Cyrillic Keyboard Shields from DarkSide Ransomware

by

May 18, 2021

Originally this article was going to be about The DarkSide group breaking up and shutting down shop after losing access to their servers and all their funds (as documented in this post from the Washington Post). But in doing some research, I found something out a bit more interesting that I felt would be conducive to sharing with you, our dear reader.

According to Brian Krebs and our partner Cybereason, DarkSide developed ransomware strains that WON’T install on end-points if it detects a Cyrillic virtual keyboard is installed. That’s right, you could potentially save yourself from a costly ransomware infection simply by installing a virtual Cyrillic keyboard on your Windows machine.

Here’s the skinny; the Kremlin apparently could care less when Russian citizens commit cybercrimes outside their borders. As a student of history I know that outside of Peter the Great’s attempt to modernize the Russian world and bring it in step with the west, they’ve been pretty insular and untrusting of outsiders. The Russians believe that “they” (meaning we Americans and other, western non-Russians) get what they deserve for the most part.

Simply put, outside of few friendly nations like those who made up the former Easterns Block, the Russians won’t prosecute cybercrime criminals. To ensure they don’t make some sort of boneheaded mistake, the developers included the failsafe mentioned above. The presence of a Cyrillic virtual keyboard is in their mind, a good indicator of whether or not their target is a comrade, born of Mother Russia or a “Pindo” (an slut used by Russians to describe Americans and other westerners).

According to the research done by Cybereason, there are 17 countries on the “Do Not Infect” list included in DarkSide’s code. Those countries are:

  • Russia
  • Ukraine
  • Belarus
  • Tajikstan
  • Armenian
  • Azerbaijan
  • Georgia
  • Kazakhstan
  • Kyrgyzstan
  • Turkmenistan
  • Uzbekistan
  • Tatarstan
  • Romania
  • Moldovia
  • Syria

All of these countries either belong to the former Eastern Bloc or are personally friendly with Papa Putin and the Kremlin.

Now, we have to note something here that’s important. Installing a virtual keyboard for one or more of the countries listed above is NOT a foolproof way of avoiding a ransomware infestation. The Cybereason blog and the Krebs article both acknowledge this and we have to as well. There are PLENTY of ransomware strains out there that AREN’T restricted by something simple as language preference. But if something THAT simple can protect you from the various DarkSide ransomware strains currently circulating, is it worth NOT installing an alternative keyboard? It’s free. It’s easy to install. You don’t have to worry about updates or anything like that.

If you’re tech-savvy, you probably already know how to install such a thing through the settings panel on your computer. If not, the fine folks over at Unit221B a New York-based Cybersecurity Investigative firm have developed a simple script (hosted here on GitHub) that does it for you, simply by clicking on the link provided on the GitHub page.

I only recommend you do that on your personal computer, and not your work machine, at least not before you run the idea by your place of work’s friendly neighborhood IT or InfoSec professional.

Carl Keyser is the Content Manager at Integris.

Keep reading

Strong Cybersecurity Postures: How to Unleash their Power

Strong Cybersecurity Postures: How to Unleash their Power

In the vast digital landscape where virtual dragons and sneaky trolls roam a strong cybersecurity posture has never been more important. Imagine a band of modern-day knights led by our protagonist, Alex. Armed with a trusty laptop and a cup of coffee, Alex navigates...

How to Spot a Phishing Attack in 2023

How to Spot a Phishing Attack in 2023

In 2023 cyber threats lurk behind every tree trunk in today's digital jungle, and cybersecurity awareness is more critical than ever. Among the craftiest of these threats are phishing attacks. Phishing attacks are cunningly engineered with social manipulation at their...