https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/

Krebs on Security

Try This One Weird Trick Russian Hackers Hate
May 17, 2021
57 Comments

In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed -- such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick.

[Image: cis] The Commonwealth of Independent States (CIS) more or less matches the exclusion list on an awful lot of malware coming out of Eastern Europe.

The Twitter thread came up in a discussion on the ransomware attack against Colonial Pipeline, which earlier this month shut down 5,500 miles of fuel pipe for nearly a week, causing fuel station supply shortages throughout the country and driving up prices. The FBI said the attack was the work of DarkSide, a new-ish ransomware-as-a-service offering that says it targets only large corporations.

DarkSide and other Russian-language affiliate moneymaking programs have long barred their criminal associates from installing malicious software on computers in a host of Eastern European countries, including Ukraine and Russia. This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities. In Russia, for example, authorities generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country's borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies.

Possibly feeling the heat from being referenced in President Biden's Executive Order on cybersecurity this past week, the DarkSide group sought to distance itself from its attack against Colonial Pipeline. In a message posted to its victim shaming blog, DarkSide tried to say it was "apolitical" and that it didn't wish to participate in geopolitics.

"Our goal is to make money, and not creating problems for society," the DarkSide criminals wrote last week. "From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."

But here's the thing: Digital extortion gangs like DarkSide take great care to make their entire platforms geopolitical, because their malware is engineered to work only in certain parts of the world. DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) -- former Soviet satellites that all currently have favorable relations with the Kremlin, including Azerbaijan, Belarus, Georgia, Romania, Turkmenistan, Ukraine and Uzbekistan.

The full exclusion list in DarkSide (published by Cybereason) is below:

[Image: excludelang] Image: Cybereason.

Simply put, countless malware strains will check for the presence of one of these languages on the system, and if one is detected the malware will exit and fail to install.

[Side note. Many security experts have pointed to connections between the DarkSide and REvil (a.k.a. "Sodinokibi") ransomware groups. REvil was previously known as GandCrab, and one of the many things GandCrab had in common with REvil was that both programs barred affiliates from infecting victims in Syria. As we can see from the chart above, Syria is also exempted from infections by DarkSide ransomware. And DarkSide itself proved its connection to REvil this past week when it announced it was closing up shop after its servers and bitcoin funds were seized.]

CAVEAT EMPTOR

Will installing one of these languages keep your Windows computer safe from all malware? Absolutely not. There is plenty of malware that doesn't care where in the world you are. And there is no substitute for adopting a defense-in-depth posture, and avoiding risky behaviors online.

But is there really a downside to taking this simple, free, prophylactic approach? None that I can see, other than perhaps a sinking feeling of capitulation. The worst that could happen is that you accidentally toggle the language settings and all your menu options are in Russian.

If this happens (and the first time it does the experience may be a bit jarring), hit the Windows key and the space bar at the same time; if you have more than one language installed you will see the ability to quickly toggle from one to the other. The little box that pops up when one hits that keyboard combo looks like this:

[Image: the Windows language switcher shown by Windows+Space]

Cybercriminals are notoriously responsive to defenses which cut into their profitability, so why wouldn't the bad guys just change things up and start ignoring the language check? Well, they certainly can and maybe even will do that (a recent version of DarkSide analyzed by Mandiant did not perform the system language check). But doing so increases the risk to their personal safety and fortunes by some non-trivial amount, said Allison Nixon, chief research officer at New York City-based cyber investigations firm Unit221B.

Nixon said because of Russia's unique legal culture, criminal hackers in that country employ these checks to ensure they are only attacking victims outside of the country.

"This is for their legal protection," Nixon said. "Installing a Cyrillic keyboard, or changing a specific registry entry to say 'RU', and so forth, might be enough to convince malware that you are Russian and off limits. This can technically be used as a 'vaccine' against Russian malware."

