'Dumbass' criminal breaks the 'first rule of ransomware club'

You don't infect anyone in Russia or other CIS countries

Jessica Lyons

Published Tue 2 Jun 2026 // 22:58 UTC

Even ransomware cartels make mistakes, and in this case, it was a biggie that could have landed the responsible crim in a Russian gulag: accidentally infecting a company located in a Commonwealth of Independent States country.

In what threat-hunter Dominic Alvieri deemed the ransom “dumbass of the day,” Nova, the affiliate program for ransomware crew RAlord, on Tuesday issued an apology to Eriell Group, a major oilfield services company with headquarters in Uzbekistan and a corporate office in Moscow.

Apparently, Eriell contacted Nova and notified the ransomware operators about an affiliate's mess-up.

The affiliate has since been banned from the criminal operation, we’re told. In addition to issuing a “formal apology,” the ransomware gang promised to assist Eriell with the recovery process “free of charge.” The malware slingers claimed they didn’t encrypt any files, and pledged not to leak any of the stolen data.

“Apparently, the first rule of ransomware club, you don't attack organizations in the Commonwealth of Independent States (CIS), is still very much in effect in 2026,” Recorded Future threat intelligence analyst Allan Liska told The Register.

While cybercrime is technically illegal in Russia and other CIS countries, their governments often provide safe harbor for extortionists and other financially motivated crims - especially if they also happen to work day jobs as state-sponsored hackers - and local police look the other way unless the gangs infect any in-country organizations.

Some crews, like the DragonForce cartel, VanHelsing ransomware-as-a-service group, and notorious LockBit operators, expressly prohibit their gang members and affiliates from hitting Russian and other CIS targets.

We’re guessing that the Nova affiliate will be high up on all of these gangs’ do-not-hire lists for quite a while.

Still, they aren’t the first cybercriminal, Russian-speaking or otherwise, to make seriously dumb mistakes.

The first rule of ransomware club: You don't attack organizations in the Commonwealth of Independent States

Earlier this year, notorious data-leak-and-extortion crew Scattered Lapsus$ Hunters claimed they had gained "full access" to Resecurity's systems and stolen "everything." Resecurity later offered its "congratulations" to the cybercrime crew, which had fallen into the threat intel team's honeypot – resulting in a subpoena being issued for one of the data thieves.

Pro-Russian hacktivist crew CyberVolk got sloppy when they debuted a ransomware service late last year. They hardcoded the master keys - this same key encrypted all files on a victim's system - into the executable files, thus allowing victims to recover encrypted data without paying any extortion fees.

While that mess-up worked in the victim orgs’ favor, another coding error committed by Sicarii malware developers makes it nearly impossible for companies to recover their files: the Sicarii encryptor generates a new cryptographic key pair during every execution - but then discards the private key, meaning there's no recoverable master key.

Similarly, a programming mistake in Nitrogen ransomware prevents the gang's decryptor from recovering victims' files, again making paying up futile.

Trellix VP of threat intel strategy John Fokker recently told us that he got so sick of seeing the security industry “glorifying threat actors,” that he and his team decided to troll the baddies, and started publishing the Dark Web Roast.

“These are just individuals, they just use computers, and they just want to steal your data and make money,” Fokker told The Register. “They're not mythical. They don't have superpowers.” And just like any other individual - or superhero - they sometimes slip up, and give the rest of us a moment of snarky joy. ®
