You don't infect anyone in Russia or other CIS countries
Analysis Summary
# Threat Actor: RAlord (Nova Affiliate Program)
## Attribution & Identity
* **Primary Actor:** **RAlord** (Ransomware crew)
* **Associated Program:** **Nova** (RAlord’s affiliate program)
* **Actor Type:** Ransomware-as-a-Service (RaaS) operator.
* **Known Associations:** Operated via affiliates. The article notes that Russian-speaking cybercrime groups (such as LockBit, Conti, and REvil) historically follow similar non-aggression pacts regarding CIS territories.
## Activity Summary
In June 2026, an affiliate of the Nova/RAlord program breached and attempted to extort **Eriell Group**. Upon discovering that the victim was headquartered in Uzbekistan with offices in Moscow (both CIS jurisdictions), Nova issued a formal public apology, banned the responsible affiliate, and offered free recovery assistance. The incident illustrates how strictly these groups enforce their "safe harbor" rule in order to avoid retaliation from Russian and other CIS law enforcement.
## Tactics, Techniques & Procedures
* **Data Exfiltration:** Stealing sensitive corporate data for extortion purposes.
* **Encryption Withheld (Claimed):** In this specific instance, the group claimed that it did not deploy encryption after realizing where the victim was located; only the data theft had already taken place.
* **Affiliate Governance:** Use of an affiliate program (Nova) where third-party "contractors" carry out the initial access and deployment.
* **Diplomatic Recovery:** Providing decryption tools and "formal apologies" to victims in protected regions to mitigate legal/political blowback for the core developer group.
## Targeting
* **Sectors:** Oilfield services, energy.
* **Geography:** Global (excluding CIS countries).
* **Victims:** **Eriell Group** (an oilfield services company with headquarters in Uzbekistan and offices in Moscow).
## Tools & Infrastructure
* **Malware:** Nova/RAlord Ransomware.
* **Communication:** Twitter/X and Dark Web leak sites (referenced via social media handles such as `@AlvieriD` and `@ido_cohen2`).
* **Ancillary Mentions:** The article also references unrelated flaws in other groups' tools (e.g., **NoName057(16)**'s hardcoded keys and **Sicarii**'s discarded private keys).
## Implications
* **Geopolitical Safe Harbors:** The "First Rule of Ransomware Club"—not infecting Russia or Commonwealth of Independent States (CIS) members—remains a critical boundary for cybercriminals seeking to avoid domestic prosecution.
* **Operational Risk:** Affiliates who fail to conduct proper due diligence on targets risk being banned from major RaaS platforms, as their actions draw unwanted heat to the core developers.
* **De-mystification of Actors:** The incident reinforces the "Dark Web Roast" perspective: these actors are prone to human error, administrative blunders, and internal policy enforcement similar to legitimate businesses.
## Mitigations
* **Geographic Risk Assessment:** Organizations with branch offices in the CIS region should be aware that while they may be protected by the "first rule" of some gangs, they may still fall victim to "accidental" infections or less-disciplined actors.
* **Data Protection:** Implementation of robust offline backups to counter encryption.
* **Exfiltration Defense:** Focus on egress filtering and Data Loss Prevention (DLP) to identify and stop data theft, as several mentioned groups (like Scattered Lapsus$ Hunters) focus more on data theft than encryption.
* **Vulnerability Management:** Regular patching of external-facing infrastructure to prevent the initial access exploited by RaaS affiliates.