Ransomware gang apologizes after affiliate hits Russian ally
Nova ransomware crew bans affiliate, offers free recovery after accidentally infecting a CIS oilfield services firm, risking Kremlin safe harbor.

Nova, the affiliate program for the RAlord ransomware crew, issued a formal apology to Eriell Group after an affiliate accidentally infected the Uzbekistan-based oilfield services company, which has a Moscow office. The breach of the unwritten rule against attacking CIS targets could have jeopardized the gang's safe harbor in Russia, forcing Nova to ban the affiliate and offer free recovery.
Even ransomware cartels have rules, and breaking them can be a one-way ticket to a Russian gulag. That's the lesson learned by a now-banned affiliate of Nova, the affiliate program for the RAlord ransomware crew, after they accidentally infected Eriell Group, a major oilfield services company headquartered in Uzbekistan with a corporate office in Moscow.

The blunder, flagged by threat hunter Dominic Alvieri as the "dumbass of the day," triggered an immediate apology from Nova and a promise to help Eriell recover "free of charge." The gang claimed no files were encrypted and pledged not to leak any stolen data. The affiliate has been permanently banned from the operation, according to sources cited by The Register.

The incident underscores a critical unwritten rule in the cybercriminal underworld: never attack organizations in the Commonwealth of Independent States (CIS), a loose alliance of post-Soviet republics including Russia, Belarus, Kazakhstan, and Uzbekistan. "Apparently, the first rule of ransomware club, you don't attack organizations in the Commonwealth of Independent States (CIS), is still very much in effect in 2026," Recorded Future threat intelligence analyst Allan Liska told The Register.

The rule exists because while cybercrime is technically illegal in Russia and other CIS countries, their governments often provide safe harbor for financially motivated criminals, especially those who also work as state-sponsored hackers. Local police typically look the other way, but only as long as the gangs avoid infecting in-country organizations. Hitting a local company risks losing that protection, which is why crews like DragonForce, VanHelsing, and LockBit explicitly prohibit their members from targeting Russian or CIS entities. For Nova, the stakes were existential: a single affiliate's mistake could have brought the full weight of Russian law enforcement down on the entire operation. The apology and ban were damage control, a move to preserve the gang's operational sanctuary.

This isn't the first time cybercriminals have made dumb mistakes. Earlier this year, the Scattered Lapsus$ Hunters crew claimed they had gained "full access" to Resecurity's systems and stolen "everything." Resecurity later offered its "congratulations" to the crew, which had fallen into the threat intel team's honeypot, resulting in a subpoena being issued for one of the data thieves. Pro-Russian hacktivist crew CyberVolk got sloppy when they debuted a ransomware service late last year, hardcoding the master keys into executable files, allowing victims to recover data without paying. On the flip side, coding errors in Sicarii ransomware make recovery nearly impossible: the encryptor generates a new cryptographic key pair during every execution but discards the private key, meaning there's no recoverable master key. Similarly, a programming mistake in Nitrogen ransomware prevents the gang's decryptor from recovering victims' files, making paying up futile.

For executives, this incident is a reminder that even the most sophisticated criminal operations are run by humans who make mistakes. Trellix VP of threat intel strategy John Fokker, who started publishing the Dark Web Roast to troll cybercriminals, told The Register: "These are just individuals, they just use computers, and they just want to steal your data and make money. They're not mythical. They don't have superpowers."

The takeaway for CIS-based companies: if you are hit by ransomware, check whether the attackers have violated their own rules. A polite call to the gang might just get you a free decryptor and an apology. For companies outside the CIS, the lesson is different: the same gangs that spare Russian targets are happy to encrypt your data. The only difference is the geopolitical calculus, not the threat itself.