Nixon said if enough people do this in large numbers, it may in the short term protect some people, but more importantly in the long term it forces Russian hackers to make a choice: Risk losing legal protections, or risk losing income.

"Essentially, Russian hackers will end up facing the same difficulty that defenders in the West must face -- the fact that it is very difficult to tell the difference between a domestic machine and a foreign machine masquerading as a domestic one," she said.

KrebsOnSecurity asked Nixon's colleague at Unit221B -- founder Lance James -- what he thought about the efficacy of another anti-malware approach suggested by Twitter followers who chimed in on last week's discussion: Adding entries to the Windows registry that specify the system is running as a virtual machine (VM). In a bid to stymie analysis by antivirus and security firms, some malware authors have traditionally configured their malware to quit installing if it detects it is running in a virtual environment.

But James said this prohibition is no longer quite so common, particularly since so many organizations have transitioned to virtual environments for everyday use.

"Being a virtual machine doesn't stop malware like it used to," James said. "In fact, a lot of the ransomware we're seeing now is running on VMs."

But James says he loves the idea of everyone adding a language from the CIS country list so much that he's produced his own clickable two-line Windows batch script that adds a Russian language reference in the specific Windows registry keys that are checked by malware. The script effectively allows one's Windows PC to look like it has a Russian keyboard installed without actually downloading the added script libraries from Microsoft.
To install a different keyboard language on a Windows 10 computer the old fashioned way, hit the Windows key and X at the same time, then select Settings, and then select "Time and Language." Select Language, and then scroll down and you should see an option to install another character set. Pick one, and the language should be installed the next time you reboot. Again, if for some reason you need to toggle between languages, Windows+Spacebar is your friend.

This entry was posted on Monday 17th of May 2021 10:14 AM under Ransomware, Security Tools.

57 thoughts on "Try This One Weird Trick Russian Hackers Hate"

Progressive45 (May 17, 2021):
How about this trick - don't run your business on Windows software.

  Myopia (May 17, 2021):
  Cute... but currently not a practical solution.

    John (May 17, 2021):
    Care to elaborate?

      hutzlibu (May 17, 2021):
      Because maybe and only maybe, there exists an awful lot of business software which is Windows only?

        David K. (May 17, 2021):
        This old chestnut. I defy anyone to name me some recognizable software that will only run on Windows these days. The only exception to this might be CAD/FEA software, but even AutoCAD has a Mac version these days. If it's something business-specific, developed in-house, then it's likely to be web-based, command-line, or Java, which can be compiled for different platforms. No, Windows continues to exist in big companies because their IT departments can do stupid things like prevent changing the desktop background and the screen lock timeout in the name of "security."

          Tony Beeman (May 17, 2021):
          If it's recognizable software, it's, by definition, probably big enough to be ported to most major platforms. It's the unrecognizable software that makes this a big challenge. Most businesses have a lot of custom software, including legacy stuff. As more and more moves to the cloud, this may change, but most businesses still don't find the expense of converting everything to cross plat to be feasible in a cost-effective way, at least short term.

          JaaD (May 17, 2021):
          It's not like Linux is unhackable. Lots of ransomware comes from successful phishing attempts. Windows is the popular target because it dominates the market, but if Linux became standard there's no reason hackers wouldn't focus their efforts in that direction instead. As long as a user can execute software on their system, this possibility will remain. Especially when, just like with Windows, corporate installations of Linux on desktops would still have lots of systems without the most recent security updates. Linux is more secure, but any appearance of near-invulnerability from end-user installed malware is due to lack of attention from hackers on a minority platform.

            Dianne Skoll (May 17, 2021):
            Yes, Linux is "hackable" but switching to Linux is going to put a much higher barrier in place than adding a Cyrillic keyboard to Windows.

          eM eS (May 17, 2021):
          Even AutoCAD... and who's still using AutoCAD? Even my last employer that still had machines with bubble memory and paper tape readers was using Autodesk Inventor for most mechanical design. Surprise, Inventor is Windows only. The major competition is Solidworks, which is also Windows only.

