Home > Security > Security News

RAlord Affiliate Banned for Breaking CIS Ransomware Rule, Infecting Eriell Group

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Affiliate Removed After Crossing a Restricted CIS Boundary
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google
Key Takeaways
  • CIS Rule Violated: Nova, the affiliate program for RAlord, accidentally infected Eriell Group, breaking the unwritten rule against targeting CIS organizations.
  • Affiliate Consequences: The responsible affiliate was reportedly banned from the criminal operation following the incident.
  • Formal Apology Issued: Nova promised free recovery assistance and pledged not to leak any stolen data from Eriell Group.

Nova, the affiliate program for ransomware crew RAlord, issued a formal apology to Eriell Group after one of its affiliates infected the company. Eriell Group is a major oilfield services company headquartered in Uzbekistan and with a corporate office in Moscow. 

The incident drew immediate attention in the threat intelligence community, with threat-hunter Dominic Alvieri calling it the ransom "dumbass of the day."

The First Rule of Ransomware Club

The attack violated what Dominic Alvieri described as the "first rule of ransomware club," which is never to infect organizations in Russia or other Commonwealth of Independent States (CIS) countries. 

Nova hackers apologize to Eriell Group | Source: Dominic Alvieri on X
Nova hackers apologize to Eriell Group | Source: Dominic Alvieri on X

Eriell Group allegedly contacted Nova directly, notified the operators of the affiliate's mistake, and reportedly banned the responsible affiliate from the criminal operation. Nova issued a formal apology, offered to assist Eriell with the recovery process free of charge, claimed it did not encrypt any files, and pledged not to leak any stolen data.

Ransomware cartels, including the Medusa ransomware group, DragonForce, and LockBit, expressly prohibit their members and affiliates from targeting Russian and other CIS organizations.

A Pattern of Criminal Errors

The incident adds to a growing list of operational failures among ransomware and cybercrime groups. In early 2026, Scattered Lapsus$ Hunters fell into a Resecurity honeypot, and an INC Ransom backup server security failure enabled 12 US companies to recover their data.

In late 2025, researchers discovered a major security failure that exposed LockBit 5.0 infrastructure details, including a key IP address and domain. 

In July 2024, the Brain Cipher ransomware gang offered the key and apologized after hitting the Indonesian government.

Add a Comment
Related
WeedHack Malware Infects 116,000+ Minecraft Systems via Fake Mods
Spain Police Arrests Suspect in Massive Doxing Campaign Against State Officials
Man - Laptop - Cloud - Warning - Password - Security
Dashlane Discloses Brute-Force Attack Bypassing 2FA Protocols
Malware Target
Over 30 Red Hat npm Packages Compromised by Shai-Hulud Malware Variant
Instagram Patches Meta AI Support Assistant Hijacking Vulnerability
Massive 17-Million Device Botnet in the Netherlands Dismantled in a Police and NCSC Joint Operation 
Most Popular
WeedHack Malware Infects 116,000+ Minecraft Systems via Fake Mods
New Identity Battleground: Attackers Don’t Need to Break MFA, they Just Need a Help Desk
California Social Media Ban Bill Moves to State Senate
California Bill Seeking to Ban Social Media Accounts for Under-16s Advances to State Senate
X-VPN No-Logs Audit Verifies Privacy and Data Practices
X-VPN Completes Independent No-Logs Audit, Confirms Privacy Practices Through Third-Party Review
Spain Police Arrests Suspect in Massive Doxing Campaign Against State Officials
When Your Phone is Subscribed Without Consent, the Attack Has Already Worked
WeedHack Malware Infects 116,000+ Minecraft Systems via Fake Mods
New Identity Battleground: Attackers Don’t Need to Break MFA, they Just Need a Help Desk
California Bill Seeking to Ban Social Media Accounts for Under-16s Advances to State Senate
X-VPN Completes Independent No-Logs Audit, Confirms Privacy Practices Through Third-Party Review
Spain Police Arrests Suspect in Massive Doxing Campaign Against State Officials
When Your Phone is Subscribed Without Consent, the Attack Has Already Worked

Most Popular
WeedHack Malware Infects 116,000+ Minecraft Systems via Fake Mods
New Identity Battleground: Attackers Don’t Need to Break MFA, they Just Need a Help Desk
California Social Media Ban Bill Moves to State Senate
California Bill Seeking to Ban Social Media Accounts for Under-16s Advances to State Senate
X-VPN No-Logs Audit Verifies Privacy and Data Practices
X-VPN Completes Independent No-Logs Audit, Confirms Privacy Practices Through Third-Party Review
Spain Police Arrests Suspect in Massive Doxing Campaign Against State Officials
When Your Phone is Subscribed Without Consent, the Attack Has Already Worked
WeedHack Malware Infects 116,000+ Minecraft Systems via Fake Mods
New Identity Battleground: Attackers Don’t Need to Break MFA, they Just Need a Help Desk
California Bill Seeking to Ban Social Media Accounts for Under-16s Advances to State Senate
X-VPN Completes Independent No-Logs Audit, Confirms Privacy Practices Through Third-Party Review
Spain Police Arrests Suspect in Massive Doxing Campaign Against State Officials
When Your Phone is Subscribed Without Consent, the Attack Has Already Worked

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2026 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: