursing, teaching, and engineering programs have been hit particularly hard, with thesis defenses and clinical placements thrown into uncertainty just weeks before the end-of-year deadline.
Immediate Impact Overview:
- Complete encryption of over 400 virtual servers and 1,200 endpoints
- Learning management system (Canvas) and student portal unavailable since November 15
- Email and Microsoft 365 environment fully offline
- Library systems and digital archives inaccessible
- All on-campus exams postponed indefinitely
- Research projects in energy systems and occupational health halted
- Payroll processing for November delayed
- Initial data samples already published on dark web
Preliminary forensic analysis suggests the attackers gained initial access through compromised credentials belonging to a third-party facilities management contractor. From there, they moved laterally across poorly segmented networks, eventually obtaining domain administrator privileges. The Nova payload was deployed in a coordinated wave shortly after midnight on Friday, completing encryption in under four hours, an indicator of highly automated tooling.
This incident continues a disturbing trend targeting Swedish higher education. In the past twelve months alone, Uppsala University, Lund University, and several university colleges have faced significant ransomware or data extortion attempts. Limited IT budgets, complex legacy environments, and reliance on external vendors have repeatedly been cited as contributing factors.
University leadership has explicitly stated it will not pay the ransom, aligning with recommendations from both Swedish and EU authorities. Restoration efforts are now focused on a combination of air-gapped backups and system rebuilds, though officials cautiously estimate that core services may remain disrupted for two to four weeks.
Students and staff have been instructed to treat all university-related passwords as compromised and to enable multi-factor authentication wherever possible. The Swedish Data Protection Authority (Integritetsskyddsmyndigheten) has been notified, and affected individuals will receive formal breach notifications in the coming days.
As Nova continues to add new victims at a rate of three to five organizations per week, cybersecurity experts warn that the group's professional infrastructure and double-extortion tactics make it one of the most dangerous emerging threats of late 2025. For the University of Gävle, the road to full recovery has only just begun.