A gang's public apology to an Uzbekistan oilfield company it mistakenly hit reveals the internal rules and consequences that govern the ransomware ecosystem.


What happened

Nova, the affiliate program for the RAlord ransomware group, issued a formal public apology on June 2, 2026, after one of its affiliates attacked Eriell Group, a major oilfield services company headquartered in Uzbekistan with a corporate office in Moscow. According to The Register, Eriell contacted Nova directly to report the mistake, the responsible affiliate was immediately banned from the operation, and Nova promised to assist Eriell with recovery free of charge. The gang claimed no files were encrypted and pledged not to leak any stolen data. The incident prompted threat hunters to remind attackers of an unwritten rule within the ransomware ecosystem: never attack organizations in Russia or other Commonwealth of Independent States countries.


Going deeper

The CIS no-target rule is not a courtesy; it is a survival mechanism. Russian and other CIS governments provide a de facto safe harbor to ransomware operators, tolerating financially motivated cybercrime against foreign targets as long as domestic organizations are left alone. The moment a gang or affiliate attacks a CIS-based company, that protection evaporates, and local law enforcement becomes an active threat. According to The Register, several major operations, including DragonForce, VanHelsing, and LockBit, expressly prohibit their affiliates from targeting Russian and CIS organizations in their operational rules. Nova's swift response, apology, free recovery assistance, and affiliate ban were damage control aimed at preserving the group's standing with the Russian-speaking criminal ecosystem and the implicit government tolerance that protects it.


What was said

Allan Liska, threat intelligence analyst at Recorded Future, told The Register that "the first rule of ransomware club, you don't attack organizations in the Commonwealth of Independent States, is still very much in effect in 2026." John Fokker, VP of threat intelligence strategy at Trellix, recently told The Register that the security industry risks "glorifying threat actors" by treating them as mythical adversaries: "These are just individuals, they just use computers, and they just want to steal your data and make money. They're not mythical. They don't have superpowers."


In the know

Operational mistakes in the ransomware ecosystem are more common than the polished branding of major groups suggests. Earlier in 2026, the Scattered Lapsus$ Hunters group claimed it had breached threat intelligence firm Resecurity and stolen everything, only to learn it had walked into a honeypot, resulting in a subpoena being issued for one of the data thieves. CyberVolk hardcoded the same encryption key into all its ransomware executables, allowing victims to recover files without paying. The Sicarii encryptor generates a new cryptographic key during every execution, then discards the private key, making recovery impossible even for victims who pay. According to The Register, a programming error in Nitrogen ransomware similarly makes its decryptor non-functional, rendering ransom payment futile.


The big picture

The Nova incident is a useful reminder that ransomware groups are businesses with internal rules, affiliate management problems, quality control failures, and reputational concerns, not monolithic technical threats operating with perfect discipline. For healthcare organizations, that framing matters in two ways. First, the rules these groups follow have no meaningful carve-out for hospitals, clinics, or patient safety. Groups like Kill Security claim that attacking healthcare requires special administrator approval, yet continue to be highly active in targeting it. Healthcare is a preferred target precisely because operational disruption creates maximum pressure to pay quickly. Second, the ecosystem's self-policing exists entirely to protect criminal operators from law enforcement, not to protect victims. RaaS programs enforce rules like no attacks on CIS countries and no repeat attacks on paying victims by banning affiliates who violate them. An affiliate that mistakenly hits a CIS company gets removed immediately. Healthcare restrictions, where they exist at all, are inconsistently observed; an affiliate that encrypts a pediatric hospital's systems faces no equivalent consequence within the ecosystem.


FAQs

Why do ransomware groups prohibit attacks on CIS countries?

Most major ransomware operations are run by Russian-speaking actors who rely on Russian and allied governments looking the other way while they attack foreign targets. That implicit protection disappears the moment domestic organizations are hit. The CIS no-target rule is self-preservation, not ethics.


What does a ransomware affiliate program actually look like?

Affiliate programs are the operational structure through which most ransomware attacks occur. The core group develops and maintains the ransomware, the leak site, and the negotiation infrastructure. Affiliates are independent operators who conduct the actual attacks in exchange for a share of ransom payments, typically 70% to 80%. The core group sets the rules; the affiliates execute the attacks.


What happens when an affiliate breaks the rules?

Consequences are purely reputational and commercial. A banned affiliate loses access to the ransomware platform and the core group's infrastructure but faces no legal consequence from within the ecosystem. Nova's rapid response, consisting of an apology, free recovery assistance, and a public ban, shows the group's interest in maintaining credibility with the criminal community and the governments that tolerate it, not any concern for the victim.


Why do coding errors in ransomware sometimes help victims?

Ransomware development is software development, and software has bugs. Groups that rush to market or use inexperienced developers produce flawed encryption implementations. When the decryptor does not work, or the master key is hardcoded or discarded, victims who pay receive nothing in return, and researchers who discover the flaw can sometimes build free decryption tools before the group patches the error.


Does understanding the ransomware ecosystem's internal structure help healthcare organizations defend themselves?

Knowing that affiliate-based operations have inconsistent quality control, that groups do make mistakes, and that external pressure from law enforcement disrupts operations helps security teams understand why threat intelligence and rapid response matter. A group under law enforcement pressure makes more mistakes. An affiliate operating outside sanctioned targeting rules is more likely to be sloppy. Neither reduces the probability of an attack, but both affect how an attack unfolds once it begins.