In a Twitter discussion last week about ransomware attacks, KrebsOnSecurity noted that virtually all strains of ransomware have built-in security designed to cover the backs of malware vendors – they just won’t install on a computer. Microsoft Windows which has some virtual keyboards installed (such as Russian or Ukrainian virtual keyboards). In a post, the cybersecurity specialist explained this strange cyber defense trick.

The Twitter thread was brought up during a discussion of the Colonial Pipeline ransomware attack. For the record, the company was the victim of one of the most publicized ransomware attacks in its history, which resulted in the closure of a vital artery used to deliver gasoline and diesel and kerosene from refineries on the coast. from the Gulf of Mexico to distribution points on the east coast. The operators of the Darkside ransomware are believed to be responsible for the attack. Computer firm Secureworks believes that Russia-based criminals (which it dubbed Gold Waterfall) have been operating since August last year as a commission-based affiliate operation, and that they are an offshoot of the famous Revil ransomware team.

“Darkside ransomware appears to have been created independently of REvil or GandCrab, but has several architectural similarities that suggest the author of Darkside is familiar with these families,” Secureworks states in a research review.

KrebsOnSecurity notes that DarkSide and other lucrative Russian-language affiliate programs have long prevented their criminal associates from installing malware on computers in a multitude of Eastern European countries, including Ukraine and the United States. Russia. This ban dates back to the early days of organized cybercrime and aims to minimize the control and interference of local authorities.

In Russia, for example, local authorities generally will not initiate a cybercrime investigation against one of their own unless a company or person within the country’s borders files a formal complaint as that victim. Making sure that no affiliate can cause victims in their own country is the easiest way for these criminals to stay away from national law enforcement agencies.

In a post on his Shame on Victims blog, DarkSide attempted to say he was “apolitical” and unwilling to participate in geopolitics: “Our goal is to make money, not to create. problems for society, ”the DarkSide criminals wrote last week.

But KrebsOnSecurity believes that digital extortion operators like DarkSide take great care in making all of their platforms geopolitical, as their malware is designed to only work in certain regions of the world.

DarkSide, like many other malware strains has a hard-coded list of countries it should not install which are the main members of the Commonwealth of Independent States (CIS) – former Soviet satellites that mostly maintain favorable relations with the Kremlin. The full list of exclusions in DarkSide (posted by Cybereason) is below:

Simply put, countless strains of malware will check the system for the presence of any of these languages, and if detected, the malware will stop and not install itself.