          Bob (May 17, 2021):
          Amiiiigaaaa

          Timothy J. McGowan (May 17, 2021):
          Define "recognizable." I'm a court reporter. Software from the half-dozen companies that produce our choice of software packages runs only on Windows. Which is a relief, because it took forever to move from DOS. Stenograph.com leases CaseCATalyst, arguably the best-known, most widely used software. EclipseCAT.com leases Eclipse, a very close second, if not first by these days. GSCLion.com leases StenoCAT. Stenovations.com leases digitalCAT. ProCAT.com leases Winner. There may be at least one more that's not coming to mind. A reporter pays their four to five thousand dollars for a lease plus seven to nine hundred dollars a year for support, and we get to run our software on Windows or not at all. This is cutting-edge, amazing software, definitely not legacy stuff. Nor is it developed in-house. It is indeed business specific, but it's definitely not Web- or Java-based. There are roughly 27,000 stenographic court reporters in the United States. Perhaps that's a business opportunity you can mine by being first to market with a 'nix version.

        Dianne Skoll (May 17, 2021):
        I ran a (small... 12-person) company for 19 years on Linux. No Windows at all. It was eminently practical and saved us buckets of money.

  James (May 17, 2021):
  So you're suggesting that all end users make use of Linux workstations?

  Bob (May 17, 2021):
  Because Linux/*nix/Mac OS's/software never get hacked?

    Walletinspector (May 17, 2021):
    Compare #'s anytime, you'll find that a strange brag.

  n00face_IT (May 17, 2021):
  This has and for always will be the most arrogant statement out there. Small business and specialty shops sometimes don't have a choice, and the "perfect" worldview is just blind. "Find another vendor." Sure, let me retrain, and reprogram every piece of software, which would cost us more money over the course of 10 years versus just securing my network. Dumb.

Alex (May 17, 2021):
Good trick Brian! It's a win win. You either get some level of vaccination or screw over some hacker.

  jacksonn (May 17, 2021):
  It's not going to keep your PC 100% safe, but it's better than nothing.

Leann Whitney (May 17, 2021):
Would adding one of these languages on SERVERS which store vital data be enough? Or, would one need to install on all endpoints in order to protect data residing on servers?

  Tim (May 17, 2021):
  The ransomware typically executes on the local workstation and encrypts data that is connected via mapped drives. In that case, putting these settings on servers wouldn't have any effect. That being said, the ease with which someone could deploy these keyboards to every Windows machine in an environment seems to make it a win-win to do it to servers and workstations.

  rory (May 17, 2021):
  @Leann No offense, but if you're asking this, somebody else needs to handle it.

    Michael (May 17, 2021):
    Why is it when people say "no offense" they always go on to say something that is offensive?? Is it just a way to try and make themselves sound less rude than they actually are?

      Phil (May 17, 2021):
      Yes

    Andy (May 17, 2021):
    rory, You may be right but Leann is reading Krebs and trying to make a difference in the position he's been given. Leann, Implementing this via GPO on everything would be one way to handle it. If you aren't sure, deploy everywhere.

      Leann Whitney (May 17, 2021):
      Thanks for your thoughts Andy. I agree, deploying the registry hack via GPO would be pretty easy. Certainly a worthy stop-gap!

    Leann Whitney (May 17, 2021):
    Rory.....I appreciate your "concern". I'm certainly not an information security SME.....but my powers to recognize a jack-ass are quite astute! You might consider keeping your replies productive and/or helpful.

Gnecht (May 17, 2021):
Spasivo! I have to guess at the keyboard layout, though. Over 14 years ago I had 10 days in Ukraine, and I kinda-sorta remember some of the Cyrillic alphabet.

Kallen Web Design (May 17, 2021):
Would using the GoRussian.reg file you linked to have any downsides? Could it confuse a system or a user, or error out when the Russian keyboard is in the registry but not actually installed?

