Code in ransomware attack to avoid computers that use Russian
July 12, 2021

by Youpal News Syndication

WASHINGTON — The computer code behind the massive ransomware attack by the Russian-speaking hacking ring REvil was written so that the malware avoids systems that primarily use Russian or related languages, according to a new report by a cybersecurity firm.

It’s long been known that some malicious software includes this feature, but the report by Trustwave SpiderLabs, obtained exclusively by NBC News, appears to be the first to publicly identify it as an element of the latest attack, which is believed to be the largest ransomware campaign ever.

“They don’t want to annoy the local authorities, and they know they will be able to run their business much longer if they do it this way,” said Ziv Mador, Trustwave SpiderLabs’ vice president of security research.

Biden said Tuesday his administration has not yet determined where the latest attack originated. It does not appear to have had a significant disruptive impact inside the U.S., but it is being called the largest ransomware attack in history by volume, having infected some 1,500 organizations, according to security researchers.

The attack was particularly sophisticated, using a previously unknown software flaw — a so-called “zero day” vulnerability — to infect an IT firm, which then infected other IT firms, which in turn infected hundreds of customers.

Trustwave said the ransomware “avoids systems that have default languages from what was the USSR region. This includes Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Romanian, Russian Moldova, Syriac, and Syriac Arabic.”


In May, cybersecurity expert Brian Krebs noted that ransomware by DarkSide, the Russia-based group that attacked Colonial Pipeline, “has a hard-coded do-not-install list of countries,” including Russia and former Soviet satellites that mostly have favorable relations with the Kremlin.

In general, criminal ransomware groups are allowed to operate with impunity inside Russia and other former Soviet states as long as they focus their attacks on the United States and the West, experts say.

Krebs noted that in some cases, the mere installation of a Russian language virtual keyboard on a computer running Microsoft Windows will cause malware to bypass that machine.
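The language check described in the Trustwave quote above and in Krebs' keyboard observation leaves a footprint that an analyst can look for during triage: a sample that queries the host locale and then compares the result against a list of language identifiers. The Python below is an added example written for this article, not code from Trustwave, NBC News or any malware family. It assumes the analyst has a byte blob of strings and code extracted from a sample, looks for the real Win32 locale APIs (GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetKeyboardLayoutList and related calls) and for the Windows LANGID constants of the languages the report names encoded as immediates of an x86 CMP instruction. The LANGID values come from Microsoft's language identifier table ("Syriac Arabic" has no single LANGID and is left out), and the sample blobs are constructed for the demonstration.

```python
"""Triage heuristic: does a sample appear to check the host language before
running?  Added example for this article; the blobs below are constructed."""
import struct

# Real Win32 API names that return the host's language or keyboard layouts.
LOCALE_APIS = (
    b"GetSystemDefaultUILanguage",
    b"GetUserDefaultUILanguage",
    b"GetSystemDefaultLangID",
    b"GetUserDefaultLangID",
    b"GetKeyboardLayoutList",
)

# Windows LANGID values (primary|sublanguage) for the languages the
# Trustwave report lists.  Values from Microsoft's LANGID table; "Syriac
# Arabic" is omitted because it has no single identifier.
AVOIDED_LANGIDS = {
    0x0419: "Russian", 0x0422: "Ukrainian", 0x0423: "Belarusian",
    0x0428: "Tajik", 0x042B: "Armenian", 0x042C: "Azerbaijani (Latin)",
    0x082C: "Azerbaijani (Cyrillic)", 0x0437: "Georgian", 0x043F: "Kazakh",
    0x0440: "Kyrgyz", 0x0442: "Turkmen", 0x0443: "Uzbek (Latin)",
    0x0843: "Uzbek (Cyrillic)", 0x0444: "Tatar", 0x0418: "Romanian",
    0x0818: "Romanian (Moldova)", 0x0819: "Russian (Moldova)", 0x045A: "Syriac",
}


def find_locale_apis(blob: bytes) -> set:
    """Locale-query API names present as ASCII strings in the blob
    (UTF-16 imports are not handled by this simplified heuristic)."""
    return {api.decode() for api in LOCALE_APIS if api in blob}


def find_langid_compares(blob: bytes) -> dict:
    """Avoided LANGIDs that appear as the immediate of an x86 compare:
    3D imm32 (cmp eax, imm32) or 66 3D imm16 (cmp ax, imm16).
    Requiring the opcode as well as the constant keeps a bare 2-byte value
    from matching random data."""
    found = {}
    for langid, name in AVOIDED_LANGIDS.items():
        cmp_eax = b"\x3d" + struct.pack("<I", langid)
        cmp_ax = b"\x66\x3d" + struct.pack("<H", langid)
        if cmp_eax in blob or cmp_ax in blob:
            found[langid] = name
    return found


def triage(blob: bytes, min_langids: int = 2) -> dict:
    """Flag the sample when a locale API and several avoided LANGID
    compares are both present.  min_langids is a tunable threshold."""
    apis = find_locale_apis(blob)
    langids = find_langid_compares(blob)
    return {
        "apis": sorted(apis),
        "langids": langids,
        "verdict": bool(apis) and len(langids) >= min_langids,
    }


# Constructed sample: import names followed by a chain of compare/jump pairs.
SUSPECT_BLOB = (
    b"\x00GetSystemDefaultUILanguage\x00GetKeyboardLayoutList\x00"
    + b"\x3d\x19\x04\x00\x00\x74\x10"   # cmp eax, 0x0419 ; je skip
    + b"\x3d\x22\x04\x00\x00\x74\x09"   # cmp eax, 0x0422 ; je skip
    + b"\x66\x3d\x23\x04\x74\x04"       # cmp ax, 0x0423  ; je skip
)
# Constructed benign sample: ordinary file APIs, no locale query.
BENIGN_BLOB = b"\x00GetSystemMetrics\x00CreateFileW\x00WriteFile\x00"

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_BLOB), ("benign", BENIGN_BLOB)):
        print(label, triage(blob))
```

Run as a script, the suspect blob is flagged with Russian, Ukrainian and Belarusian identified, while the benign blob is not. On a real sample you would feed the extracted strings and code sections in rather than the constructed blobs, and a hit only tells you the check is present, not which family the sample belongs to.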

The Biden administration is trying to harness global support to pressure Russia and its neighbors to crack down.

This content was originally published here.
