Originally, this article was going to be about the DarkSide group breaking up and shutting down shop after losing access to their servers and all their funds (as documented in this post from the Washington Post). But in doing some research, I found out something a bit more interesting that I felt was worth sharing with you, our dear reader.
According to Brian Krebs and our partner Cybereason, DarkSide developed ransomware strains that WON’T install on endpoints if they detect that a Cyrillic virtual keyboard is installed. That’s right, you could potentially save yourself from a costly ransomware infection simply by installing a virtual Cyrillic keyboard on your Windows machine.
Here’s the skinny: the Kremlin apparently couldn’t care less when Russian citizens commit cybercrimes outside their borders. As a student of history, I know that outside of Peter the Great’s attempt to modernize the Russian world and bring it in step with the West, they’ve been pretty insular and untrusting of outsiders. The Russians believe that “they” (meaning we Americans and other Western non-Russians) get what they deserve for the most part.
Simply put, outside of a few friendly nations like those that made up the former Eastern Bloc, the Russians won’t prosecute cybercriminals. To ensure they don’t make some sort of boneheaded mistake, the developers included the failsafe mentioned above. The presence of a Cyrillic virtual keyboard is, in their minds, a good indicator of whether their target is a comrade born of Mother Russia or a “Pindo” (a slur used by Russians to describe Americans and other westerners).
According to the research done by Cybereason, there are 17 countries on the “Do Not Infect” list included in DarkSide’s code. Those countries are:
- Russia
- Ukraine
- Belarus
- Tajikistan
- Armenia
- Azerbaijan
- Georgia
- Kazakhstan
- Kyrgyzstan
- Turkmenistan
- Uzbekistan
- Tatarstan
- Romania
- Moldova
- Syria
All of these countries either belong to the former Eastern Bloc or are personally friendly with Papa Putin and the Kremlin.
Now, we have to note something important here. Installing a virtual keyboard for one or more of the countries listed above is NOT a foolproof way of avoiding a ransomware infestation. The Cybereason blog and the Krebs article both acknowledge this, and we have to as well. There are PLENTY of ransomware strains out there that AREN’T restricted by something as simple as language preference. But if something THAT simple can protect you from the various DarkSide ransomware strains currently circulating, is it worth NOT installing an alternative keyboard? It’s free. It’s easy to install. You don’t have to worry about updates or anything like that.
If you’re tech-savvy, you probably already know how to install such a thing through the settings panel on your computer. If not, the fine folks over at Unit221B, a New York-based cybersecurity investigative firm, have developed a simple script (hosted here on GitHub) that does it for you, simply by clicking on the link provided on the GitHub page.
I only recommend you do that on your personal computer, and not your work machine, at least not before you run the idea by your place of work’s friendly neighborhood IT or InfoSec professional.
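If you (or your IT team) want to confirm whether one of these keyboards is actually registered on a machine, here is one way to check, added as an example and not code from Unit221B, Cybereason or Krebs. It assumes you have saved the output of `reg query "HKCU\Keyboard Layout\Preload"` from the machine; the language IDs are Microsoft's standard numbering, and matching them to the country list above is an assumption of this example.

```python
import re

# Windows language IDs (LANGIDs) for languages tied to the article's list.
# Assumption: this table is supplied for the example, not taken from DarkSide.
LISTED_LANGIDS = {
    0x0419: "Russian", 0x0422: "Ukrainian", 0x0423: "Belarusian",
    0x0428: "Tajik", 0x042B: "Armenian", 0x042C: "Azerbaijani (Latin)",
    0x082C: "Azerbaijani (Cyrillic)", 0x0437: "Georgian", 0x043F: "Kazakh",
    0x0440: "Kyrgyz", 0x0442: "Turkmen", 0x0443: "Uzbek (Latin)",
    0x0843: "Uzbek (Cyrillic)", 0x0444: "Tatar", 0x0418: "Romanian",
    0x2801: "Arabic (Syria)",
}

# One value line of `reg query` output: value name, type, 8-hex-digit layout ID.
VALUE_LINE = re.compile(r"^\s+\S+\s+REG_SZ\s+([0-9A-Fa-f]{8})\s*$")

def preload_layouts(reg_output):
    """Return the keyboard layout IDs found in the saved output, in order."""
    return [m.group(1).upper()
            for m in map(VALUE_LINE.match, reg_output.splitlines()) if m]

def listed_layouts(reg_output):
    """Return (layout ID, language) for each layout whose language is listed."""
    hits = []
    for klid in preload_layouts(reg_output):
        langid = int(klid, 16) & 0xFFFF  # low 16 bits carry the language ID
        if langid in LISTED_LANGIDS:
            hits.append((klid, LISTED_LANGIDS[langid]))
    return hits

# Constructed sample outputs (not captured from a real machine).
WITH_LAYOUT = r"""
HKEY_CURRENT_USER\Keyboard Layout\Preload
    1    REG_SZ    00000409
    2    REG_SZ    00010419
"""
WITHOUT_LAYOUT = r"""
HKEY_CURRENT_USER\Keyboard Layout\Preload
    1    REG_SZ    00000409
    2    REG_SZ    00000407
"""

if __name__ == "__main__":
    for name, text in (("with", WITH_LAYOUT), ("without", WITHOUT_LAYOUT)):
        print(name, listed_layouts(text) or "no listed layout registered")
```

The key is per-user, so run the query under each account you care about.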