Dale Chapman (May 17, 2021):
Spouse asked an interesting question. Would having one of these keyboards installed on your computer make you subject to further NSA scrutiny, and possible placement on a watch list? I initially dismissed this as her extreme paranoia. She suffers from a condition of believing everything on the internet is true, even if there are conflicting reports. Drives me nuts. However as soon as I said it was unlikely, I retracted my comment, because "you just never know anymore". Maybe one of your readers can provide her, and now me, with some reassurance that this would not be the only possible downside.

  Brian (May 17, 2021):
  The number of people with Russian keyboards installed in the US would be so large as to be an utterly meaningless monitoring metric.

  Fidget (May 17, 2021):
  I don't see why it would. That alone isn't a flag for concern any more than installing an Arabic language, as there's far far too many legitimate use cases that are a total utter and useless waste of resources. The collection methods are based more on sniffing and pattern matching; you have to remember, they're monitoring literal millions already. Machine filtering is what's going to do the bulk heavy work of sifting the data. Now, if you go talking about something like "flying a Cessna into the Sears Tower on May 9th 2013 at 19:21Z", you'll more likely get flagged, irrelevant of what language. I understand there's the principle of "muh privacy!" and that's a heavily debatable topic of "does it matter" (which I'm not getting into, the answer is extremely individualized), but simply changing the language of your computer isn't going to put you onto a watchlist. That's like taking someone into custody because they live next to a corner store that was robbed; there's just nowhere near a viable amount of reason for suspicion. Let's go with the radical assumption they do. Now they're digging through your web traffic history, and trying to build a profile on you. Well, you visited this page and then within a short time after you added a language to your computer. Nothing else of your history is suspicious, you weren't looking up info on refining uranium, how to make methyl-mercury, how to make explosives, or crazy weird suspicious things (I'm assuming). You have zero connection with known high profile targets. You probably haven't talked to anyone else on a watch list. Now they've wasted resources on a dead end, they're going to dismiss you unless you do some really crazy weird stuff that gets you flagged again.

  mealy (May 17, 2021):
  They don't look for piddly sh!t like that at NSA and "decide" to keep tabs on you. Xkeyscore may give you a +1 at most. They don't keep track of all Russians in the world, they keep track of everybody they can see. Being Russian != threat. If you have a specific history or associations or traffic or environment they're interested in, it won't be the language. Either way "they" keep tabs on everything in this ranked criteria way, not just Russians or Chinese or Iranians. I entirely doubt and hope for your sake that your wife is not that interesting to them on any level.

Codin (May 17, 2021):
I feel I need to correct a few things here. First of all, saying Romania has "favorable" relations with Russia is an overstatement to the fullest, given the recent dignitary expulsion game between the two countries. Secondly, what you're picturing there is the "Romanian (Moldova)" keyboard layout, one specifically for the country known as Moldova, so it would easily infect my one Windows device using the "Romanian (Programmers)" keyboard layout; the exclusion solely applies to Moldavians instead.

  Not Johnny (May 17, 2021):
  I second what Codin said. I'm glad someone typed it already so I don't have to.

  A. (May 17, 2021):
  I was going to say the same. Furthermore, to say that Georgia has a friendly attitude towards the Kremlin shows a severe lack of knowledge about recent history (the two countries were briefly at war in 2008, and the present-day relationship between them is still sour). Also, the CIS is not composed of former "Soviet satellites", but of former Soviet republics (i.e. which were part of the USSR). The author of this blog post seems to be quite young and with no memories from before '89.

Ron Schmidt (May 17, 2021):
What of us running on the Mac OS? Is this relevant?

  Bart (May 17, 2021):
  Right. For my family history work, I added keyboard settings on my iMac for a half dozen western European languages. I wonder whether including the other languages mentioned above would help at all?

