A Ridiculously Simple Defense Against Russian Malware

Disastrous Russian malware attacks on major American corporations and local, state, and federal government agencies are becoming a deeply discomforting and disturbingly regular and frequent occurrence. 

Just recently, a ransomware attack on Colonial Oil by the Russian-speaking cybercriminal gang, Darkside, brought the 5,500 miles of fuel pipeline and 45% of the gasoline consumed by the East Coast to a screeching halt for nearly a week. Panic buying resulted in the draining of more than 17,000 gas stations throughout the Southeast, causing the national average price for a gallon of gas to reach the highest it’s been in six years. 

Less than two weeks prior, the sixth-largest American municipal police department, the Washington D.C. Metropolitan Police, announced its computer servers had been hacked by a “Russian-speaking ransomware syndicate,” the Babuk group. 

Citing unnamed sources, many national media outlets have reported that Colonial Oil paid millions of dollars in ransom to have its networks ultimately freed from cybercriminal’s grip. Colonial Oil has not confirmed these reports. However, if true, the implications are that even America’s most financially powerful companies and major law enforcement agencies are embarrassingly powerless to cybercriminals. 

By all indications, the U.S. as a whole is lagging when it comes to cyber defense. Yet, renowned cybersecurity investigative journalist Brian Krebs recently shared a free and ridiculously simple “pro-tip” for defending against Russian malware. 

According to Krebs, simply installing a Russian or Ukrainian language virtual keyboard on your computer can instantly trigger built-in fail-safes that prevent Russian malware from being installed on a computer system. 

Not claiming to be an all-encompassing cyber defense, in a blog post, Krebs explained, “virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian.” 

Russian Malware

BACKGROUND: THE PIRATE CODE OF RUSSIAN MALWARE 

The primary method used in virtually all recent major cyberattacks has been relatively straightforward. Hackers use fraudulent or “spoofed” messages, typically an email, designed to trick a victim into clicking on a link that covertly installs ransomware. The malicious software can then bypass standard computer authentication or encryption processes, allowing hackers to take over a computer network or exfiltrate data to a remote command-and-control server. 

When reporting on the “Solarwinds Hack” in late-2020, The Debrief noted nearly a quarter of all state-sponsored cyber-attacks in 2020 were perpetrated by Russian-backed Advanced Persistent Threat (APT) groups. Additionally, the vast majority of ransomware attacks against the U.S. and West are conducted by cybercriminal gangs operating from Russia or the Russian-speaking Commonwealth of Independent States. 

The reason for the majority geographical consistency in ransomware hacks is economical, rather than ideological or geopolitical. 

In Russia and most former Soviet republic-states, law enforcement authorities will rarely investigate cybercrimes committed outside their borders or against foreign non-allied nations. By only targeting American or Western countries, these Russian malware gangs ensure they can operate with near-impunity and, by unspoken doctrine, are essentially encouraged by domestic officials to commit cybercrimes. 

Additionally, many of these Russian malware groups are also co-opted by Russia’s intelligence services. As The Debrief also reported, collectives like the Babuk group not only get rich by collecting ransoms from trapped victims but they also provide a great service to Russia’s Federal Security Service (FSB) and Foreign Intelligence Service (SVR) by potentially handing over unimaginable hordes of information on American citizens stolen in cyberattacks. 

“Russian-language affiliate money-making programs have long barred their criminal associates from installing malicious software on computers in a host of Eastern European countries, including Ukraine and Russia,” noted Krebs. “This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities.” 

According to Krebs, this universal unwritten prohibition against targeting their fellow citizens is also precisely why installing a Russian language virtual keyboard on your computer serves as a weird but straightforward cyber defense. 

 

ANALYSIS: WHY INSTALLING A RUSSIAN LANGUAGE KEYBOARD PROVIDES A LAYER DEFENSE AGAINST RUSSIAN MALWARE 

Krebs explains, to maintain operations and stay off local authority’s radar, Russian malware groups and digital extortion gangs specifically tailor their malicious software to only work in certain parts of the world. 

“Darkside, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) — former Soviet satellites that all currently have favorable relations with the Kremlin, including Azerbaijan, Belarus, Georgia, Romania, Turkmenistan, Ukraine and Uzbekistan,” said Krebs. 

To prevent inadvertently being downloaded on a prohibited nation’s computers, Russian malware strains will check for the presence of languages from off-limits regions. If detected, the malware will effectively flip a kill-switch and fail to install. 

An exclusion list provided by cybersecurity firm, Cyberreason, found that the DarkSide malware that shut down Colonial Oil would have failed to download had the malicious software detected one of seventeen different languages, including Russian, Ukrainian, Belarusian, or Arabic (Syrian). 

Russian Malware
The full exclusion list in DarkSide (Image Source: Cybereason)

 

By simply downloading a Russian language keyboard setting or masquerading as a domestic Russian computer, Krebs says it can increase the chances of triggering the embedded failsafe, causing the malware to remove itself. 

“This is for their legal protection,” explained Allison Nixon, chief research officer at New York City-based cyber investigations firm Unit22iB. “Installing a Cyrillic keyboard, or changing a specific registry entry to say ‘RU’, and so forth, might be enough to convince malware that you are Russian and off-limits. This can technically be used as a ‘vaccine’ against Russian malware.”

 

OUTCOME: NOT AN ALL-ENCOMPASSING DEFENSE, BUT RIDICULOUSLY SIMPLE AND FREE

Krebs cautions that downloading a new virtual keyboard on a computer should not be considered a robust and all-encompassing cyber defense. He notes that “Cybercriminals are notoriously responsive to defenses which cut into their profitability,” and so Russian malware groups could quickly come up with new approaches that don’t perform language checks. Krebs also pointed out that a recent version of DarkSide analyzed by Mandiant did not perform the system language check. 

“There is plenty of malware that doesn’t care where in the world you are. And there is no substitute for adopting a defense-in-depth posture, and avoiding risky behaviors online,” Krebs writes. 

Nevertheless, adding a virtual keyboard can offer an extra layer of security that is simple, free, and lacks any real drawback. “The worst that could happen is that you accidentally toggle the language settings and all your menu options are in Russian,” said Krebs. “If this happens (and the first time it does, the experience may be a bit jarring) hit the Windows key and the space bar at the same time; if you have more than one language installed, you will see the ability to quickly toggle from one to the other.” 

The only downside Krebs notes in his blog could be “a sinking feeling of capitulation.” 

To this point, by installing a different language on your computer, at best, you’ve just provided an easy defense against Russian malware. At worst, you’ve made cybercriminals have to work to come up with a new way to avoid domestic scrutiny while still committing their digital crimes. 

Either way, both honestly sound like wins rather than defeats. 

To install a different keyboard language on a Windows 10 computer, one merely needs to go into Settings, select “Time and Language,” and then select to install another language character set on the computer. 

Follow and connect with author Tim McMillan on Twitter: @LtTimMcMillan


Don’t forget to follow us on Twitter, Facebook, and Instagram, to weigh in and share your thoughts. You can also get all the latest  news and exciting feature content from The Debrief on Flipboard, and Pinterest. And subscribe to The Debrief YouTube Channel to check out all of The Debrief’s exciting original shows: The Official Debrief Podcast with Michael MataluniDEBRIEFED: Digging Deeper with Cristina GomezRebelliously Curious with Chrissy Newton