Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Security IT

Try This One Weird Trick Russian Hackers Hate (krebsonsecurity.com) 78

Posted by msmash from the closer-look dept.
Brian Krebs: In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed -- such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick. The Twitter thread came up in a discussion on the ransomware attack against Colonial Pipeline, which earlier this month shut down 5,500 miles of fuel pipe for nearly a week, causing fuel station supply shortages throughout the country and driving up prices. The FBI said the attack was the work of DarkSide, a new-ish ransomware-as-a-service offering that says it targets only large corporations.

DarkSide and other Russian-language affiliate moneymaking programs have long barred their criminal associates from installing malicious software on computers in a host of Eastern European countries, including Ukraine and Russia. This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities. In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country's borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies. [...] Here's the thing: Digital extortion gangs like DarkSide take great care to make their entire platforms geopolitical, because their malware is engineered to work only in certain parts of the world.
This discussion has been archived. No new comments can be posted.

Try This One Weird Trick Russian Hackers Hate More

Try This One Weird Trick Russian Hackers Hate

Comments Filter:

  • Advert? (Score:4, Funny)

    by itiswhatitiwijgalt ( 6848512 ) on Tuesday May 18, 2021 @11:02AM (#61396436)
    Why does this sound like one of those spammy adverts you see on CNN's website. It even rhymes.

    "Try This One Weird Trick Russian Hackers Hate"
    "Try This One Trick Doctors Hate to Quickly Loose Weight"

    • First thing I noticed as well. how that got you a -1 i'll have no idea.

      • Re: (Score:2)

        by aitikin ( 909209 )

        itiswhatitiwijgalt's karma is such that every post starts at "-1". This post didn't earn them a -1, they started there due to their other posts...

    • Re:Advert? (Score:5, Insightful)

      by NateFromMich ( 6359610 ) on Tuesday May 18, 2021 @11:11AM (#61396496)

      Why does this sound like one of those spammy adverts you see on CNN's website. It even rhymes. "Try This One Weird Trick Russian Hackers Hate" "Try This One Trick Doctors Hate to Quickly Loose Weight"

      Because they were trying to be funny.

      I guess you weren't in the mood.

    • +1 Funny

    • Agreed, it could had been, adding a Russian Virtual Keyboard can stop a lot of ransomware.
      or Ransomeware will not run on PC with Russian Virtual Keyboards.

      Slashdot isn't getting paid for us to clink the link, so just let us know right away, and give more detail in the summary, and for full detail read the article.

      • Re: (Score:2)

        by ghoul ( 157158 )
        Unless this is really a way to get us to install Russian keyboards which themselves are the ransomware. You want your english keyboard back, pay up.

    • Re: (Score:2)

      by mad7777 ( 946676 )
      Right.... but I think (hope) that was intentional headline humor.

    • Re:Advert? (Score:5, Funny)

      by Applehu Akbar ( 2968043 ) on Tuesday May 18, 2021 @12:22PM (#61396852)

      Apparently there's no Whoosh character on your keyboard.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Tuesday May 18, 2021 @12:45PM (#61396970)
      Comment removed based on user account deletion

      • people have to be told not just that something's intended to be funny, but that they're meant to laugh at it.

        There is a name for this disorder. It is called Humor Impairment [chicagotribune.com].

        • Also: humour is cultural. Can even change with the times. Or there are situations where some people laugh out of embarrassment, were in another culture one would cry.

    • Did you hear a whooshing sound just now?

    • Re: (Score:3)

      by hawk ( 1151 )

      advertisements?

      CNN and practically all other sites across the spectrum have gone to that for what they try to pass as "news" . . .

      "This state {verb}{adverb}. . . "
      "This state has the most {adjective}{noun} "
      "{noun} gets {adjective} with this"

      Generally, they're trying to generate a click for a single piece of information that would have fit entirely in the headline.

      Or

      "{idiot celebrity}'s hack for {dumb action|vain adjective}"

    • "Try This One Trick Doctors Hate to Quickly Loose Weight"

      "Discover The One Word That Causes Nerds To Loose Their Ability To Spell Properly"

    • Whoooosh! Sound of joke going over your head

    • Re: (Score:3)

      by Guignol ( 159087 )
      Try This One Trick Grammar Nazis Quickly loose their temper with

    • It's almost as if [youtu.be]...

  • Hmmm... Can you sense the 'keyboard check?' (Score:5, Interesting)

    by david.emery ( 127135 ) on Tuesday May 18, 2021 @11:03AM (#61396438)

    Could the check for Russian/Ukranian/Cyrillic keyboard be used as a signature for malware?

    • Could the check for Russian/Ukranian/Cyrillic keyboard be used as a signature for malware?