Steve (May 17, 2021):
The real Win-Win scenario would be if we could change the code in the malware and remove the reference to some of the Eastern European countries. Then Russia would have some skin in the game...

Matt (May 17, 2021):
This is not a "host" of Eastern European countries -- only 3 (and part of Russia) are in Eastern Europe. 8 (and most of Russia) are in Asia.

Jim Wilcoxson (May 17, 2021):
A truly Russian/CIS system will have only a Russian/CIS keyboard, and in the odd case it does have an English keyboard, that will be listed 2nd. It seems rather trivial to me that Darkside would just check to see if the default keyboard is English or Russian. I guess a decent defense might be to reinstall Windows with the Russian keyboard as default and then add English, but I doubt many English-speaking people could navigate a Windows install in Russian.

Fazal Majid (May 17, 2021):
They will start using IP geolocation instead, so this only buys a very brief respite.

xmris (May 17, 2021):
Now that this trick is on the loose, I assume those hackers will "update" their malware to detect the system language of the Windoze.... more safe for their "apps" lol

Paul McCarthy (May 17, 2021):
I worry about our three electric grids being sabotaged by Russia, N Korea or China; they are biding their time as to when it will happen, not if. We are doing nothing about it.

  Texan411 (May 17, 2021):
  Texas is more than capable of destroying its own electric grid without any outside interference except for a winter cold spell (who knew it would get cold in winter?).

orion242 (May 17, 2021):
"hit the Windows key and the space bar at the same time" Should be win + shift, not space.

  BrianKrebs (Post author, May 17, 2021):
  Just tried your solution and nothing happened. Windows + Spacebar works fine.

  Brian Fiori (AKA The Dean) (May 17, 2021):
  Win + shift opens the Windows Start menu by default.

Phil (May 17, 2021):
By that approach, cover all the bases and install Russian, Chinese, Korean and Farsi. Now you just have to worry about offensive software which only affects clients where Russian, Chinese, Korean and Farsi are installed. Or employ the more simplistic solution, don't use Windows. Then keep worrying about the fleshy thing between the monitor and keyboard.

jdmurray (May 17, 2021):
How about Russian Linux/UNIX malware? Is there such a thing and does it use the same check?

Sam (May 17, 2021):
Hoping for some feedback. I installed the registry hack by Unit221B by double clicking on the .reg file with install successful confirmation. I then verified the enclosed keys were added to the registry. Rebooted machine. However, Windows+shift or +space bar do not invoke the pop up/language toggle as suggested. Am I incorrect in assuming that this toggle should be available due to the registry hack only, not actually having the Russian language pack installed?

  BrianKrebs (Post author, May 17, 2021):
  No. As it says in the Github entry, if you use the registry hack then "alt+shift" toggles the language setting. https://github.com/Unit221B/Russian "Double-click the reg file, hit alt-shift to switch between your main keyboard language and Russian."

Jim (May 17, 2021):
Folks should be advised that many of the Microsoft KB advisories for patches or updates mentioned that they will need to be re-installed if additional languages are added. For years many patch advisory documents contained the warning: "Important If you install a language pack after you install this update, you must reinstall this update." So BEWARE that rushing off and adding a language to your Windows systems might have unintended consequences with regards to patches and updates. I'm not sure if security could be compromised, or it will be odd language/localization functional issues.

javajag (May 17, 2021):
Brian, You/we should ask Microsoft to make this part of their Patch Tuesday updates!!

Robert Scroggins (May 17, 2021):
Lots of malware will not work if it looks like it is in a virtual machine once installed. The HitmanPro.Alert AV program takes advantage of this, and upon installation, makes the user's computer look like it is a virtual machine.

Bill Royden (May 17, 2021):
Ukraine hasn't been involved in the CIS since the Maidan coup.

Notme (May 17, 2021):
So they have to change their code; still fun to think they have been inconvenienced a little.

Dianne Skoll (May 17, 2021):
Good idea! Then you'll be hacked by the CIA instead.