VYPR
Breach · Published Jun 2, 2026 · 1 source

Ransomware Affiliate Banned After Accidentally Targeting Russian-Aligned Firm

An affiliate of the Nova ransomware operation has been banned from the program after mistakenly targeting Eriell Group, an oilfield services company with significant ties to Russia and Uzbekistan.

In a rare display of adherence to unwritten cybercriminal codes, the ransomware affiliate program Nova has formally apologized and banned one of its operators for targeting Eriell Group, a major oilfield services company with headquarters in Uzbekistan and a corporate office in Moscow. The incident highlights a long-standing, albeit informal, rule among some ransomware gangs: avoid attacking organizations within Commonwealth of Independent States (CIS) countries.

Eriell Group reportedly contacted Nova directly to report the affiliate's misstep. In response, Nova issued a "formal apology" and promised free recovery assistance to Eriell, claiming that no files were encrypted and no data was exfiltrated. The affiliate responsible has been permanently banned from the Nova operation, signaling a swift and decisive internal consequence for violating this sensitive operational boundary.

This incident underscores the complex geopolitical landscape that even cybercriminals navigate. While ransomware operations are illegal in Russia and other CIS nations, their governments often turn a blind eye to financially motivated cybercrime, particularly if it does not target domestic entities. This tacit tolerance creates a de facto safe harbor, but it comes with the implicit understanding that attacking local businesses or those closely aligned with state interests is strictly off-limits.

Several prominent ransomware groups, including DragonForce, VanHelsing, and LockBit, explicitly prohibit their affiliates from targeting Russian or other CIS-based organizations. This policy is likely in place to avoid drawing unwanted attention from national law enforcement or intelligence agencies, which could disrupt their operations or lead to the extradition of their members.

The Nova affiliate's mistake serves as a cautionary tale. By failing to respect this critical, unwritten rule, the affiliate not only jeopardized their own standing within the Nova program but also risked broader repercussions for the entire ransomware operation. It's a stark reminder that even in the shadowy world of cybercrime, there are lines that, when crossed, carry significant consequences.

This incident also follows a pattern of cybercriminals making significant errors. Previously, the Scattered Lapsus$ Hunters fell into a honeypot set by Resecurity, leading to legal action. The CyberVolk crew hardcoded master keys into their ransomware, allowing victims to decrypt files for free. Conversely, other groups like Sicarii and Nitrogen have introduced coding errors that prevent victims from recovering their data, rendering ransom payments futile.

John Fokker, VP of threat intelligence strategy at Trellix, has previously commented on the tendency to mythologize threat actors, emphasizing that they are often just individuals prone to mistakes. The Nova affiliate's blunder, while potentially serious for the individual involved, provides a moment of dark humor and reinforces the idea that even sophisticated criminal enterprises are not immune to basic operational errors.

The swift action taken by Nova against its affiliate demonstrates a pragmatic approach to risk management. By quickly addressing the breach of protocol and offering remediation, Nova likely aimed to contain the damage, appease Eriell Group, and signal to other affiliates the importance of adhering to operational guidelines, particularly those concerning geopolitical sensitivities.

Synthesized by Vypr AI