[HN Gopher] Many ransomware strains will abort if they detect a ...
___________________________________________________________________
Many ransomware strains will abort if they detect a Russian
keyboard installed (2021)
Author : air7
Score : 142 points
Date : 2025-06-29 18:29 UTC (4 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| pogue wrote:
| I wonder if this is still actually the case after Brian Krebs
| announced it to the world in 2021.
| throwaway48476 wrote:
| It has always been this way and will continue to be. Russia
| along with North Korea consider ransomware to be legitimate
| economic activity. It's part of their hybrid warfare strategy.
| MangoToupe wrote:
| That doesn't really say much about the specific behavior of
| using a Russian keyboard as a signal.
| 0manrho wrote:
| Well yeah, because that's not what the person they were
| replying to was asking about. They were asking a "when"
| question of sorts, tangential to the root topic, not a why.
| antonymoose wrote:
| It is a fail-fast strategy to avoid internal prosecution
| for accidental attacks on fellow citizens.
| NoOn3 wrote:
| I don't think this is done on purpose at the state level in
| Russia or China. It's just that sometimes governments don't
| pay attention to those who do it if this is done in relation
| to somehow unfriendly countries. But the US also uses hacking
| for hostile purposes. For example, Stuxnet and some other
| cases. Yes, it's not ransomware, but the difference is not
| that huge. Western-backed countries like Ukraine are also
| doing the same. Anyway, just use Linux and you'll be fine for
| a while.
| ttul wrote:
| If you make your machine look like a malware execution sandbox, a
| lot of malware will terminate to avoid being analyzed. This is
| just part of the cat and mouse game.
| ronsor wrote:
| Put VirtualBox strings in your firmware :)
| tripplyons wrote:
| Yes, and don't forget to install the VirtualBox guest
| extensions in your host machine to make it look even more
| like a VM!
| thrtythreeforty wrote:
| Is there any downside to unironically doing this? Seems
| like it'd actually work.
| DelaneyM wrote:
| It's not much harder to just harden your system to not be
| vulnerable in the first place, and that protects you
| from a lot more.
| ronsor wrote:
| Please tell me what tools you use to receive future
| zero-day vulnerability patches.
| danielschreber wrote:
| Wikipedia's page on "just intonation" is, oddly, about
| music.
| Melatonic wrote:
| Agreed - like using a non admin account.
| general1726 wrote:
| Time to install Ghidra on every station
| rzzzt wrote:
| It was mentioned in the other front page article, I guess this
| is where we got this submission from:
| https://news.ycombinator.com/item?id=44413185
| Melatonic wrote:
| Most windows servers are virtualised these days so I'm not sure
| this would work anymore. It might look at other indicators
| though
| thaumasiotes wrote:
| > If you make your machine look like a malware execution
| sandbox, a lot of malware will terminate to avoid being
| analyzed. This is just part of the cat and mouse game.
|
| What? This is an _entirely separate concern_. If you have a
| Russian input method installed, malware will terminate to avoid
| legal repercussions.
| gmargari wrote:
| 2021
| e_y_ wrote:
| I wonder if Ukraine has been removed from the exclusion list
| since then. A quick Google search says that the keyboard
| layouts are different from Russian keyboards.
| Melatonic wrote:
| I was thinking the same thing.
|
| Seems like the safest would be standard Russian keyboard
| layout (or maybe just adding the reg keys mentioned)
|
| Also makes me wonder if installing a specific Chinese
| keyboard could have the same effect (for Chinese made
| ransomware or maybe even North Korean). Or perhaps they do
| other checks?
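The comments above ask what a layout check actually sees on a given machine. As an added PowerShell example, not from the Krebs article or from any commenter, this audits the keyboard layouts registered for the current Windows user from the same two places Windows keeps them, so an administrator can verify whether a Cyrillic layout is really installed. The id-to-name table and the set of "Cyrillic" language ids are assumptions for illustration; the script assumes Windows 10/11 with the built-in International module.

```powershell
# Added example: audit installed keyboard layouts for the current user.
# Layout ids are 8 hex digits; the low 4 digits are the language id
# (e.g. 00000419 -> 0419). The map below is illustrative, not exhaustive.
$layoutNames = @{
    '0409' = 'English (United States)'
    '0419' = 'Russian'
    '0422' = 'Ukrainian'
    '0423' = 'Belarusian'
}
# Language ids this audit treats as Cyrillic layouts (an assumption).
$cyrillicLangIds = '0419', '0422', '0423'

function Get-PreloadLayouts {
    # HKCU\Keyboard Layout\Preload holds one string value per installed
    # layout, named "1", "2", ... in the order the user sees them.
    $key = 'HKCU:\Keyboard Layout\Preload'
    if (-not (Test-Path $key)) { return @() }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name }
    foreach ($p in $props) {
        $langId = ([string]$p.Value).Substring(4)   # low word = language id
        $name = if ($layoutNames.ContainsKey($langId)) { $layoutNames[$langId] } else { 'other' }
        [pscustomobject]@{
            Order      = [int]$p.Name
            LayoutId   = $p.Value
            LanguageId = $langId
            Name       = $name
        }
    }
}

function Get-InputMethodTips {
    # Same information from the user language list; each tip is "<lcid>:<layoutid>".
    foreach ($lang in Get-WinUserLanguageList) {
        foreach ($tip in $lang.InputMethodTips) {
            [pscustomobject]@{ Language = $lang.LanguageTag; InputMethodTip = $tip }
        }
    }
}

function Test-CyrillicLayoutPresent {
    param([object[]]$Layouts)
    # True when at least one installed layout uses a language id in $cyrillicLangIds.
    foreach ($l in $Layouts) {
        if ($cyrillicLangIds -contains $l.LanguageId) { return $true }
    }
    return $false
}

$layouts = @(Get-PreloadLayouts)
$layouts | Format-Table -AutoSize
Get-InputMethodTips | Format-Table -AutoSize
"Cyrillic keyboard layout present: $(Test-CyrillicLayoutPresent -Layouts $layouts)"
```

Run it as the user whose session you want to check; Preload is per-user, so a layout added under one account says nothing about another.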
| bozhark wrote:
| Could check month/date/time formats
| Melatonic wrote:
| Wouldn't that exclude a ton of countries though? Russia
| covers a lot of time zones.
| Melatonic wrote:
| The best anti malware on any version of Windows has always been
| to make your default account you use everyday a non admin
| account.
|
| You also need to create a separate account (can just be a local
| account) that is a full administrator. Make sure you use a
| different password.
|
| Anytime you need to install something or run PowerShell/CMD as
| admin it will popup and ask for the separate login of the admin
| account. This is basically the default of how Linux works (sudo).
| It's also how any competent professional IT department will run
| Windows.
|
| If an admin elevation popup happens when you haven't triggered it
| then you probably know something is wrong. And most malware will
| not be able to install.
|
| Another benefit is that you can use a relatively normal (but
| obviously not too short) password for your regular account and
| then have something much more complicated for the admin login.
| This is especially great on something like "Grandma's PC" or
| anyone who is at higher risk of clicking on the wrong thing.
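One way to set up the split this comment describes, as an added PowerShell example that is not from the thread: it creates a separate local administrator with its own password, removes the everyday account from Administrators only after the new admin is confirmed to be in the group, and checks that UAC will prompt a standard user for credentials rather than silently deny. The account name is a placeholder; it assumes Windows 10/11 with the LocalAccounts module and must run from an elevated prompt.

```powershell
# Added example: everyday account as standard user, separate admin for elevation.
$adminName = 'LocalAdmin'      # placeholder name for the elevation-only account
$dailyName = $env:USERNAME     # the account that stays the everyday login

function Test-LocalAdmin {
    param([string]$Name)
    # True if $Name is a direct member of the local Administrators group.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -like "*\$Name" })
}

function New-SeparateAdmin {
    param([string]$Name)
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "$Name already exists; leaving it alone."
    } else {
        # Read the password interactively so it never lands in a script or
        # shell history; it should differ from the daily account's password.
        $pw = Read-Host -AsSecureString "Password for new administrator '$Name'"
        New-LocalUser -Name $Name -Password $pw -PasswordNeverExpires `
            -Description 'Elevation-only administrator' | Out-Null
    }
    if (-not (Test-LocalAdmin -Name $Name)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Name
    }
}

function Remove-DailyAdminRights {
    param([string]$Name, [string]$AdminName)
    # Never leave the machine without a working administrator: refuse to
    # demote the everyday account unless the separate admin is already in place.
    if (-not (Test-LocalAdmin -Name $AdminName)) {
        throw "$AdminName is not an administrator; refusing to demote $Name."
    }
    if (Test-LocalAdmin -Name $Name) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Name
        $inUsers = Get-LocalGroupMember -Group 'Users' |
            Where-Object { $_.Name -like "*\$Name" }
        if (-not $inUsers) { Add-LocalGroupMember -Group 'Users' -Member $Name }
    }
}

function Test-UacPromptsForCredentials {
    # EnableLUA = 1 means UAC is on. ConsentPromptBehaviorUser 1 or 3 means a
    # standard user gets a credential prompt; 0 means elevation is auto-denied,
    # which would break the "popup asks for the admin login" workflow.
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $k
    return ($v.EnableLUA -eq 1) -and ($v.ConsentPromptBehaviorUser -in 1, 3)
}

New-SeparateAdmin -Name $adminName
Remove-DailyAdminRights -Name $dailyName -AdminName $adminName
"$dailyName is admin: $(Test-LocalAdmin -Name $dailyName)"
"$adminName is admin: $(Test-LocalAdmin -Name $adminName)"
"UAC prompts standard users for credentials: $(Test-UacPromptsForCredentials)"
```

Log out and back in after demotion so the everyday session's token no longer carries the Administrators group.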
| Phurist wrote:
| Or you know... just use Linux
| jay_kyburz wrote:
| I've got a snap installed, I think it's for the google
| command line tools. It will quite often at random times pop
| up a window in KDE asking for the admin password, and there
| is nothing in that window that tells me what or why the admin
| password is needed.
|
| Decided it was a risk to just be typing the admin password
| whenever a random popup asked me to, so disabled all snap
| automatic updates.
| floundy wrote:
| Every couple of years I give daily driving Linux a try. I
| still find that old joke about "Linux is only free if your
| time is worth nothing" to be quite apt.
| sdoering wrote:
| I switched to Ubuntu "skinned" with Omakub a few months
| ago. Never looked back. Work with Windows on my work
| machine and use my *nix box as my daily dev driver and
| machine for surfing the net, doing emails and documents. I
| actually use it for nearly everything except vector
| graphics/dtp & images, as I am still too used to the
| affinity suite.
|
| Will try out Omarchy just for the fun of it - not that I
| expect it to become my daily driver.
|
| But - depending on your needs - I think Linux can be on par
| (for me it is way better, longer battery life, better
| configuration, better tools, smoother workflows, but YMMV).
| pkulak wrote:
| Do you mind elaborating a bit on what went wrong? Like,
| were you installing on a recent MacBook, or something else
| not well supported? In my experience, installing and
| running a popular distro is absolute cake. Easier than
| Windows, even, since you aren't forced to create cloud
| accounts and answer a million privacy questions; you
| basically install then boot right into your new desktop.
| floundy wrote:
| Used it on various devices. A Dell laptop (with power
| switching between dedicated and iGPU, what a nightmare
| that was for Linux display drivers), a desktop I built
| myself, a Raspberry Pi running RPi OS.
|
| I find most things fine in Linux and I'm fairly
| comfortable with the terminal. However it's the 10% or so
| of things that are very cumbersome in Linux but instant
| in Windows/Mac that drive me away.
|
| Example: There is no Google Drive client for Linux. Spend
| an hour dorking around in rclone and get it set up and
| working with bidirectional sync. The token still expires
| weekly and needs to be renewed. Yeah, I get a potential
| solution is "don't use Google Drive" but the little
| projects to get my current workflow functioning on Linux,
| or change my workflow to fit Linux's constraints, end up
| adding up into a bunch of wasted time.
| tokai wrote:
| >There is no Google Drive client for Linux
|
| What? Google accounts have been a thing in Gnome for
| years. You have Google Drive access right in Nautilus.
| floundy wrote:
| Not for ARM.
| ekianjo wrote:
| If you use a distro built on GNOME, ARM or not does not
| matter
| tokai wrote:
| Almost all distros have an ARM version. KDE can also
| handle online services such as google drive. There are
| also a couple of other projects to deal with it if you
| don't like KDE or Gnome. What you claim is trivially
| untrue.
| zahlman wrote:
| Have you tried just using it in browser?
| NoOn3 wrote:
| But if this is your first time using Windows or Mac, you
| will also need time to get used to it. I've tried using a
| Mac, and so far I'm not used to it. :)
| fredfish wrote:
| Every few years someone forces me to use Windows and I find
| that my data is apparently worth nothing since it being one
| giant anti-pattern wastes my time.
| floundy wrote:
| I agree, I switched to Mac last fall with the incessant
| Windows 10 popups that my CPU is not supported and I
| can't upgrade to Windows 11, so buy a new PC chump or
| you'll be EOL! Okay, I bought a new PC Mr. Nadella, it
| just doesn't run Windows.
|
| That ended up being the last straw in a long line of
| complaints with data privacy and things being forced on
| me in Windows. Somehow that stupid Bing toolbar would
| constantly re-enable itself and re-appear on my desktop
| after every update despite being disabled everywhere I
| could find a setting for...
| fredfish wrote:
| I wasn't very happy with Apple's bizarre UI or out of
| date libraries.
|
| The easiest way to make an OS with ideal support on one
| platform is to only support Apple's hardware instead of
| the PC cosmos, so I will be interested if Asahi getting
| the relatively little resources it needs will gradually
| make it the least waste of time choice to use Linux on
| Apple hardware.
| Taek wrote:
| I don't find it to be that way at all. I've used Debian as
| my daily driver for almost 10 years and I spend maybe... 30
| minutes per year dealing with setup and configuration and
| stuff?
|
| Much less than I needed to back when I mainly used Windows.
|
| Sure, there's a learning curve. But Windows has a learning
| curve too, you just already climbed that hill.
| II2II wrote:
| Judging from the rest of the thread, they were referring
| to setup and configuration. For the most part, I consider
| this to be one of the strengths of Linux.
|
| On the other hand, the operating system is the means
| rather than the end to most people. If a person is
| transitioning from Windows to Linux, they will probably
| have a substantial number of new programs to learn in the
| process. That is going to factor into most people's
| impressions of the operating system as a whole.
| II2II wrote:
| I don't know what your use case is, so what I'm about to
| say may not be relevant.
|
| When you're making the transition from one operating system
| to another, there is going to be an investment of time. It
| doesn't matter whether you are moving from Windows to Linux
| or from Linux to Windows. When it comes to getting things
| done, each operating system is going to have its own
| strengths and weaknesses. Our attention is going to be
| drawn towards the weaknesses of what we are trying out
| because that is what we are going to spend the most time
| addressing. Our attention is going to drift away from the
| weaknesses of what we are familiar with since we have long
| since learned to circumvent or ignore them.
|
| What I am suggesting is that I would spend as much time
| learning how to daily drive Windows as you would learning
| how to daily drive Linux. Unfortunately, I cannot draw upon
| quips like "Windows is only free if your time is worth
| nothing" since Windows is not free. I have a copy of
| Windows 11 Professional that cost significantly more than
| any given component of the computer it runs on.
| pogue wrote:
| I would recommend giving Linux Mint a try. It's very newbie
| friendly with a desktop like environment of Windows,
| automatic backup creation, and a store to install pretty
| much any software you need from. I got my elderly parents
| to try it & they were both able to figure it out quite
| quickly!
|
| I also hear good things about ZorinOS as it's built as a
| full fledged Windows alternative with built-in WINE to run
| native Windows apps in
|
| You can play with them both at this link without having to
| install anything:
|
| https://distrosea.com/
| EvanAnderson wrote:
| There's nothing magical about the Linux security
| architecture, when it comes to malware, aside from abysmal
| Linux market share. If it were popular it would be targeted.
|
| That's not to say there's no value. It's a case of security
| by obscurity, at best. The Unix security model is much more
| simplistic than Windows NT. Everybody disables SELinux so
| there's no meaningful capabilities functionality.
|
| Assuming you actually do run malware, all your user account's
| data on a Linux machine ends up being just as vulnerable to
| exfil or ransom as if you're running Windows as a limited
| user.
| gerdesj wrote:
| "Everybody disables SELinux"
|
| That implies you are probably using a RH jobbie. With no
| working whatsoever, I assert that many more Linux desktops
| will be rocking apparmor or no kernel security module.
|
| Oh and no I don't disable SELinux, except as a quick check
| to see if that is what is causing issues. Obviously I'm not
| everyone, but I am someone.
| EvanAnderson wrote:
| I haven't used desktop Linux in a number of years, but
| back when I did I'd see disabling SELinux as a common
| recommendation. I hope things are getting better.
|
| On the Linux application hosting front the majority of
| vendor-supported garbage I have the displeasure of
| supporting that runs outside of Docker disables SELinux
| as a matter of course.
| johanneskanybal wrote:
| Right tool for the job. Linux for deploying stuff to, Linux
| or mac for working on the stuff you'll deploy. Windows for
| games and everyday use. They're all superior in their
| category and it's too obvious to spend time arguing about.
| cynicalsecurity wrote:
| You don't need Windows for games since ages. Steam games
| run on Linux.
| ekianjo wrote:
| You can game on Linux for many years now. Windows is mostly
| mandatory if you play multiplayer games with anticheat
| charcircuit wrote:
| Linux ransomware does not require root.
| cortesoft wrote:
| There are many reasons someone might have to use Windows. I
| have a Windows box because a number of games I play don't
| support Linux, even with WINE and Proton.
| KronisLV wrote:
| I found that ProtonDB is quite helpful in figuring out how
| many games will or won't run well:
| https://www.protondb.com/
|
| You can even log in with Steam and get the summary for your
| exact library, for anyone curious.
| NexRebular wrote:
| > Or you know... just use Linux
|
| ...where namespaces provide excellent technology for hiding
| malware making Linux one of the best platforms to turn into an
| evil host.
| noisem4ker wrote:
| It sounds like you just described what User Account Control
| (UAC) has been doing since Windows Vista (2006).
| EvanAnderson wrote:
| There are UAC bypasses. Microsoft has repeatedly stated that
| UAC isn't actually a security boundary. It's better to run a
| daily driver account as a limited user and only elevate when
| you overtly need it. (It's even better to use a separate
| login, as opposed to "Run As...".)
| Lwerewolf wrote:
| Aren't most UAC bypasses relying on the fact that UAC by
| default isn't "full sudo" mode - i.e. it allows certain
| things without prompting?
| Melatonic wrote:
| Exactly - UAC is like a poor man's Sudo and I never really
| got the point of it. There is a reason so many people tried
| to disable it.
|
| Daily driver as limited user should be the Windows default
| even if it makes usability more confusing.
| EvanAnderson wrote:
| > The best anti malware on any version of windows has always
| been to make your default account you use everyday a non admin
| account.
|
| In the early 2000s up thru about 2012 I'd agree with you. Post-
| Vista malware adapted to UAC and now all malware works well as
| a normal user. Any data your normal user can access (local or
| on a remote CIFS server) is fair game for ransomware. Limiting
| administrator rights doesn't do anything to prevent the malware
| from getting at your data.
|
| Persistence has moved to per-user, non-Administrator, too. Of
| course, all the various quasi-malicious customized versions of
| Chrome that end users inevitably install when they go searching
| for software to end-run their IT departments operate the same
| way.
|
| I do think your daily driver Windows users shouldn't have
| administrator rights. It just isn't going to help much with
| malware.
|
| I use physically separate boxes for my most sensitive
| activities (banking, mainly) but you could do nearly as well
| having separate non-admin Windows logons and compartmentalize
| your access to data you don't want ransomed. Isolation between
| different user accounts on Windows is actually fairly good.
| Just limit the common data the accounts can access.
|
| Personally I've always wanted to use Qubes (and stop using
| physically separate machines) but I haven't taken the time to
| learn their contrivances.
|
| Edit: I should have said "quasi-malicious customized versions
| of Chromium", not Chrome.
| pogue wrote:
| What are these "quasi-malicious customized versions of
| Chrome" you're referring to?
| dfedbeef wrote:
| Edge? (joking)
| Melatonic wrote:
| Confused by that as well - what version of chrome can be
| installed without admin?
| EvanAnderson wrote:
| It cannot. There are malicious third parties who have
| made distributions of Chromium that are fully functional
| browsers, installing in the user's AppData folder w/o
| Administrator rights, that have additional
| "functionality" like exfiltrating browsing history or
| displaying extra t
|
| This is really what any Electron-based app is. It's just
| Chromium running out of the AppData folder. There's a
| whole ecosystem of "shadow IT" software that installs out
| of the AppData folder, meant to end-run IT and central
| control, that functions great w/o Administrator rights.
| EvanAnderson wrote:
| Edit: I should have said "Chromium", not Chrome. They are
| repackages of Chromium, usually with functionality to send
| browsing activity to a third party.
|
| "Wave Browser" is the common one that comes to mind
| immediately. I have several flagged in the "endpoint
| security" software I support, though.
|
| The workflow is: (1) User wants some software functionality
| they don't have, (2) they search-engine using keywords like
| "convert Word to PDF", (3) they find a program that
| promises to do the thing they want, (4) they download it
| and click thru any warnings because they "want the thing",
| and (5) they end up with persistent per-user malware
| installed in their "AppData" folder.
| Melatonic wrote:
| It will help stop the spread quite a bit however (even if it
| can access user local data). There's a reason escalation path
| attacks are still the gold standard (start small and move
| up).
|
| You can also run something like applocker and whitelist all
| the apps you use.
|
| Also instead of separate physical boxes why not just use a VM
| ?
| EvanAnderson wrote:
| > It will help stop the spread quite a bit however (even if
| it can access user local data).
|
| Users should be running limited user accounts for daily-
| driver Windows machines.
|
| Having said that, today's attacks are all about the data.
| It's all about exfil/ransomware/blackmail because there's
| money to be had there. On an individual home user PC
| there's no lateral movement or bigger targets to attack.
|
| I hate to invoke xkcd, but it's true:
| https://xkcd.com/1200/
|
| > You can also run something like applocker and whitelist
| all the apps you use.
|
| That's a bit overkill for a personal machine and it won't
| be licensed for AppLocker anyway.
|
| AppLocker is also a gigantic pain-in-the-ass on corporate
| machines. My experience with configuring AppLocker for
| anything other than very task-specific computers is that
| it's a huge and unending ordeal of whitelisting, trying
| again, whitelisting more, trying again. Wash, rinse, get
| complaints from end users, repeat.
|
| > Also instead of separate physical boxes why not just use
| a VM ?
|
| Pragmatism. I have a bunch of extra low-spec laptops laying
| around. My machines are, for the most part, cast-off
| customer garbage. I haven't actually spent money on a
| reasonable machine since about 2015. >smile<
| Aachen wrote:
| https://xkcd.com/1200/
|
| It feels bad to post a link-only response but I really don't
| have anything to add to it. On a system used by multiple
| persons, sure, you help prevent that a compromise on sister's
| account immediately impacts mom's and dad's accounts, but that
| qualification isn't in the comment and probably most computers
| that HN readers use are single user. Or on a server, dropping
| privileges speaks for itself. But if you're on a desktop and
| you do online banking in your browser and also open email
| attachments on that computer... Not being admin would only help
| clean up the situation without needing to make a live boot
| (namely, you could theoretically trust the admin user and
| switch to that) but this isn't recommended practice anyway if
| you're not a malware specialist and can make sure it is fully
| gone. I cannot think of any situation where a single user
| desktop system benefits from admin privilege separation
|
| So basically, what the comic conveys
|
| > The best anti malware
|
| Not being admin doesn't prevent malware from running and
| gaining persistence within your user account...
| seb1204 wrote:
| So the mum or grandpa should also use an admin account to
| execute the file they just downloaded?
| Melatonic wrote:
| Most malware I've commonly seen on individuals' computers
| (like the grandma example) comes about when they want to
| install something and use an installer that has it bundled
| with legit software. Or they visit a site that's a shady copy
| of a legit one.
| zahlman wrote:
| > If an admin elevation popup happens when you haven't
| triggered it then you probably know something is wrong. And
| most malware will not be able to install.
|
| Malware can still do a lot without "installation". Running as
| an unprivileged user, it can still do anything to/with the
| filesystem that the user would be able to do, and will (on most
| normal setups) be able to make outbound Internet connections
| without limitation. In short, these kinds of privileges don't
| protect against data exfiltration, ransomware operating on the
| user's important data files, simple vandalism....
| Melatonic wrote:
| This is true but defense is a multi layered approach and even
| the built in Microsoft stuff (like Defender AV) have
| massively improved.
|
| I would argue most malware comes down to uneducated users
| doing the wrong thing - but that's a whole different can of
| worms :-)
| exiguus wrote:
| Usually, private individuals are not the target of ransomware
| attacks by organized criminals. Companies often have to pay a
| lot more money to get their data back. The Petya ransomware is
| a good example of this.
|
| Nevertheless, when you are on any machine as an intruder and
| have normal user rights, you can still actively search the
| machine and network for admin accounts and steal sessions. The
| ultimate goal is to gain Domain Admin rights.
|
| Besides that, it is not necessary to have admin rights to
| delete and encrypt data or to run and hide software.
|
| There are also many ways, besides stealing sessions, to gain
| admin rights, such as through unpatched software, inappropriate
| user rights, zero-day exploits, and social engineering.
|
| A common way to get users to install malware or ransomware is
| to bundle it with useful software that the user wants to
| install.
| eestrada wrote:
| The best anti malware on any version of windows has always been
| to not run windows.
| kevingadd wrote:
| Unfortunately a lot of modern software triggers UAC popups now.
| Games (for anticheat and/or network connectivity), development
| tools (for network connectivity or debugging), updaters for
| stuff that live-updates like Electron apps, etc.
| charcircuit wrote:
| I would find the why more interesting. Is there a common library
| virtually all ransomware uses? Are virtually all ransomware copy
| pastes of each other? Is there a popular forum post detailing the
| trick?
| chisleu wrote:
| There are lots of malware families. Russian hackers, scammers,
| and such are basically celebrated in Russia for attacking the
| west. But they get in big trouble if they screw anything up
| inside Russia. Hence, the "safety mechanism" here.
| charcircuit wrote:
| Yes, but this is a specific safety mechanism, why this is
| over others?
| KnuthIsGod wrote:
| The presence of a Russian keyboard makes it attractive to NSA
| malware..
| exiguus wrote:
| There is evidence that this worked for ransomware like Petya
| and for groups like Fancy Bear or Cozy Bear and Conti. Mostly
| because the Russian gov. unofficially guarantees immunity if the
| target is not Russian. Also, if you identify as Russian or write
| Russian in the chats or mails to them, they will decrypt your
| systems for free.
| userbinator wrote:
| _Also, if you identify as Russian or write Russian in the chats
| or mails to them, they will decrypt your systems for free._
|
| I wonder how that works in this era of AI translation.
|
| Not quite the same but I remember there was a Russian shareware
| author who gave free licenses to Russians.
| ivan_gammel wrote:
| > I wonder how that works in this era of AI translation
|
| Simple translation isn't enough to show cultural proximity.
| Patterns of speech are different. You can try to use AI to do
| the entire conversation, but e.g. Claude will refuse to give
| you exact phrases, since he is correctly assuming it is a
| social engineering attack.
| lelele wrote:
| Do you mean that one can't use AI to learn a foreign
| language in its everyday form?
| atemerev wrote:
| It's not that simple, I think. There are many Russians
| everywhere, and probably they work at victim companies too, so
| just being Russian won't be enough, if ransom could be in the
| millions. You'll have to convince them that the company is
| Russian-owned, or that your father works in FSB, or whatever.
| I_am_tiberius wrote:
| I'd be surprised if there isn't malware that targets specifically
| systems with Cyrillic keyboard enabled.
| Razengan wrote:
| I KNEW keeping a Russian keyboard to type ( ;'D`) would have
| practical uses!
___________________________________________________________________
(page generated 2025-06-29 23:00 UTC)