It is well known that Russian cybercriminals are sparing businesses in their country in order to benefit from the laissez-faire of the local authorities. This is why some experts suggest that switching your keyboard to Russian would be enough to pass your computer as a Russian device, and therefore be spared by malware.
“Try this weird trick Russian hackers hate.” On May 17, well-known – and sometimes maligned – journalist Brian Krebs posted a bizarre blog post. His idea? Change its keyboard settings on Windows to ‘disguise’ it as a Russian keyboard. The goal? Get detected as a Russian system by malware, often coded in such a way as to spare Russian victims. If the malware detects it is on Russian system, it will not complete its installation, or even uninstall itself. Brian Krebs speculates that disguising the keyboard would abuse this system, and thus provide useful, if imperfect, protection against cyber threats.
Concretely the journalist proposes to deploy the subterfuge in two ways:
- Download (for free) the Windows virtual keyboards in one language of the countries free from Russian malware. Problem: the user risks unintentionally switching their keyboard to Russian (or other) by false manipulations. It’s easy to tip the other way, but it’s a friction that can become painful with use.
- Download a simple script, which applies the Russian registry without actually installing the virtual keyboard. It only applies a surface layer, making no operational change.
Barely published, the article drew powerful reactions. Fabian Wossar, technical director of Emsisoft, the company most mobilized in the response to ransomware attacks, has cracked a long criticism: “Within the ransomware research team, we often joke about what news ‘innovative’ way is going to be presented to us as the next big solution against ransomware. One of the recurring runnings-gags of the last 8 years has recently been transformed into a real recommendation: to change the layout of your keyboard to Russian.“
The researcher explains that a simple superficial change will not satisfy automatic malware detections. “Unless you really want to use your computer in Russian with a Russian keyboard, you will still get attacked,” he says. Importantly, he cautions that this kind of pro-Russian auto-check can be turned off with a single command. As a result, it is enough for the criminals to realize that the name of the company – scattered all over the computer – is not Russian to release their malware on the system, even if the user tries to write in Russian.
In the worst-case scenario, that of a ransomware attack, the keyboard subterfuge would be derisory. Once the malware has entered the system, it is already too late, because there is no reason to stop at a simple keyboard setting. “The hackers behind the ransomware will know everything about your business. They will know quickly and definitively if you are a real Russian company,” concludes Wossar.
Beyond the Keyboard, the Real Russian Question:
Despite this failure, Brian Krebs’ reasoning was based on a truthful observation. Cybercriminal gangs thrive in Russia thanks to the historic laissez-faire of local power. In return, they undertake – implicitly not to victimize the Russian sphere of influence. Concretely, this commitment translates into a list of countries not to attack, translated into technical terms in the code of their malware. We are talking here about the countries of the Commonwealth of Independent States, which brings together 9 of the 15 former Soviet republics (Russia, Azerbaijan, Uzbekistan, Belarus, etc.), of countries which left it at different times (Ukraine, Georgia, Tajikistan) or even from Syria.
As long as a company or a resident of these countries is not affected, the local authorities will never launch an investigation. In return, the Russians almost systematically turn a deaf ear to requests for collaboration from European or American law enforcement agencies.
But the Colonial Pipeline affair, from which Krebs’ reflection started, has for once called into question this mode of operation. And for good reason: the attack on the pipeline operator by the Darkside ransomware gang has led to a new diplomatic streak in already strained relations between the United States and Russia. While US President Joe Biden said there was no sign of Russian power involvement in the attack, he insisted the hackers were operating from Russian territory. Once again, he called on local authorities to intervene to stop the gang’s activity. In the aftermath of his statements, the online traces of Darkside’s IT infrastructure had disappeared: the host of their site reacted – for once – to a request from the authorities.
Because of the victim’s activity, the cyberattack mobilized the highest diplomatic officials, which put Russia in difficulty in its usual letting-go posture. The case had such an impact that major Russian hacker forums banned ransomware topics from their sites, while grumbling about the geopolitical threat attracted by the Darkside attack. They feared a closure orchestrated by the Russian authorities, who usually ignore them, and preferred to show a white paw.
One More Precaution, Although Unnecessary?
Despite criticism of his Russian keyboard subterfuge, Brian Krebs defends his position: “Is there really a downside to taking this simple, free, prophylactic approach? (…) The worst that can happen is that the user accidentally switches their menu options to Russian”. The journalist knows that this precaution will be unnecessary in the vast majority of cases. But for him, the rare incidents where the disguise will work are enough to justify his deployment. Fabian Wossar prefers to recall that we must first highlight the protections with showed effects, such as double authentication .
In short, if it is potentially useful against very basic malware, the keyboard trick is far from the hoped-for “vaccine” against the main Russian malware. But some laugh at the idea with sarcasm: what if to escape Russian cyberthreats, all you had to do was move your business to Russia?