      Not exactly because they are not actually checking for a "Russian/Ukranian/Cyrillic keyboard", they are querying the system keyboard layout. Specifically, they are using querying the keyboard driver (most likely calling GetKeyboardLayout() in User32.dll) either directly or indirectly. However, you could do an end run and check values in HKEY_CURRENT_USER\Keyboard Layout\Preload. They aren't specifically querying, "is this a Russian layout" so programmatically determining what they do with the value is no

      • Thanks!

      • Re:Hmmm... Can you sense the 'keyboard check?' (Score:4, Funny)

        by phantomfive ( 622387 ) on Tuesday May 18, 2021 @04:02PM (#61397636) Journal

        Beyond simple signatures, Windows antivirus engines rely on collective behavioral information so that they can find entirely new threats. This means they have "red flags" (e.g. is it a compressed executable?)

        These "red flags" can't work too well, because I'm pretty sure "encrypting entire hard drive and deleting backups" is a blazing bright flaming red flag and they're not detecting it.

      • Re: (Score:2)

        by jabuzz ( 182671 )

        One potential legitimate reason would be to automatically select the localization of your program to the user. For most programs though this is something you would do at install time not runtime.

    • Re:Hmmm... Can you sense the 'keyboard check?' (Score:4, Interesting)

      by kot-begemot-uk ( 6104030 ) on Tuesday May 18, 2021 @02:40PM (#61397408) Homepage
      First of all, I highly doubt the veracity of the idea. Cyrillic virtual keyboards were a thing in the days of Windows 3.11 and 95/98. People were still using them occasionally in the days of XP, but not any more. The foreign language support in Windows 7,8 and 10 is so good that you do not need any of that crap. Linux dealt with that even earlier.

      Second, checks for installed languages will not work. Once you add up all students of particular languages, immigrants, researchers, etc you get > 10-15% of the population with Cyrillic support installed. Add to that other "countries to avoid" which play role in the flow of criminal funds - namely several latin alphabet Eastern European countries and the Baltic states and the percentage is probably > 20%.

      At the same time, plenty of people in Eastern Europe do not have Cyrillic support installed. Though the people who do not have it installed are probably also those who are least likely to complain.

      IMHO, this whole thing is a red herring. There are more than enough geoip services nowadays for malware to determine which country it is in. It does not need to do "those weird tricks Russian hackers hate".

      • Re: (Score:2)

        by jabuzz ( 182671 )

        Firstly I think you are missing the fact that there are so many marks out there for the ransomware gangs that super accurate detection of location is not necessary. A quick screen of has Russian layout, move on is adequate for their purposes.

        Second what do you do on an air gaped machine? These are juicy targets for ransomware but geoip is not going to help.

  • false flag (Score:3)

    by e3m4n ( 947977 ) on Tuesday May 18, 2021 @11:03AM (#61396440)
    What prevents false flag operations where these malware are reengineered to include eastern european targets but keeping the money flowing to the original hacker groups? Isnt that like one of the oldest military plays in the books? Get your enemies to turn against each other and weaken themselves from the inside? Why has that not been done to get those authorities involved.

    • Re: (Score:2)

      by Wokan ( 14062 )

      Seconded. Can probably piggyback on their own C&C if all you're changing is the language restrictions.

    • Also this could be a signature that other ransomware was already present. The central premise of ransomware is it forces the business to pay to decrypt their own data. If multiple ransom ware are working at the same time, it might be difficult to decrypt the data. Businesses will stop paying if they cannot decrypt the data.

  • I don't think its russian law enforcement .... (Score:5, Insightful)

    by Viol8 ( 599362 ) on Tuesday May 18, 2021 @11:05AM (#61396464) Homepage

    ... they're bothered about. If they accidentaly created a cyberattack on one of the many russian corporations that have more than a passing association with the russian mafia then the hackers future prospects if caught might be rather short and unpleasant.

    • Re: (Score:2)

      by hey! ( 33014 )

      The CIA also has the capability to do unpleasant things. I'm just sayin'.

      • The Russian mafia is basically all the out of work CIA agents embedded in russia who were let go once the USSR fell.

        • Re: (Score:3)

          by gtall ( 79522 )

          You sound alt-left but your comment is so stupid it must be alt-right.

        • There were no CIA "agents" embedded in Russia who stayed there..these would only be assets. Agent has a special meaning in the context of federal agencies and usually with the CIA means "Case Officer."

          • Re: (Score:2)

            by ghoul ( 157158 )
            We were discussing the CIA types who do wetwork. Those arnt agents either. Lets say assets is the correct terminology. The basic idea stays the same

    • Re:I don't think its russian law enforcement .... (Score:5, Interesting)

      by PolygamousRanchKid ( 1290638 ) on Tuesday May 18, 2021 @12:02PM (#61396736)

      It's definitely a mafia thing, but the Russian government has ties to the mafia, and gives "guidance" to the ransomware gangs.

      In the Italian mafia families, there is a "boss" who controls an "area". If you are a small-time criminal operating in the area, you need to get permission of the boss to work in his area. The boss will demand a "taste" or "piece of the action" or a share of your profits. Also, the boss may place restrictions on your operations, like do not rip off old grandmothers or sell drugs to school kids.

