Sometimes, security is all about identifying basic concepts and making them work to your advantage. Taking a moment to step back and look at the bigger picture is always a sane approach. Companies spend hefty amounts in deploying advanced security tools, employee training, patching, and backup programs, but what if cybersecurity risks could be greatly mitigated by simply adding a Russian keyboard layout on your Windows OS?
We have seen this language-based infection exclusion manifesting in almost any piece of malware that originates or is deployed by Russian hacking groups, so it is a valid assumption. As Brian Krebs points out, this applies to the most dangerous ransomware strains out there, including DarkSide, which appears to exclude computers that use the Russian, Azerbaijani, Uzbek, Tatar, Georgian, Ukrainian, Belarusian, Tajik, Kyrgyz, Armenian, and Turkmen languages.
The same applies for REvil, which followed in the footsteps of GandCrab on that matter, so we can safely say that adding the Russian keyboard layout on your machine could significantly lower the chances of having to deal with a nasty ransomware infection. Sure, it would make you feel like you’re succumbing to those actors, but that’s a much better price to pay than millions in ransom, operational disruption, negative publicity, legal trouble, and more.
Of course, not all malware comes with these particular exclusions, so this is not a “jack of all trades” trick. And if more victims start adopting this little trick, actors will certainly scrap the language check from their malware. Or maybe they could employ a different check that still excludes CIS countries, although that would introduce unwanted complexity.
An example of this ability of malware authors to adjust to the defense mechanisms is the fact that virtually all of them now run in sandbox environments. Previously, malware wouldn’t run if it detected signs of running inside a virtual machine in order to avoid analysis. After defenders took note and added fake “VM flags” on Windows, malware authors responded by lifting all restrictions and just letting the malicious software run everywhere.
So, is it worth it to add the Russian keyboard on all the machines of your company or organization? Right now, it certainly wouldn’t hurt if your pride can take it.