Code In Huge Ransomware Attack Written To Avoid Computers That Use Russian, Says New Report (nbcnews.com)
The computer code behind the massive ransomware attack by the Russian-speaking hacking ring REvil was written so that the malware avoids systems that primarily use Russian or related languages, according to a new report by a cybersecurity firm. NBC News reports: It's long been known that some malicious software includes this feature, but the report by Trustwave SpiderLabs, obtained exclusively by NBC News, appears to be the first to publicly identify it as an element of the latest attack, which is believed to be the largest ransomware campaign ever. "They don't want to annoy the local authorities, and they know they will be able to run their business much longer if they do it this way," said Ziv Mador, Trustwave SpiderLabs' vice president of security research.
Trustwave said the ransomware "avoids systems that have default languages from what was the USSR region. This includes Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Romanian, Russian Moldova, Syriac, and Syriac Arabic." In May, cybersecurity expert Brian Krebs noted that ransomware by DarkSide, the Russia-based group that attacked Colonial Pipeline in May, "has a hard-coded do-not-install list of countries," including Russia and former Soviet satellites that mostly have favorable relations with the Kremlin. In general, criminal ransomware groups are allowed to operate with impunity inside Russia and other former Soviet states as long as they focus their attacks on the United States and the West, experts say. Krebs noted that in some cases, the mere installation of a Russian language virtual keyboard on a computer running Microsoft Windows will cause malware to bypass that machine.
Favourable relations with the Kremlin? (Score:1)
I have my doubts.
Looks more like a list of former socialist shitholes they know they can't ransom a lot of money from because their beloved Soviet Union raped those economies so hard they're beyond repair for the next century.
In Russia (Score:3)
Re: (Score:3)
Yes, I expect that the explanation is that if they were crashing computers in Russia, Putin would come down hard on the hackers, but as long as they only crash computers outside the Russian circle, he doesn't care (or is even supportive).
Re: (Score:3)
That assumes Putin has significant internal control over Russia. Reality is the opposite. That's why local governments in Russia openly defy Putin's federal decrees as a matter of routine, commonly doing the exact opposite of what's decreed.
Re: (Score:2)
Re: (Score:2)
Go and watch Putin's yearly marathon Q&A sessions. Those are public. They can be divided into two fairly distinct parts. Half is professional reporters asking Putin typical reporter questions. Policy this, reaction to recent event that.
And the other half can be best described as "people from all over Russia coming to Moscow to beg Putin to do something about their local government doing illegal things without caring about Russian Federal law and edicts from the Federal government." And it has been that way for years.
Re: (Score:2)
Because in Russia, Putin is the head of the Federal government. He can do little to nothing about things happening in Russia at the local level. It's not what the Federal government in the Russian Federation does. Their primary responsibilities are national security and foreign policy. It's why he's "a dictator" to us, and a mix between a helpless idol and a pointless moron to Russians. As the Russian saying goes, "Moscow is far away".
Oh please, that's just good old public corruption. It's Putin's friends and supporters doing the dirty deeds so they get a free ride. Say one thing, do another, that's how corrupt societies operate in all countries, including the west.
On the other hand if some of his friends should be inconvenienced by dissension or hacking, see how quickly the perpetrators disappear into a hole somewhere, possibly literally.
Re: (Score:2)
You get to choose between "massive corruption" and "firm central control". One disrupts the other.
Re: (Score:2)
Massive corruption. More so than in Russia. Societal model is pretty much the same too.
What, did you miss your Great Leader's last five years or so of massive campaign of executing local leadership on public TV. You don't even need to ask me. Just ask comrade Xi.
Re: (Score:2)
There is firm control in issues which are in purview of central government. You know, disaster relief, foreign policy, extermination of enemies of the people?
Things like budgetary issues, infrastructure projects, local policing and prosecution? Yeah, central government can't really do anything relevant. Again, refer to comrade Xi's mass purges of local elites over last half a decade or so, which didn't make even a meaningful dent in local Chinese government corruption.
Re: (Score:2)
I've no idea, I'm not a linguist. I'm just expertly fluent in both English and Russian in addition to my native Finnish (NATO level 4 in both). I just rarely make the effort to be as fluent as I can be on message boards. One doesn't employ the same etiquette in a three star Michelin restaurant and a McDonalds. It is quite possible that I used wrong syntax because when I think of content I've heard in Russian, like many people with high level of language fluency in multiple languages I tend to start thinking
Re: (Score:1)
Firstly, the majority of computers in those countries do not have the local language as a primary language. Only a dumbf*ck n00b and his pensioner mom will have it set with native as the primary. Everyone else has English as primary with additional local language support for keyboard and editor as well as local spellcheck. The reason for this is that most western software including the OS itself is not localized correctly and you can barely understand what the f**k does a particula
Re:Favourable relations with the Kremlin? (Score:4, Informative)
Your doubts are correct. Firstly, the majority of computers in those countries do not have the local language as a primary language.
It's not the language, it's the keyboard. If you think people in Russia use English-language keyboards, you've never travelled outside the English-speaking world.
Here's Krebs https://krebsonsecurity.com/20... [krebsonsecurity.com]
"They [the malware programs] simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian."
Re: (Score:1)
Re: (Score:2)
It's not the language, it's the keyboard. If you think people in Russia use English-language keyboards, you've never travelled outside the English-speaking world.
Actually, Russian keyboard uses exactly the same physical layout as the standard US keyboard. If you know the keys' locations, you can use any US keyboard to type Russian once you install the Russian keyboard layout in your favorite OS.
Re: (Score:2)
Almost no one uses English as primary in countries where English isn't commonly spoken. Most of the world is made of countries where English isn't commonly spoken.
Re:More inflammatory speculation (Score:5, Insightful)
What is speculative about a hard-coded list of places where malware will not attack?
Re: (Score:1, Troll)
What is speculative
Authorship. [wikipedia.org] Attribution of cyber attacks is an exceedingly difficult problem. If you aren't sure who sabotaged Natanz [wikipedia.org], you shouldn't be sure about this one either.
Re: (Score:2)
Re: (Score:2)
Saying something is speculation doesn't mean it's not true. It means you don't know whether it's true.
Re: (Score:1)
Re: (Score:2)
What is speculative
Authorship. Attribution of cyber attacks is an exceedingly difficult problem.
Attribution may be difficult, but this article doesn't attribute. It just points out that the malware doesn't install on systems that use Cyrillic. That possibly narrows down the list of where it came from.
Re: (Score:3)
Re: (Score:3)
That possibly narrows down the list of where it came from.
No, that's what's speculative. Nobody would stop you from putting that in a malware you write. Even a small-time criminal with no political affiliations would have motive to use a red herring.
Re: (Score:2)
What is speculative about a hard-coded list of places where malware will not attack?
The speculation is the motivation for the hard coded list.
You can't imagine a Chinese hacker throwing that well-known "signature" into their ransomware attack to throw off investigators?
Re: (Score:2)
The malware was attributed to a specific Russian gang (REvil) well before the existence of this mechanism was publicized. We can argue over why some items on the list were included, but unless you reject the previous attribution, which is consistent with the details of this report, the "speculation" is merely over the degree to which the details of the list are due to (a) convenience of the criminals, (b) desire to not draw home-country attention, and (c) explicit agreements with those countries' attention
Re:More inflammatory speculation (Score:5)
Re: (Score:3)
Seems a bit amateur hour though, I mean why not also block NK, Iran and China, just to add some extra confusion? They aren't going to be getting much money out of those countries anyway, Europe and the US are the cash cows.
Re:More inflammatory speculation (Score:5, Informative)
Not true. Taiwan has its own dialect and experts say it's a misnomer to call all Chinese dialects a single language. I live in China. When I watch movies from Hong Kong, my local friends want subtitles in simplified Chinese. HK and other Cantonese speakers use traditional characters. Taiwan's dialect is also rather distinct but I am not sure which character set they use.
Re: (Score:2)
Windows does include a separate setting for "Chinese (Taiwan)" and accompanying locale settings.
Re: More inflammatory speculation (Score:1)
Re: (Score:2, Offtopic)
It's more complicated than that. Cantonese and Mandarin are different spoken languages, but can use the same ideographs. Taiwan and Hong Kong both use traditional Chinese ideographs, but Taiwan speaks Mandarin while Hong Kong speaks Cantonese. In mainland China, both Mandarin and Cantonese are written using simplified ideographs.
In general, Mandarin grammar is stricter than Cantonese - pretty much any written Mandarin can be read as valid Cantonese, while the reverse is not necessarily true. Th
Re: (Score:2)
Re: (Score:2)
Manchurian is basically a dead language as far as I understand. If you look at it, it's not like Chinese at all. Reminds me more of Arabic languages but I have a feeling it has a bit more of a separate lineage. I am not an expert in languages and I know virtually nil about Manchurian other than that I have never seen it.
Yes, the aspects you mention are a bit more like accent. The example you give is not really part of the local languages such as Sichuan, Shanghai, or Qinghai. I live in Qinghai. The dialect here
Re: More inflammatory speculation (Score:1)
Re: (Score:2)
I think a lot of it's cultural and probably a lot less political. I think with Shanghai and Beijing it perhaps has more of a political nature. However, for groups like Sichuan, it's a lot about just having their own cultural identity. In Sichuan they say, "Hot weather, hot food, and hot girls". There is actually a bit of double play here too where you could even say "spicy girls", as in some areas like Chongqing, the women are known to be very dominant over "their men". Then in areas like Qinghai, the mix o
Re: (Score:2)
Taiwan uses the traditional Chinese charset.
Afaik people who speak Cantonese on China mainland also use simplified Chinese for writing but maybe it's a mixture.
Re: (Score:2)
Everywhere you block is "lost business". You don't block anyone you don't have to.
It's a bit like restricting your advertising. If you're going to make false claims, the only places you don't want to advertise are places that will get you investigated and shut down. Everywhere else is your "market".
Re: (Score:2)
Nah, that is a too convoluted explanation, especially when you consider that some of the languages are the languages of countries Russia had a war with (Georgian, Ukrainian) and others (Romanian, Syriac) have nothing to do with Russia.
My guess is that the ransomware developers simply didn't want to bother with piss poor people.
Re: (Score:3)
Another simple explanation is that its countries of origin of the group members. If I was in a hacking group taking down infrastructure I'd quite like to make sure my friends and family didn't suffer.
Re: More inflammatory speculation (Score:2)
Re: (Score:1)
A lot was also "already known (rather than speculated) about relationships between" Iraq and al Qaeda. Anybody denying it was a goddam Saddam Hussein shill.
Is there any evidence of the relationship between hackers and the Russian secret service? Other governments saying there is evidence while declining to produce that evidence is not evidence at all. Some of us here remember the Iraq invasion of 2003.
Re: More inflammatory speculation (Score:2, Informative)
Re: (Score:2)
More like Russia wants war with world, comrade.
Time to pull a Putin, and turn off the internet pipes into Russia.
So... (Score:3)
You can facefuck Russia by releasing a virus that sets the computer language to English?
Re: (Score:2)
I doubt it. There are quite a few Russians that read (and speak) English passably well.
Re: (Score:2)
I think that what he's suggesting is that if a virus set language to English, then the malware that doesn't install on computers using Russian would now target those computers.
OK, maybe. But the users would notice and fix the problem immediately. (How long would it take for you to notice if your keyboard suddenly was set to Russian?)
Re: (Score:1)
Same way you can facefuck America by releasing a virus that sets the computer language to Spanish, yeah.
Some people will speak it. Most won't.
Re: (Score:2)
You can facefuck Russia by releasing a virus that sets the computer language to English?
Or recoding the ransomware to only attack those hard-coded countries. Someone has given you a weapon that with some mods you can now use.
Why not just write a nice virus (Score:3)
That only selects computers that use Russian?
It seems like there is not enough outrage or "operations" that seem to be targeting the ransomware "gangs", many of which should be falling out of windows or getting harpooned with an umbrella.
Re: (Score:1)
So what could you get from attacking a ransomware gang?
Targets of political, but little financial value, are usually not interesting to criminals. Criminals are not likely to waste their valuable zero day exploits on targets that couldn't possibly net them a profit, unless they're getting paid by someone else, like a state or pri
Re:Why not just write a nice virus (Score:4, Insightful)
You make it sound like it's trivially easy to make someone disappear in a foreign country while also being able to maintain plausible deniability. It's one thing to drone one of your own citizens, or a military commander, which technically is also considered an act of war, but state sponsored execution of foreign nationals on foreign soil usually does not buy you a lot of favours internationally, even if it is against "a common enemy".
As it is the world is largely critical of the USA still having the death penalty, but sure if you want to burn what little good will you have left then execute a death penalty without due process on a foreign national on foreign soil for doing something which wouldn't even qualify for that punishment domestically.
Re: (Score:2)
Personally I'd be much more inclined to designa
Is it hardcoded? (Score:4, Interesting)
Is it hardcoded, or does it audit for the default language setting? Also, if they're getting some sponsorship from Russian government or businesses, it could make sense not to raise harsh questions by simply avoiding the turf of a nation whose president was the former, very competent head of their primary intelligence agency and whose agency engages in assassination.
Virtual Russian keyboard (Score:2)
Re: (Score:2)
Wonder why you felt the need to repeat yourself?
What does Putin think about this ? (Score:5, Interesting)
First: Putin must know that REvil operates on Russian soil. It is likely that the FSB know who they are. Why does he not stop them?
* He does not care, they earn money from other countries, good for the Russian economy.
* He approves, it disrupts mainly Western organisations.
* He encourages REvil, maybe even helps them. For the reasons above
* He provides REvil with a list of targets. The targets help Russian foreign interests
* Some of the attacks contain other payloads and/or exfiltrate interesting information
* Other suggestions please
Similar questions should be asked about other countries from which malware originates, including: China, USA, Israel, ... I find it interesting that the only one where a link to the government is usually made is North Korea - the pretense that other countries do not is laughable.
Re: (Score:2)
I don't think the "income" value of these cybercriminals is that valuable. The net ransom collected is peanuts in terms of foreign income. Much of it probably ends up in non-Russian bank accounts anyway and what gets spent in Russia goes to various organized crime payoffs.
I'd wager Putin values the attacks for their publicity value against Western targets. I'd also guess there is some level of information sharing, either to cybercriminals in terms of pointing out vulnerable targets and almost surely in te
Re: (Score:2)
The soon to be completed Russian pipeline will give Putin a virtual hard currency pipeline back into Russia with the billions of barrels of oil he'll be pumping into Germany, paid for with Euros.
Russia doesn't need $7 million dollar ransoms to keep the country afloat, not when Biden let them finish the pipeline.
Re: (Score:2)
* Other suggestions please
No need. The simple answer is he approves, but then every leader in every nation approves with overwhelming indifference or sometimes little more than lip service when some private party attacks someone not friendly to their regime.
No doubt the USA would react to a breach of Chinese networks by Americans with a public display of "OH No!!!! ... is the camera still rolling? no? Ok lunch, who wants lunch?"
Re: (Score:2)
* Other suggestions please
No need. The simple answer is he approves, but then every leader in every nation approves with overwhelming indifference or sometimes little more than lip service when some private party attacks someone not friendly to their regime.
What you forget is that these are in retaliation of the restrictions the US and allies have put on Putin and his oligarch buddies directly, namely the sanctions that have been escalating since 2014, that is what is really hurting Putin and driving a wedge between him and his cronies.
Russia knows that we know that they know that we know they are behind it. They simply don't care. They want us to know they can apply this kind of soft pressure but in so doing have unwittingly said this is the best they can do
Re: (Score:2)
I'm not forgetting anything. The reason behind them is completely irrelevant as to government indifference to a 3rd party attacking a non-ally in a way not directly linked to the government.
Re: (Score:2)
* He provides REvil with a list of targets. The targets help Russian foreign interests
How great is it that President Biden gave Putin a printed list of targets in the US economy? Of course, Biden wrote "Do Not Attack" across the top, Putin just scratched out the "Do Not" part and handed it to REvil.
Re: (Score:2)
* it's not Russia. Russian isn't used only in Russia. It may be Ukraine or some other former Soviet republic.
Re: (Score:2)
Butthurt Trumpers are doing it because they like Russia and need their help next election.
You understand the extent of proven Russian involvement in the 2016 election was little more than a six-figure Google/Facebook/Twitter ad campaign and a handful of pranksters stirring the pot to rile up Democrat and Republican voters, right?
Inaccurate. The greatest Russian involvement in the 2016 election was hacking into the computers of the DNC. See, for example: https://www.wsj.com/articles/m... [wsj.com]
Here is the text in the indictment:
"The Russian military officer in command of Unit 26165, located at 20 Komsomolskiy Prospekt, Moscow, Russia. Unit 26165 had primary responsibility for hacking the DCCC and DNC, as well as the email accounts of individuals affiliated with the Clinton Campaign." (source: https://www.justice.gov/file/1... [justice.gov] )
Re: (Score:2)
Your quote is a lot worse than inaccurate.
Here is the boss of Crowdstrike admitting they haven't got proof of anything done by anyone
https://www.realclearinvestiga... [realcleari...ations.com]
What does some right wing blog think about this ? (Score:2)
Not sure I give a damn about what some right-wing blog says trying to discredit the Mueller report, but
According to the blog you cite, though, the boss of Crowdstrike said (1) the Russians hacked into the DNC computers, (2) they set up the data to be exfiltrated including the emails to a computer controlled by the GPU, (3) they didn't watch the exfiltration as it happened, but (4) the DNC emails showed up on Wikileaks shortly thereafter.
The blog is full of innuendo and assumptions, but still, it sounds like
Re: (Score:2)
I appreciate that you made the effort to read it, even if not very well. The article is an example of good journalism. We've got a huge problem with that: once somebody has been appointed the bad guy, often with good reason, we'll believe anything bad told about him, and after a while a whole body of myths is built up which takes on a life of its own, often doing damage in new ways whether you have a polarization into two sides or not. This article is about the lack of hard evidence the Crowdstrike boss has admit
Innuendo and cherry picking [Re:What does some...] (Score:2)
I appreciate that you made the effort to read it, even if not very well. The article is an example of good journalism.
No. It's not a reliable source, and it did not link to a reliable source. (That's my main criterion for judging opinion columns that toss out purported facts: do they link to a source of the facts? If they don't, you can count on the fact that they don't actually want you to look at the facts.)
It's an opinion column. Random cherry picking is not "good journalism".
This was an 80-page interview of which the blog post quoted a few lines, and this was only one of many sources of information about the Russian ha
CIA has long been able to fake Russian prints (Score:1, Informative)
Remember when the CIA claimed Russian hacking due to finding "Russian" malware on infected systems? From Vault 7: CIA can customize the "fingerprints" hacks leave behind and make it look like someone else did it. [wikileaks.org]
Any "fingerprint" has long been completely shoddy evidence. Not just because the CIA can put a Russian fingerprint on any hack, but because anyone else can too, because the CIA was so crap with their security that all the "fingerprints" they collected were leaked to hackers and rogue agents
Re: CIA has long been able to fake Russian prints (Score:2)
You're assuming their collection of hacks and fingerprinting are never updated. When one set of hacks becomes public, the flaws are patched. Then they move on to new hacks. Same with fingerprints I imagine.
Why do people still run windows? (Score:1)
We are at war on the cyber front, yet people are still driving around in a Honda Accord rather than a hardened tank.
Yes, Linux and unix variants can still be hacked, but they start out much more hardened. If people could get over the fact that "office" and "exchange" really isn't that big of a deal, and switch, a lot of this pain wouldn't hit them.
Yet in their naiveté, they continue to drive the Honda Accord into battle.
Re: (Score:2, Flamebait)
Perhaps the reason Linux seems immune from these types of attacks is because it is so hard to find a worthwhile target running Linux. You can talk all you want about billions of Android phones or Linux web servers, but until multi-billion dollar corporations start running their accounting systems on a Linux infrastructure, there will simply be no motivation to develop ransomware for Linux.
The fantasy that an open source operating system is somehow intrinsically more secure than a closed source operating syst
Nothing new here (Score:1)
It's been long known that many ransomware strains from Russian gangs can be bypassed by installing (and not even enabling) the Cyrillic keyboard. Great free insurance.
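The language-and-keyboard attributes discussed in the article and in this thread are all ordinary per-user Windows settings. As an added example (not code from the article, Trustwave, Krebs or any commenter), the PowerShell below audits what a machine currently exposes and can add a Cyrillic input layout to the user's language list without changing the display language; it uses the built-in International module cmdlets, and the `ru-RU` default tag is a constructed choice:

```powershell
# Added example: audit a Windows user's locale / input configuration and
# optionally add a Cyrillic keyboard layout. Uses the built-in International
# module (Windows 8 / Server 2012 and later). Not code from the article.

function Get-LanguageAudit {
    # Collect the attributes a defender would want to compare against the
    # "default language" and "installed virtual keyboard" claims in the thread.
    $languages = Get-WinUserLanguageList
    [pscustomobject]@{
        SystemLocale  = (Get-WinSystemLocale).Name          # machine-wide locale
        UICulture     = (Get-UICulture).Name                # current display language
        UserLanguages = $languages.LanguageTag              # e.g. en-US, ru-RU
        InputMethods  = $languages | ForEach-Object { $_.InputMethodTips }  # keyboard layout ids
    }
}

function Add-CyrillicLayout {
    # Adds a language (and its default keyboard layout) to the user's list
    # without changing the display language or the default input method.
    param([string]$Tag = 'ru-RU')   # constructed default; any BCP-47 tag works
    $list = Get-WinUserLanguageList
    if ($list.LanguageTag -contains $Tag) {
        Write-Verbose "$Tag is already in the user language list"
        return
    }
    $list.Add($Tag)
    Set-WinUserLanguageList -LanguageList $list -Force
}

Get-LanguageAudit
```

Note that this only alters the user's input list: the system locale reported by `Get-WinSystemLocale` is unchanged, and the thread itself disagrees on which of these attributes a given sample inspects, so treat this as a cheap extra layer, not a control.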
Re: (Score:2)
I heard that it helps to type some words in Russian from time to time, in Cyrillic letters certainly. Some viruses and malware even self-uninstall after that.
just cut Russia off the root DNS servers (Score:1, Troll)
Re: (Score:2)
World war three is the solution?
Re: (Score:2)
Re: (Score:2)
Brave of you to assume that whoever you sent would get in kicking range before nukes launched from their own side would incinerate them.
Re: (Score:1)
I'm living rent free in Chinese troll's head even outside China related threads. Mom, I made it!
Old fashioned privateering (Score:2)
Re: (Score:2)
US retaliation should be asymmetric (Score:2)
If the US gov would just retaliate with more hacking, this could start an escalation without clear end. Also the victims would be simple citizens instead of the effective criminals.
A better way to handle the situation would be to let some Wikileaks-like network publish private details about Putin's and close oligarchs' assets, and wipe out the hackers' crypto accounts.
Wow, fascinating (Score:2)
So Russian hackers deploy a ransomware attack designed to avoid Russian computer systems - so what? A key part of the ransomware attack strategy is to collect the money and live comfortably. If you blindly attack every nation's computer infrastructure, where will you go to live after you collect the money?
Also, perhaps the possibility that Russian oligarchs would send armed men after you instead of a ransom payment puts Russian computers on the "Do Not Attack" list?
Yes ... (Score:2)
So why is it Russia? (Score:2)
Do They Pay Taxes? (Score:2)
I'm sure there's some kind of tax aka protection money required by Russia and probably the other satellite states in order to "operate with impunity." Part of that is almost certainly the exemption of Russia and those states from attack by the malware. Of course, if Russia wants to attack one of those states (say, Ukraine) then all protections come off for that purpose. There are certainly distinguishing features in addition to language to work with.
Old news (Score:2)
Krebs pointed this out [krebsonsecurity.com] back in May
Dupe (Score:2)
Krebs pointed this out back in May
So did slashdot [slashdot.org].
Looks like I need to (Score:2)
invest in a Russian keyboard (or at least install the drivers for one).
The TL;DR (Score:2)
old news (Score:1)
https://it.slashdot.org/story/... [slashdot.org]
Solution seems easy enough (Score:2)
Re: (Score:3)