      In Russia, Putin is the "Capo die Capi" or "Boss of Bosses". Ransomware gangs are permitted to operate in Russia, as long as they don't attack any Russian institutions . . . or make themselves a public relations liability.

      In the case of DarkSide, hitting a few non-critical companies was OK with Putin. Seriously crippling the gasoline supply on the East Coast of the US brought unwanted attention and has forced this issue onto the global scale, which will now need to be addressed at the upcoming Biden / Putin summit. Neither Biden nor Putin wanted to have to deal with this, as they have enough cats to skin together.

      Mafiosi hate media attention, because it is bad for their business. They like hiding in their shadows. This is why Putin pulled the plug on DarkSide. It wasn't personal . . . it was strictly business.

  • This is like those "Cosmo" articles... (Score:3)

    by JoeDuncan ( 874519 ) on Tuesday May 18, 2021 @11:17AM (#61396530)
    ... "Try This One Weird Sex Trick That Will Really Make Your Man Scream!"

  • There are already plenty of ransomware-as-a-service tech companies leading the market.

    Where's their prospectus?

  • Or maybe...just maybe if people ran their accounts Least Privileged (without Admin credentials)...this whole problem would go away.

    • That would vanish the instant people decided to actually install any sort of software or perform any sort of necessary driver update. The constant warning spam becomes just another EULA Accept box to click before your shit installs.

    • Odds are you have read/write access to whatever data/documents you use on a daily basis. Not having admin rights may keep the ransomware from locking up system files but those aren't what its after. It wants the stuff you use on a daily basis. Getting to the network share where a team stores all of their day to day stuff is plenty, no need to actually mess with the file server itself or even the OS on the workstations.

      Proper backups are the only solution here. But many places don't do them, don't them prope

    • Re: (Score:2)

      by lsllll ( 830002 )
      That doesn't solve any problem. As a non-privileged user, it still have access to all your files read/write and encrypt them. It may not be able to embed itself into the system so that it executes again on the next boot, but it can come up with a warning like "Do not reboot your system or you'll lose your files. Also, if you don't pay me $2 for coffee, you'll lose your files."
      • Installing language software is one neat trick, for sure, but it only adds one more step of actual work for malicious actors to confirm an intended target and then override their built-in fail safe.

  • Smart! (Score:5, Funny)

    by excelsior_gr ( 969383 ) on Tuesday May 18, 2021 @11:34AM (#61396602)

    Step 1: Develop malware that will not attack computers with virtual russian keyboards.
    Step 2: Let the word spread that installing a russian keyboard is a simple measure for avoiding said malware.
    Step 3: Produce virtual keyboard software infested with malware and backdoors.
    Step 4: Watch as users willingly download and install your keyboard malware app.
    Step 5: Profit!

  • Please don't (Score:5, Insightful)

    by campuscodi ( 4234297 ) on Tuesday May 18, 2021 @11:41AM (#61396640)
    Please don't. The advice is stupid: https://twitter.com/fwosar/sta... [twitter.com]
  • Summaries are supposed to Summarise the story. Not be simple a cut and paste of its first paragraphs. Do your job.

  • Based on the first few dozen comments, no one here pays attention to security.

    Otherwise, you'd know who Brian Krebs was. I look at his page every weekday, and have for close to 10 years... but then, until I retired, I was a sr. Linux sysadmin.

  • They are all attacking the west, at will, while here, we go after criminals, wether they attack us or criminal nations like those.
    Time to allow western crackers to go after nations like this.
  • I'll just add both Chinese and Russian to my language list and hope for the best. lol

  • Install Linux.

    They hate it when everyone is actually running a different OS than what their malware targets.

  • Colonial Pipeline ATTACK!!!1!! (Score:4, Informative)

    by CubicleZombie ( 2590497 ) on Tuesday May 18, 2021 @02:58PM (#61397454)

    Hackers shut down the billing system. Management shut down the pipeline because they were afraid they wouldn't get paid [jalopnik.com].

    • Hackers shut down the billing system. Management shut down the pipeline because they were afraid they wouldn't get paid [jalopnik.com].

      Your local fast food joint shuts down if it can't get paid, your gas station shuts down if it can't get paid, your bank shuts down if it can't get paid, the super duper mart shuts down if it can't get paid. I don't know what your truck driver does if you can't get them a paycheck, not much I'd guess. Just to point out the obvious, billing systems are a tad important chief.

      Also, Colonial wants the image of a secure separate network that was totally safe the whole time, but the reality anyone that's ever wo

      • Re: (Score:1)

        by ebvwfbw ( 864834 )

        I bet that guy wants to be paid when he works. It's amazing how people think if it's a company it's no big deal. As if there is a money fairy or something.

Slashdot Top Deals

FORTRAN is not a flower but a weed -- it is hardy, occasionally blooms, and grows in every computer. -- A.J. Perlis

Close