In one Twitter discussion last week on ransomware attacks, KrebsOnSecurity Noted that virtually all strains of ransomware have built-in security designed to cover the backs of malware vendors – they simply won’t install on a Microsoft Windows computer on which one of the many types of virtual keyboards is already installed, such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this weird cyber defense trick.
The Twitter thread was brought up during a discussion of the ransomware attack on Colonial Pipeline, which earlier this month shut down 5,500 miles of fuel lines for nearly a week, causing supply shortages at stations. nationwide service and driving up prices. the The FBI said the attack was the work of Dark side, a new ransomware-as-a-service offering that says it only targets large companies.
DarkSide and other lucrative Russian-language affiliate programs have long prevented their criminal associates from installing malware on computers in a multitude of Eastern European countries, including Ukraine and Russia. This ban dates back to the early days of organized cybercrime and aims to minimize the control and interference of local authorities.
In Russia, for example, local authorities will generally not open a cybercrime investigation against one of their own unless a company or individual within the country’s borders files a formal complaint as that victim. Making sure that no affiliate can claim victims in their own country is the easiest way for these criminals to stay off the radar of national law enforcement agencies.
Maybe feel the warmth of being reference in President Biden’s Executive Order on Cyber Security Last week, the DarkSide group sought to distance itself from its attack on Colonial Pipeline. In a post on his Shame on Victims blog, DarkSide attempted to say he was “apolitical” and unwilling to participate in geopolitics.
“Our goal is to make money, not to create problems for society,” DarkSide criminals wrote last week. “From today, we are introducing moderation and checking every business our partners want to cost to avoid social consequences in the future.”
But here’s the thing: Digital extortion gangs like DarkSide take great care in making all of their platforms geopolitical, as their malware is designed to only work in certain regions of the world.
DarkSide, like many other malware strains, has a hard-coded list of countries not to install that are major members of the Commonwealth of Independent States (CIS) – former Soviet satellites all of which currently have favorable relationships with the Kremlin. , including Azerbaijan, Belarus, Georgia, Romania, Turkmenistan, Ukraine and Uzbekistan. The complete exclusion list in DarkSide (published by Cybereason) is inferior to:
Simply put, countless strains of malware will check the system for the presence of any of these languages, and if detected, the malware will quit and not install itself.[Side note. Many security experts have pointed to connections between the DarkSide and REvil (a.k.a. “Sodinokibi”) ransomware groups. REvil was previously known as GandCrab, and one of the many things GandCrab had in common with REvil was that both programs barred affiliates from infecting victims in Syria. As we can see from the chart above, Syria is also exempted from infections by DarkSide ransomware. And DarkSide itself proved their connection to REvil this past week when it announced it was closing up shop after its servers and bitcoin funds were seized.]
Will installing any of these languages protect your Windows computer from all malware? Absolutely not. There is a lot of malware out there that doesn’t care where in the world you are. And there is no substitute for adopting a defense-in-depth stance and avoiding risky behavior online.
But is there really a downside to taking this simple, free prophylactic approach? None that I can see, except maybe a gloomy sense of surrender. The worst that can happen is that you accidentally toggle the language settings and all of your menu options are in Russian.
If this happens (and the first time the experience can be a bit jarring), press the Windows key and the space bar at the same time; if you have more than one language installed, you will see the option to quickly switch between them. The little box that appears when you hit this keyboard combo looks like this:
Cybercriminals are notoriously susceptible to defenses that reduce their bottom line, so why wouldn’t bad guys just turn things around and start ignoring proofreading? Well they sure can and maybe even will (a recent version of DarkSide analyzed by Mandiant did do not perform the system language check).
But it increases the risk to their personal security and wealth by a not insignificant amount, said Allison Nixon, director of research at the New York-based cyber investigation firm Unit221B.
Nixon said that due to Russia’s unique legal culture, criminal hackers in that country use these controls to ensure that they only attack victims outside of the country.
“It’s for their legal protection,” Nixon said. “Installing a Cyrillic keyboard, or changing a specific registry entry to say ‘RU’ etc., may be enough to convince malware that you are Russian and banned. This can technically be used as a “vaccine” against Russian malware. “
Nixon said that if enough people did so in large numbers, it might in the short term protect some people, but more importantly, in the long term, it forced Russian hackers to make a choice: risk losing legal protections or risking risk. to lose income.
“Essentially, Russian hackers will end up facing the same difficulty that Western defenders face – the fact that it is very difficult to tell the difference between a home machine and a foreign machine masquerading as a home machine.” , she said.
KrebsOnSecurity asked Nixon’s colleague at Unit221B – founder Lance James – what he thought of the effectiveness of another anti-malware approach suggested by Twitter followers who participated in last week’s discussion: adding entries to the Windows registry that specify that the system is running as as virtual machine (VM). In an effort to block scanning by antivirus and security companies, some malware authors have traditionally configured their malware to stop installation if it detects that it is running in an environment. virtual.
But James said this ban is no longer as common, especially as many organizations have switched to virtual environments for everyday use.
“Being a virtual machine doesn’t prevent malware like it used to be,” James said. “In fact, a lot of the ransomware we’re seeing right now is running on VMs.”
But James says he likes the idea of everyone adding a language from the CIS countries list so much that he produced his own. two-line clickable Windows batch script which adds a Russian language reference in specific Windows registry keys which are checked for malware. The script effectively allows a Windows PC to look like a Russian keyboard is installed without downloading Microsoft’s added script libraries.
To install a different keyboard language on an old-fashioned Windows 10 computer, press the Windows key and X at the same time, then select Settings, then select “Time & language.” Select Language then scroll down and you should see an option to install another character set. Choose one and the language should be installed the next time you restart. Again, if for some reason you need to switch between languages, Windows + Spacebar is your friend.