The war in Ukraine has brought heightened awareness of and concern about Russia's cyber operations on the global stage, but this is nothing new for the cyber security industry, which has been combating Russian activity for years. As ransomware has increased dramatically in recent years, many of the best-known ransomware campaigns, such as NotPetya in 2017, have been directly tied to the Russian government or its state-sponsored actors.
As cybersecurity professionals analyzed more and more of these samples, several peculiarities in the code base were observed. These oddities appear to be designed to prevent the ransomware from executing if the targeted endpoint is operating in Russia or a Russian-aligned territory. One of the most common ways this manifests is a check for the presence of a Cyrillic keyboard layout on the endpoint itself. These checks are believed to be a safeguard so that cyber criminals do not unintentionally impact the citizens, businesses, or government of the country that is, in effect, providing them with asylum. Security researchers, most notably Brian Krebs, were quick to capitalize on this quirk by pointing out that anyone can install a Cyrillic language pack, and that this could, as a last line of defense, prevent ransomware from executing.
Before considering whether this tactic would work as an appropriate preventative measure, it is worth asking exactly how much ransomware is of Russian origin. Fortunately, the U.S. Government was able to provide exact figures on this. The U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) studied all ransomware incidents targeting the U.S. or its critical infrastructure over a six-month period, January 2021 to June 2021, and determined that 75% of all ransomware-related events were tied to Russia. It should be noted that this sample may be skewed by the current political climate, and that governments or businesses based outside the United States may see different numbers. It is clear, though, that a significant amount of the world's ransomware appears to originate from Russia.
Such a significant percentage of ransomware being Russian in origin raises an interesting question: does impersonating a Russian host by installing a Cyrillic keyboard layout provide effective prevention against ransomware? The short answer is yes, if the ransomware variant in question contains the check for Russian language packs or keyboard layouts; their presence will prevent it from executing. It is imperative to stress that this is not a cure-all for ransomware prevention and will, at best, work for a short period of time.
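For readers who want to try the tactic described above, the following PowerShell snippet is an added example (not part of the original article) that adds a Russian (ru-RU) input language to the signed-in user's language list, leaves the existing default input language untouched, and then lists the installed layouts so the change can be verified. It uses the International module cmdlets that ship with Windows 8 / Server 2012 and later and needs no elevated privileges.

```powershell
# Added example: add a Russian (ru-RU) keyboard layout for the current user
# without changing the display language, then verify what is installed.
# Uses the built-in International module (Windows 8 / Server 2012 or later).

# Current list of input languages for the signed-in user
$languages = Get-WinUserLanguageList

if ($languages.LanguageTag -contains 'ru-RU') {
    Write-Output 'ru-RU input language is already present.'
} else {
    # Append ru-RU; the first entry (the existing default) is unchanged
    $languages.Add('ru-RU')
    Set-WinUserLanguageList -LanguageList $languages -Force
    Write-Output 'Added ru-RU input language for the current user.'
}

# Verify: list every installed input language with its keyboard layout IDs
Get-WinUserLanguageList | Select-Object LanguageTag, InputMethodTips
```

Two caveats a practitioner should keep in mind: the change is per user, so it must be applied to every account that signs in to the endpoint, and it adds an input layout rather than a display-language pack, so a variant that keys on the Windows UI language instead of the installed keyboard layouts would not notice it.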
There are many reasons for this, but the primary one is that the threat actors were already able to achieve code execution on the endpoint, and nothing prevents them from executing any other payload variant. The second is that ransomware authors will adapt once this tactic is adopted at scale. For example, instead of looking for a keyboard layout or language pack, they could look for specific registry keys, of which there are thousands that constantly change with new operating system updates. This is a trivial modification for malware authors to make. Adopting a Russian keyboard layout as a preventative measure is therefore, at best, committing yourself to an arms race in which you hope that your organization and assets are not the first target of a slightly modified variant.
So, what should you do to prevent yourself or your organization from being targeted by ransomware? Follow the same best practices that have been discussed for years: a defense in depth strategy involving a robust security posture with multiple layers and an effective backup and restore solution.