Essential insights from Hacker News discussions

Many ransomware strains will abort if they detect a Russian keyboard installed (2021)

The Hacker News discussion revolves around several key themes related to cybersecurity, operating systems, and geopolitical implications of hacking.

Ransomware Origin and State Sponsorship

A significant portion of the discussion focuses on the origin of ransomware and its connection to state actors, particularly Russia. Users suggest that Russia and North Korea view ransomware as legitimate economic activity and a tool of hybrid warfare. The practice of Russian hackers targeting non-Russian entities is presented as a deliberate strategy to avoid prosecution within Russia.

  • "Russia along with North Korea consider ransomware to be legitimate economic activity. It's part of their hybrid warfare strategy." (throwaway48476)
  • "When Russia arrests a hacker they're turned over to the GRU and told who to target." (throwaway48476)
  • "chisleu: It's simple for the malware to check. For instance, you don't want to hit a Russian oligarch's laptop w/ ransomware just because his GPS says he is in another country. You don't want to trust the outbound ip because they might be on a VPN, etc. This is more broad and simple and easy. Can you think of a better way?"
  • "exiguus: There is evidence that this has worked for ransomware like Petya and for groups like Fancy Bear or Cozy Bear and Conti. Mostly because the Russian gov. unofficially guarantees immunity if the target is not Russian. Also, if you identify as Russian or write Russian in the chats or mails to them, they will decrypt your systems for free."
  • "fracus: The title alone is hilarious because it obviously implies, probably correctly so, that most ransomware comes from Russia."

The "Russian Keyboard" as a Malware Avoidance Tactic

The idea that malware might avoid systems with a Russian keyboard layout is a recurring point. It is seen as a technical "fail-fast" check that malware authors build in so their code self-polices: it exits early rather than risk infecting a victim in their home jurisdiction. The accuracy and effectiveness of this method are debated, with suggestions that other indicators, such as language settings, date formats or time zones, could also be used, and that the check can be circumvented or even inverted.

  • "antonymoose: It is a fail-fast strategy to avoid internal prosecution for accidental attacks on fellow citizens."
  • "thaumasiotes: > If you make your machine look like a malware execution sandbox, a lot of malware will terminate to avoid being analyzed. This is just part of the cat and mouse game. What? This is an entirely separate concern. If you have a Russian input method installed, malware will terminate to avoid legal repercussions."
  • "Melatonic: Most windows servers are virtualised these days so I'm not sure this would work anymore. It might look at other indicators though"
  • "Melatonic: Seems like the safest would be standard Russian keyboard layout (or maybe just adding the reg keys mentioned). Also makes me wonder if installing a specific Chinese keyboard could have the same effect (for Chinese made ransomware or maybe even North Korean). Or perhaps they do other checks?"
  • "bozhark: Could check month/date/time formats"
  • "charcircuit: You could check what language the operating system is set to, or the browser bookmarks/history to name a couple. Checking installed keyboards is somewhat obscure and sounds like something someone cleverly came up with and I'm interested in how is sprea"
  • "zarzavat: Language wouldn't work, many bilingual people prefer to have their UI language set to English even if it's not their native language."
  • "I_am_tiberius: I'd be surprised if there isn't malware that targets specifically systems with Cyrillic keyboard enabled."
  • "Razengan: I KNEW keeping a Russian keyboard to type ( ;´Д`) would have practical uses!"
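The check the thread is talking about is, at bottom, a look at which input languages are loaded on the machine. The following is an added example (not code from the discussion or the linked article) that a defender can use to audit that from the other side: it decodes Windows keyboard-layout handles (HKLs) into language identifiers and reports whether a Russian (ru-RU, LANGID 0x0419) layout is among them, so you can confirm the mitigation the commenters describe is actually in place on a host. On Windows it calls `user32.GetKeyboardLayoutList`; on any other platform it falls back to a constructed sample list so the logic still runs offline. The LANGID table is limited to a handful of common values and is an assumption of this example, not something the page provides. As the thread itself notes, this is only one of several signals malware may look at, so a present layout is no guarantee.

```python
import ctypes
import sys

# A few standard Windows language identifiers (LANGIDs). This table is an
# assumption of the example; any LANGID not listed is reported as "unknown".
KNOWN_LANGIDS = {
    0x0409: "en-US",
    0x0809: "en-GB",
    0x0407: "de-DE",
    0x0419: "ru-RU",
    0x0422: "uk-UA",
    0x0423: "be-BY",
    0x043F: "kk-KZ",
}

RUSSIAN_LANGID = 0x0419

# Constructed sample of HKL values in the shape GetKeyboardLayoutList returns
# them: a US English layout and a Russian layout. Used off-Windows.
SAMPLE_HKLS = [0x04090409, 0x04190419]


def langid_from_hkl(hkl: int) -> int:
    """The low 16 bits of a keyboard-layout handle are the input language's LANGID."""
    return hkl & 0xFFFF


def describe_layouts(hkls):
    """Return (hkl_hex, langid, name) for each handle, for a human-readable audit."""
    out = []
    for h in hkls:
        lid = langid_from_hkl(h)
        out.append((f"0x{h:08X}", lid, KNOWN_LANGIDS.get(lid, "unknown")))
    return out


def has_language(hkls, langid: int) -> bool:
    """True if any loaded layout carries the given LANGID."""
    return any(langid_from_hkl(h) == langid for h in hkls)


def loaded_hkls():
    """On Windows, ask the OS for the loaded layouts; elsewhere use the constructed sample."""
    if sys.platform != "win32":
        return list(SAMPLE_HKLS)
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    count = user32.GetKeyboardLayoutList(0, None)   # first call: how many handles
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)         # second call: fill the buffer
    return [(h or 0) & 0xFFFFFFFF for h in buf]


def audit(hkls=None):
    """Summarise the loaded layouts and whether a ru-RU layout is present."""
    hkls = loaded_hkls() if hkls is None else hkls
    return {
        "layouts": describe_layouts(hkls),
        "russian_layout_present": has_language(hkls, RUSSIAN_LANGID),
    }


if __name__ == "__main__":
    report = audit()
    for hkl_hex, lid, name in report["layouts"]:
        print(f"{hkl_hex}  LANGID 0x{lid:04X}  {name}")
    print("ru-RU layout present:", report["russian_layout_present"])
```

Note that `GetKeyboardLayoutList` reports the layouts loaded for the calling process, which on a normal desktop session matches the user's configured input languages; a layout added only in the registry but never loaded will not show up here, which is exactly the kind of gap worth knowing about before relying on this trick.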

Operating System Security and Best Practices (Linux vs. Windows)

A significant portion of the conversation debates the security and usability of operating systems, with Linux frequently contrasted with Windows. Users discuss the benefits of non-administrator accounts, the concept of defense in depth, and the general user experience of switching between operating systems.

  • "NoOn3: Anyway Just use Linux and you'll be fine for a while."
  • "Melatonic: The best anti malware on any version of Windows has always been to make your default account you use everyday a non admin account."
  • "Melatonic: This is basically the default of how Linux works (sudo). It's also how any competent professional IT department will run Windows."
  • "Phurist: Or you know... just use Linux"
  • "floundy: Every couple of years I give daily driving Linux a try. I still find that old joke about 'Linux is only free if your time is worth nothing' to be quite apt."
  • "sdoering: I switched to Ubuntu "skinned" with Omakub a few months ago. Never looked back. Work with Windows on my work machine and use my *nix box as my daily dev driver and machine for surfing the net, doing emails and documents. I actually use it for nearly everything except vector graphics/DTP & images, as I am still too used to the Affinity suite."
  • "pkulak: Do you mind elaborating on what went wrong? Like, were you installing on a recent MacBook, or something else not well supported? In my experience, installing and running a popular distro is absolute cake. Easier than Windows, even, since you aren’t forced to create cloud accounts and answer a million privacy questions; you basically install then boot right into your new desktop."
  • "floundy: Used it on various devices. A Dell laptop (with power switching between dedicated and iGPU, what a nightmare that was for Linux display drivers), a desktop I built myself, a Raspberry Pi running RPi OS."
  • "fredfish: Every few years someone forces me to use Windows and I find that my data is apparently worth nothing since it being one giant anti-pattern wastes my time."
  • "floundy: I agree, I switched to Mac last fall with the incessant Windows 10 popups that my CPU is not supported and I can't upgrade to Windows 11, so buy a new PC chump or you'll be EOL! Okay, I bought a new PC Mr. Nadella, it just doesn't run Windows."
  • "Taek: I don't find it to be that way at all. I've used Debian as my daily driver for almost 10 years and I spend maybe... 30 minutes per year dealing with setup and configuration and stuff?"
  • "II2II: When you're making the transition from one operating system to another, there is going to be an investment of time. It doesn't matter whether you are moving from Windows to Linux or from Linux to Windows. When it comes to getting things done, each operating system is going to have its own strengths and weaknesses."
  • "pogue: I would recommend giving Linux Mint a try. It's very newbie friendly with a Windows-like desktop environment, automatic backup creation, and a store to install pretty much any software you need from."
  • "EvanAnderson: There's nothing magical about the Linux security architecture, when it comes to malware, aside from abysmal Linux market share. If it were popular it would be targeted. That's not to say there's no value. It's a case of security by obscurity, at best."
  • "johanneskanybal: Right tool for the job. Linux for deploying stuff to, Linux or mac for working on the stuff you’ll deploy. Windows for games and everyday use. They’re all superior in their category and it’s too obvious to spend time arguing about."
  • "cynicalsecurity: You don't need Windows for games since ages. Steam games run on Linux."
  • "eestrada: The best anti malware on any version of windows has always been to not run windows."
  • "fortran77: We're all very impressed that you're such a 1337 h4x0r that you run Arch Linux and not Windo$e."
  • "charcircuit: I would find the why more interesting. Is there a common library virtually all ransomware uses? Are virtually all ransomware copy pastes of each other? Is there a popular forum post detailing the trick?"
  • "NexRebular: ...where namespaces provide excellent technology for hiding malware making Linux one of the best platforms to turn into an evil host."

Malware Evasion and Defensive Strategies

The discussion touches on specific techniques malware uses to evade detection and defenses that can be employed against it. This includes making systems look like sandboxes, the role of UAC in Windows, and the importance of basic security hygiene.

  • "ttul: If you make your machine look like a malware execution sandbox, a lot of malware will terminate to avoid being analyzed. This is just part of the cat and mouse game."
  • "ronsor: Put VirtualBox strings in your firmware :)"
  • "tripplyons: Yes, and don't forget to install the VirtualBox guest extensions in your host machine to make it look even more like a VM!"
  • "thrtythreeforty: Is there any downside to unironically doing this? Seems like it'd actually work."
  • "DelaneyM: It’s not much harder to just harden your system to not be vulnerable in the first place, and that protects you from a lot more."
  • "ofjcihen: To be fair the vast, vast majority of exploitation that we see (especially in the news) comes from sub-par security setups and poor training/architecture. That’s not even going into security monitoring which most companies don’t or barely have."
  • "anonymars: How does that protect against ransomware?"
  • "petersellers: Limits the blast radius to only the files that the more limited user has write access to."
  • "Melatonic: Exactly - UAC is like a poor man's Sudo and I never really got the point of it. There is a reason so many people tried to disable it."
  • "EvanAnderson: There are UAC bypasses. Microsoft has repeatedly stated that UAC isn't actually a security boundary. It's better to run a daily driver account as a limited user and only elevate when you overtly need it."
  • "Melatonic: Daily driver as limited user should be the Windows default even if it makes usability more confusing."
  • "EvanAnderson: Having said that, today's attacks are all about the data. It's all about exfil/ransomware/blackmail because there's money to be had there. On an individual home user PC there's no lateral movement or bigger targets to attack."
  • "Leandro: Like I said in the parent post, I should be using Qubes. I'm just lazy."
  • "seb1204: So the mum or grandpa should also use an admin account to execute the file they just downloaded?"
  • "Melatonic: Most malware I've commonly seen on individuals' computers (like the grandma example) comes about when they want to install something and use an installer that has it bundled with legit software. Or they visit a site that's a shady copy of a legit one."
  • "zahlman: Malware can still do a lot without "installation". Running as an unprivileged user, it can still do anything to/with the filesystem that the user would be able to do, and will (on most normal setups) be able to make outbound Internet connections without limitation. In short, these kinds of privileges don't protect against data exfiltration, ransomware operating on the user's important data files, simple vandalism...."
  • "cube00: Windows doesn't offer immutable local file versions to protect against ransomware running as a non-privileged user. It doesn't offer any protection if a single application suddenly starts to overwrite huge amounts of data. Instead they choose to try and shove OneDrive down our throats as the only answer to ransomware protection."
  • "ropable: As someone working in infosec for a largish 2000 seat organisation - it's honestly not inaccurate. No matter how much accessible information security training we try to provide and the EDR controls we implement, >95% of our incidents involve an end-user following (sometimes extremely obvious) phishing links."
  • "BLKNSLVR: It's still 'the length of the street' better than having malware installed as root/admin. Malware in userspace is much easier to both detect and remove for the simple fact it cannot embed itself that deeply into the system (barring nation states leveraging zero days, but that's a few levels above 'regular consumer' advice)."
  • "exiguus: Besides that, it is not necessary to have admin rights to delete and encrypt data or to run and hide software. There are also many ways, besides stealing sessions, to gain admin rights, such as through unpatched software, inappropriate user rights, zero-day exploits, and social engineering."

The "Just" Misinterpretation and Wordplay

A small thread within the discussion involves a humorous misinterpretation of the word "just," leading to a brief tangent about music, desserts, and personal names.

  • "danielschreber: Wikipedia's page on "just intonation" is, oddly, about music."
  • "andybak: OK. You've lost me."
  • "cwmoore: And it is so too that “just deserts” are rarely desserts at all."
  • "Bluestein: ... as is "Just for Men""