May 17, 2021

In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick.

The Commonwealth of Independent States (CIS) more or less matches the exclusion list on an awful lot of malware coming out of Eastern Europe.

The Twitter thread came up in a discussion on the ransomware attack against Colonial Pipeline, which earlier this month shut down 5,500 miles of fuel pipe for nearly a week, causing fuel station supply shortages throughout the country and driving up prices. The FBI said the attack was the work of DarkSide, a new-ish ransomware-as-a-service offering that says it targets only large corporations.

DarkSide and other Russian-language affiliate moneymaking programs have long barred their criminal associates from installing malicious software on computers in a host of Eastern European countries, including Ukraine and Russia. This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities.

In Russia, for example, authorities generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country’s borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies.

Possibly feeling the heat from being referenced in President Biden’s Executive Order on cybersecurity this past week, the DarkSide group sought to distance itself from its attack against Colonial Pipeline. In a message posted to its victim shaming blog, DarkSide tried to say it was “apolitical” and that it didn’t wish to participate in geopolitics.

“Our goal is to make money, and not creating problems for society,” the DarkSide criminals wrote last week. “From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

But here’s the thing: Digital extortion gangs like DarkSide take great care to make their entire platforms geopolitical, because their malware is engineered to work only in certain parts of the world.

DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) — former Soviet satellites that mostly have favorable relations with the Kremlin. The full exclusion list in DarkSide (published by Cybereason) is below:

Image: Cybereason.

Simply put, countless malware strains will check for the presence of one of these languages on the system, and if they’re detected the malware will exit and fail to install.

[Side note. Many security experts have pointed to connections between the DarkSide and REvil (a.k.a. “Sodinokibi”) ransomware groups. REvil was previously known as GandCrab, and one of the many things GandCrab had in common with REvil was that both programs barred affiliates from infecting victims in Syria. As we can see from the chart above, Syria is also exempted from infections by DarkSide ransomware. And DarkSide itself proved their connection to REvil this past week when it announced it was closing up shop after its servers and bitcoin funds were seized.]

CAVEAT EMPTOR

Will installing one of these languages keep your Windows computer safe from all malware? Absolutely not. There is plenty of malware that doesn’t care where in the world you are. And there is no substitute for adopting a defense-in-depth posture, and avoiding risky behaviors online.

But is there really a downside to taking this simple, free, prophylactic approach? None that I can see, other than perhaps a sinking feeling of capitulation. The worst that could happen is that you accidentally toggle the language settings and all your menu options are in Russian.

If this happens (and the first time it does the experience may be a bit jarring) hit the Windows key and the space bar at the same time; if you have more than one language installed you will see the ability to quickly toggle from one to the other. The little box that pops up when one hits that keyboard combo looks like this:

Cybercriminals are notoriously responsive to defenses which cut into their profitability, so why wouldn’t the bad guys just change things up and start ignoring the language check? Well, they certainly can and maybe even will do that (a recent version of DarkSide analyzed by Mandiant did not perform the system language check).

But doing so increases the risk to their personal safety and fortunes by some non-trivial amount, said Allison Nixon, chief research officer at New York City-based cyber investigations firm Unit221B.

Nixon said because of Russia’s unique legal culture, criminal hackers in that country employ these checks to ensure they are only attacking victims outside of the country.

“This is for their legal protection,” Nixon said. “Installing a Cyrillic keyboard, or changing a specific registry entry to say ‘RU’, and so forth, might be enough to convince malware that you are Russian and off limits. This can technically be used as a ‘vaccine’ against Russian malware.”

Nixon said if enough people do this in large numbers, it may in the short term protect some people, but more importantly in the long term it forces Russian hackers to make a choice: Risk losing legal protections, or risk losing income.

“Essentially, Russian hackers will end up facing the same difficulty that defenders in the West must face — the fact that it is very difficult to tell the difference between a domestic machine and a foreign machine masquerading as a domestic one,” she said.

KrebsOnSecurity asked Nixon’s colleague at Unit221B — founder Lance James — what he thought about the efficacy of another anti-malware approach suggested by Twitter followers who chimed in on last week’s discussion: Adding entries to the Windows registry that specify the system is running as a virtual machine (VM). In a bid to stymie analysis by antivirus and security firms, some malware authors have traditionally configured their malware to quit installing if it detects it is running in a virtual environment.

But James said this prohibition is no longer quite so common, particularly since so many organizations have transitioned to virtual environments for everyday use.

“Being a virtual machine doesn’t stop malware like it used to,” James said. “In fact, a lot of the ransomware we’re seeing now is running on VMs.”

But James says he loves the idea of everyone adding a language from the CIS country list so much he’s produced his own clickable two-line Windows batch script that adds a Russian language reference in the specific Windows registry keys that are checked by malware. The script effectively allows one’s Windows PC to look like it has a Russian keyboard installed without actually downloading the added script libraries from Microsoft.

To install a different keyboard language on a Windows 10 computer the old-fashioned way, hit the Windows key and X at the same time, then select Settings, and then select “Time and Language.” Select Language, and then scroll down and you should see an option to install another character set. Pick one, and the language should be installed the next time you reboot. Again, if for some reason you need to toggle between languages, Windows+Spacebar is your friend.
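The same check and the same change can be made from PowerShell rather than by clicking through Settings or running someone else’s .reg file. The script below is an added example written for this post; it is not Unit221B’s two-line script and nothing in it comes from the original article. It assumes Windows 10 with the built-in International module (Get-WinUserLanguageList / Set-WinUserLanguageList), reads the per-user HKCU\Keyboard Layout\Preload key, and uses an illustrative subset of CIS language ids (an assumption, not the DarkSide exclusion list). By default it only reports which layouts are preloaded; with -AddRussian it appends a Russian input layout while leaving the existing default language in place.

```powershell
# Added example for this post (not Unit221B's script, not from the original
# article). Audits which keyboard layouts Windows has preloaded for the
# current user and, only when asked, appends a Russian input layout while
# leaving the existing default language untouched.
# Assumptions: Windows 10, PowerShell 5.1+, built-in International module.
[CmdletBinding()]
param(
    # Audit only by default; add the layout only when this switch is given.
    [switch]$AddRussian
)

# Keyboard layout identifiers (KLIDs) are stored as 8 hex digits under
# HKCU\Keyboard Layout\Preload; the low 16 bits are the Windows language id.
# Illustrative subset of CIS languages (assumed mapping, not the full
# exclusion list shown in the post).
$CisLanguageIds = @{
    '0419' = 'Russian'
    '0422' = 'Ukrainian'
    '0423' = 'Belarusian'
    '043F' = 'Kazakh'
}

function Get-PreloadLayout {
    # Each value under Preload is named "1", "2", ... in the order Windows
    # offers the layouts; the data is the KLID, e.g. 00000409 (US English).
    $props = (Get-ItemProperty -Path 'HKCU:\Keyboard Layout\Preload').PSObject.Properties
    $props |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object {
            $klid = ([string]$_.Value).ToUpper()
            [pscustomobject]@{
                Slot   = [int]$_.Name
                Klid   = $klid
                LangId = $klid.Substring($klid.Length - 4)
            }
        }
}

function Test-CisLayoutPresent {
    param([object[]]$Layouts)
    foreach ($layout in $Layouts) {
        if ($CisLanguageIds.ContainsKey($layout.LangId)) { return $true }
    }
    return $false
}

$layouts = @(Get-PreloadLayout)
Write-Host 'Keyboard layouts preloaded for this user:'
foreach ($layout in $layouts) {
    $label = if ($CisLanguageIds.ContainsKey($layout.LangId)) {
        $CisLanguageIds[$layout.LangId]
    } else {
        'other'
    }
    Write-Host ('  slot {0}: {1} ({2})' -f $layout.Slot, $layout.Klid, $label)
}

if (Test-CisLayoutPresent -Layouts $layouts) {
    Write-Host 'A CIS-language keyboard layout is already present; nothing to do.'
} elseif ($AddRussian) {
    # Appending keeps the first entry (the default input language) as it is,
    # so the new layout never becomes the only one offered at sign-in.
    $list = Get-WinUserLanguageList
    if (-not ($list | Where-Object { $_.LanguageTag -eq 'ru-RU' })) {
        $list.Add('ru-RU')
        Set-WinUserLanguageList -LanguageList $list -Force
        Write-Host 'Added ru-RU to the user language list. Sign out and back in, then re-run to confirm it appears under Preload.'
    } else {
        Write-Host 'ru-RU is already in the user language list; sign out and back in for Preload to refresh.'
    }
} else {
    Write-Host 'No CIS-language layout found. Re-run with -AddRussian to append one.'
}
```

Run it once without arguments to see what the current user already has, and again with -AddRussian to append the layout. It reads and writes per-user settings, so run it as the account whose sign-in matters. Adding an entry to the user language list registers an input layout only; the display language stays as it was, and the existing first entry remains the default, which is the ordering that determines what the sign-in screen offers.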


147 thoughts on “Try This One Weird Trick Russian Hackers Hate

  1. shag

    cyka bylat… you have caught on to my evil schemes!!! Darn you scooby doooo!!

    1. comrad kat

      A visit a day from the spetnaz, keeps the domestic hackers at bay.

      1. Yakov Smirnoff

        In Mother Russia you don’t choose keyboard. Keyboard choose you.

  2. comrade kat

    A visit a day from the spetnaz, keeps the domestic hackers at bay.

  3. Zobskis

    I just installed every language pack on windows 10, so I should be safe from malware originating in any country 🙂

    1. DPatriot

      You feel safe until you find out you’ve been hacked.

  4. Gary Law

    This message was posted from a Chromebook…I haven’t used a Windows computer in a very long time. Best decision ever buying a Chromebook.

    1. garhuy

      I dont assimilate with the borg or google

  5. David B

    There are several Russian keyboard layouts from which to choose. Would we need to choose them all?

    1. Me

      I only installed the PYC Russian language pack. The thing that puzzles me is that after installing it I checked for the registry entries that are inserted by James’ .reg file updater and the entries for Russian were not there. I would have expected they would be. Remember, all these language packs are going to take up some disk space. If you only install the Russian it’s probably no big deal, but if you install 14 language packs it might be a waste of disk space. I’m not a Windows expert, so I’m trying to learn more about what James’ reg file updater is supposed to do. I don’t mind adding registry entries for 14 languages, but I’m not going to install 14 languages packs on my computer.

      1. Me

        Ah–correction. The second of the two (2) keys he inserts is in there after all; however the first of the two (2) is not.

  6. Andrew Odri

    I would think that as soon as quick ‘n nasty malware circumvention starts entering the public consciousness (i.e. now) and simple OS language checks get a little more scrutiny in their local market (and possibly eat into their profits), they’ll start getting more sophisticated. I’m kinda surprised they don’t just hardcode CIS/CSTO IP blocks and check against that… It would be simple, eliminate the domestic market almost completely, and it would be pretty hard/annoying to spoof or obtain IPs in those ranges as a circumvention measure.

    1. Jonathan Werts

      I doubt this will really catch on. It’s not like Microsoft will start shipping the Russian keyboard set with every PC. If someone is running an operation that’s so far out of date they have to worry about ransomware, they’re probably not paying enough attention to do this either.

      Also, what malware ignores today might be what it targets tomorrow. There is a long history of malicious code specifying OS versions and other details about what they want to attack.

      1. Gerold Manders

        You are under the delusion that a fully patched computer is not vulnerable. Or are under the impression that Windows 10 is so much safer than previous versions of Windows. In a lot of ways Windows 10 has improved on that front, except not nearly enough to go up against RATs in combination with crypters (malware that is being processed by crypters before distribution is almost always not detected by either AV or anti-malware software). Doesn’t matter if you have a paid subscription for those or run free ones.

        And when that malware puts the RAT on your system, the RAT will have access to every keystroke you make, access to all files, access to video camera (if available), access to microphone (if available) and full access to the screen too. Computers that are infected this way are called ‘Slaves’ and these “slaves” are sold for dimes on the dollar. Saw a YT video where a guy with very little programming knowledge could buy 300 “slaves” for 50 Euros’ worth of Bitcoin. He paid and a day later he sure got what he paid for.

      2. Ana Digi

        The Russian language pack already exists on my PC. Win10 Pro system. Many others available too. Nothing downloaded when I installed it, just a few clicks. Sure, I know they’ll likely find/apply some sort of defeat to it, but it’s nice to find something so simple that’ll make me, at least for a while, just a little bit safer.

    2. Nico

      “I’m kinda surprised they don’t just hardcode CIS/CSTO IP blocks and check against that”
      What would the use be?
      The external interfaces of the router(s) will have public IPs, but inside, everything will be running with 192.168.x.x or 10.x.x.x IPs. Unless you are going to run down the complete tracert path until you get to public IPs from each box, you have no way of knowing what public IP the private IP box is going to eventually run out through. In simple networks, the box hits a default gateway that then goes to an external address, but in complex networks, you may pass through multiple internal networks before heading out–so dumping a box’s default gateway settings won’t tell you anything useful.

      And then you have the scabby ISPs that don’t really give you a real IP, but spoof the entirety of the 0.0.0.0 space and actually proxy you. Let’s not talk about the madness that happens if your ISP is a 4G/5G radio and not landline. And then there’s VPN’ing and TOR routers.

      It’s A LOT more complex than you think to determine a box’s location via IP.

      1. JimF

        This was my first thought too, but you can determine effective IP by at least two approaches: 1) a traceroute analysis (TTL-limited ICMP echo), picking the first non-10.* or 192.168.* address you get back; or 2) the really quick-and-easy one where you ask your command/control system to echo back what it thinks your IP address is.
        Neither is perfect — for instance, a multinational may route all internal traffic to a specific netblock, or there may be a VPN; and if you’re using the command/control system then it becomes much easier to inoculate on a large scale. Nonetheless, I would expect they would be pretty close to 100% effective at discovering a meaningful netblock.

      2. Frank N. Furter

        Plus, Russian oligarchs and diplomatic officials travel outside CIS very often, and they bring their laptops, I’d bet. Would you risk infecting one of them, when they might be in a hotel in Europe, Asia, or wherever?

    3. Tim

      Most Russian computers are in the same IP address space as American ones: 192.168.X.X and 10.X.X.X.
      So, an IP range check is no help. There are other localization checks that can be performed. Extra keyboard layout protection will not last long.
      Some legal Russian software products offer free licenses to users from CIS countries. One such product asked the user to enter the current day of the week in Russian as part of the activation procedure. Malware might do something similar.

  7. Jeff B

    On the other hand, perhaps adding another language will make you a target for different malware that you would have otherwise avoided…

    So far, I think the best bang for the buck is to create artifacts that make you look like a malware researcher. E.g. adding a file path or registry entries for wireshark, pdf-parser, volatility, etc…

  8. flycyberguy

    Does Chinese language installation work too? Since China’s a source of a few cyber attacks too

  9. Anonymous

    Is this Windows specific or does it apply to other OSs?

  10. BO3

    Too bad that installing ENG US keyboard will not stop intrusions from the US outlets

  11. Alessio

    Never really thought about that but it completely makes sense that they wouldn’t want to raise red flags in their country.

  12. Readership1

    Have not been here in a while, because it got too political.

    Not liking the new mobile version; won’t allow desktop view. A ton of scripting and bad font is forced. Blech. No more About link, no contact form.

    I’ll check for a BK reply in a day or two. But not liking the new look at all.

    1. Honestly

      Who. Cares. BK has work to do not babysitting whiny gripes about the layout.

    2. Bit_switcher

      So you ran away when BK said something mean about your favorite reality show host and now you’re back to complain about the font and formatting?
      You whine almost as much as your idol.

  13. dave

    I installed the reg key gorussian.reg from unit221b, my system crashed and now I cannot log in, does anyone have a fix?
    thank you

  14. c1ue

    Sounds good except I guarantee the attackers will simply check to see what keyboard is active.
    Someone who is installing a “safe” country keyboard will never actually have that keyboard active, so a check which (level 1) sees what keyboard is actually in use will remove that majority of “maskirovka” users.
    A 2nd level check – to see when the keyboard was last changed – would be even more effective.
    And a 3rd check: relative durations of keyboards active would effectively finish off the use of this method.
    No doubt there are plenty of other methods to negate such defenses such as IP locations…

    1. PHP

      Active keyboard changes a lot, especially with those writing in English.
      Not everybody can install Russian as the primary language on a non-licensed Windows.
      But default keyboard could be an option.

      But personally I doubt doing more intensive tricks is worth it. Less than 1% will likely get the Russian keyboard.

  15. Alex Bodryk

    We entered the era when we have to please cybercriminals to avoid loss. Did we surrender?

    Most ransomware cases have an RDP bruteforce attack vector which is prevented by common sense and discipline. It looks like the IT world does not have discipline any more. It’s a pity.

    And if you do what Brian recommended Russian hackers would eventually return to chase you more – they know you’re weak because you surrendered before.

  16. Alex Bodryk

    And if you do what Brian recommended Russian hackers would eventually return to chase you more – they know you’re weak because you surrendered before by installing a keyboard and never using it.

    1. Anonymous

      Ah, so if you’re being punched in the face repeatedly, you shouldn’t duck, because it’s not manly and they might try and punch you again?

      Get real. Russian hackers – hell, any criminals – are coming for you anyway, irrespective of your actions. However, this might slow the Russian ones down.

  17. John

    All this effort worldwide to make Windows PCs safer is like telling someone to avoid abrupt stops while driving a Ford Pinto, which infamously exploded when rear ended, filled with nitroglycerin.

    Companies train employees not to slam on the brakes. So everyone in IT is just servicing these Ford Pintos full of NG instead of giving their users damn Macs, like IBM did when it bought over 200,000 (read the JAMF reports on IBM’s use of Macs).

    The only Mac ransomware I’ve read about comes from installing pirated software. None I’ve read spread to other Macs on a network.

    Humans are fools of habit.

    IT departments generally suck because they’re basically car mechanics trying to keep Ford Pintos packed with NG running.

    Attack surfaces? Windows itself is one big Pinto NG attack surface.

    IBM’s IT seems like the only sane IT dept at a mega corp. They found they only need a small fraction of IT to support Macs compared to PCs, that employee retention is much higher for IBM’s Mac users, and quantified it all, stating each Mac there cost IBM $273-$543 less compared to a Windows PC over 4-year period.

    1. c1ue

      So IBM saved $243 to $544 over 4 years, but paid $500-$1500 more for the computer to start with.
      Doesn’t seem like a win to me…

    2. Youre Kidding

      You’re kidding, right?? Every day the security blogs are filled with reports on new Mac malware & a good portion of it is ransomware.

      My experience with over 30 years of providing IT Tech Support for a large semiconductor company was that providing support for Macs was nearly 10X the cost & effort of both the PCs and Linux workstations.

    3. Bob

      The reason there is less malware attacking Macs is because there are fewer Macs. If you were to build malware for an automobile would you build it for Chevrolet (2M sold/yr in U.S.) or for Fiat (7,000 sold/yr in U.S.)? If Mac ever became mainstream you can bet they would become the focus of most attacks.

  18. markWeld

    Does anyone have any idea whether this hacking group is also behind the Irish Health System hack that happened here (in Ireland) a few days ago? The hospitals in the whole country have come to a shutdown and can’t operate because of these heartless hackers! Some people might even die because of this… they really have no idea the problems they can cause sometimes.

  19. Hetman

    Waiting for someone educated in geography who will tell Brian that Ukraine is not part of CIS

    1. mealy

      “Ukraine ended its participation in CIS statutory bodies on 19 May 2018” – Unrelated non-gripe, but that’s not geography.

      1. gheorghe

        Politically it’s ended its membership, but there are tons of other connections between all CIS countries – including justice and criminal regulations.

  20. David

    This is an easy fix for many Russian ransomware attacks. However, it is not a fix for all Russian attacks or attacks from other countries. But if someone would like to confirm with data that this also works on Chinese ransomware, I’m all eyes.

    1. gheorghe

      It is not a fix, it’s merely a lifehack. The best fix would be to switch to GNU/Linux systems. I have never heard of ransomware on GNU/Linux distributions, and I am kind of sure that the free software community will find an easy hack to stop any ransomware malware from installing on GNU/Linux systems.

  21. Albert Spork

    “One weird trick”
    How 2019. Or was it 2018?

  22. Conrad

    I installed the “clickable two-line Windows batch script” referenced above, and in some of my PCs, a Russian keyboard was the ONLY kb available at login! (I VNC’d into the PC and I got an English keyboard that way.) I am submitting a fix for the script so that does not happen.

  23. Owen M

    “How to protect yourself from being hacked”: download and run this shell script that you don’t understand…

  24. Bobo

    So, I did not see mentioned in a single news story about the Colonial Pipeline ransomware attack that it was executed on the Windows operating system. If this is true, why in God’s name — or how in God’s name — can any reputable company or government still be running Windows when these vulnerabilities are so common? (Yes, I know the answer: money. But… really?). I still don’t understand how Microsoft has not been sued out of existence for publishing such an apparently defenseless and hackable operating system. Swiss cheese has fewer holes.

    1. Chris Hurley

      Ransomware does not require bugs or even elevated permissions. Anything that the user has access to do (edit or remove files that are important to them), an attack can get them to do in a more malicious way. I built a proof-of-concept malware using PHP that was detected and stopped by almost no endpoint protection. The ones that did stop it were circumvented in about 15 minutes. Some of the sophisticated parts of attacks like killing shadow copies on a Windows computer were defended but the point is that anything a user can do, an attacker can exploit. That’s a pretty big surface area.

  25. Charles Budde

    Try leading with a declarative sentence.

  26. Peter Gates

    Where can I find a virtual Klingon keyboard? I need to protect against them especially.

  27. bill bloggs

    A better way to check where the PC is located is to look at the timezone settings. I suspect nearly everyone runs their PC with the timezone set to their current location, even in CIS countries. I also think not many people in the West would want to change their timezone to a CIS country timezone in order to defeat malware either.
