Adding a Russian Keyboard to Protect against Ransomware

A lot of Russian malware — the malware that targeted the Colonial Pipeline, for example — won’t install on computers with a Cyrillic keyboard installed. Brian Krebs wonders if this could be a useful defense:

In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country’s borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies.

[…]

DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) — former Soviet satellites that mostly have favorable relations with the Kremlin.

[…]

Simply put, countless malware strains will check for the presence of one of these languages on the system, and if they’re detected the malware will exit and fail to install.

[…]

Will installing one of these languages keep your Windows computer safe from all malware? Absolutely not. There is plenty of malware that doesn’t care where in the world you are. And there is no substitute for adopting a defense-in-depth posture, and avoiding risky behaviors online.

But is there really a downside to taking this simple, free, prophylactic approach? None that I can see, other than perhaps a sinking feeling of capitulation. The worst that could happen is that you accidentally toggle the language settings and all your menu options are in Russian.

EDITED TO ADD (6/14): According to some, this doesn’t work.

Posted on May 18, 2021 at 10:31 AM35 Comments

Comments

JonKnowsNothing May 18, 2021 10:59 AM

@All

Once I was fooling around with other language options (French Spanish English(varieties)) and decided to look at Russian.

If you don’t speak Russian and you don’t know Cyrillic Letters, I can tell you that everything flips. It was rather funny until I realized the alpha-sort and menus also flipped.

Undo is not where you think it is…

John Doe May 18, 2021 11:02 AM

As soon as this “tactic” is used by more and more people, it will be used by less and less crooks, thus giving a false sense of security.

Given that right now everything is connected to the Internet, the next logical step would be IP geolocalization. True, it is not fail-proof, but will be more reliable after everyone installing russian locales.

ABC May 18, 2021 11:25 AM

“The modern Russian alphabet consists of 33 letters” according to Wikipedia, but I have only 31.

Й Ц У К Е Н Г Ш Щ З Х
Ф Ы В А П Р О Л Д Ж Э
Я Ч С М И Т Ь Б Ю

“Ё” and “Ъ” are missing, and have to be typed with a “long press” on the “Е” and “Ь” keys.

It’s like Greek to me. Certain Russian letters, e.g., П and Р look and sound like Greek Pi and Rho.

oneofthose May 18, 2021 12:01 PM

@ABC

I studied Russian and German many years ago.

“‘Ё’ and ‘Ъ’ are missing”

In current printed Russian, one only sees the former in schoolbooks. One learns as a child when ‘E’ is to be pronounced “ye” (the default) and when it is to be pronounced “yo” (for ‘Ё’).

One of the (many) ways Russians can tell if someone isn’t a native is how they pronounce ‘E.’ Another other big way is via the pronunciation rule that when ‘o’ is not under the stress, it is pronounced as ‘a.’ Shostakovich and Lukashenko are actually pronounced Shastakovich and Lukashyenka (RFERL names the latter Lukashenka). Gorbachev and Chernobyl are butchered by all non-Russian speakers.

It amazes me that announcers on classical music stations almost always pronounce English, French, and Italian words correctly — German is usually, but not always — but Russian words are butchered.

“It’s like Greek to me.”

That’s because the letters were borrowed from Greek. It’s called the Cyrillic alphabet even though St. Cyril, along with St. Methodius, created v.1 many centuries ago.

oneofthose May 18, 2021 12:18 PM

I wrote: “It amazes me that announcers on classical music stations”

Correct that to: “It amazes me that announcers on classical music stations in the US.” German classical music station announcers, e.g., on Radio Swiss Classic, exhibit perfect pronunciation of all words, temporarily leaving their German accent behind.

ABC May 18, 2021 12:27 PM

One learns as a child when ‘E’ is to be pronounced “ye” (the default) and when it is to be pronounced “yo” (for ‘Ё’).

For instance look up a Russian word in “wiktionary” say, “закон“, but then it is spelled with an accent mark to indicate primary stress: зако́н.

But “О́” is clearly not a distinct letter from “О” and the ‘dictionary pronunciation’ stress mark is not commonly printed in prose … and on the other hand you’re saying that the letter ‘Ё’ is an archaic or instructional variant of ‘E’ only, even though it is officially one of the 33 letters of the Russian alphabet.

And then the Ukrainians have a slightly different version of the Cyrillic alphabet.

Anders May 18, 2021 12:33 PM

@Vesselin Bontchev

Here i’m with you. People who don’t understand
Russia generate sometimes utmost idiotic writings…

Stuart Lynne May 18, 2021 1:48 PM

Making the assumption that enough people do this to make the RansomWare gangs stopping using it might lead to them making mistakes and accidentally infecting organizations that are in Russia.

Russian XAKEP May 18, 2021 2:07 PM

Dorogoi Braian!

Physical keyboard with Cyrillic layout helps more against us! Just buy a new keyboard with Russian characters on the keys, throw away old keyboard, connect the new one to your computer and you are protected against us. No need to change anything in Windows.

from Russia with love.

Clive Robinson May 18, 2021 2:10 PM

@ Brice, ALL,

Brian Krebs wonders if this could be a useful defense

Some of us are old enough to renember the Mac -v- Windows debate, with fanbois saying Macs must be so much mote secure than Windows becaise they did not get attacked.

It was pretentious nonsense, the real reason was that Macs did not have the ROI attackers got from Windows simply because one attack developed for Windows got you ten times as many machines.

As Macs became more predominant the calculus of the ROI changed and for a short while Macs were actually easier to attack than Windows PC’s.

So ask yourself a question,

How long do you think it would take Russian speaking malware writers to change to use a different differentiator? Half an hour,
Maybe three hours…

So if people start using Cyrillic Keyboards it will work untill the attackers see a drop in their success rate…

So if a fraction of users do it them the ransomware people will not have reason to stop using a very easy indicator. If more use it then the ransomware people will switch to using a different method of “Keeping Putin Happy”.

It realy is that simple, at the moment the realy poor security of all commetcial OS’s and Applications has made a very target rich environment. Rusian being dirt poor, and the way it’s laws and current politics work is why the Cyrillic detection is there.

Change any one thing even a little bit and the ROI calculus will change.

Mansour May 18, 2021 2:10 PM

There’s one downside. The Ads on the Internet also read your keyboard language and out of a sudden you’ll see Ads in Russian. That bugs me personally.

oneofthose May 18, 2021 2:47 PM

@ABC

I would include dictionaries in the category of schoolbooks.

Look at Russian newspapers. You will never see accents or umlauts (I don’t remember any more if that’s the same word Russians use for the squiglies above certain letters). People learn at an early age where the accents of words are. Also, there’s a somewhat consistent logic to how words are pronounced which one acquires through practice.

And yes, Ukrainian (and Belarussian and the other Slavic languages) have different rules, sometimes very different rules. Not to mention that Russian has changed over the years (read Russian revolutionary posters from the first twenty years of the 20th Century for examples). I remember a Russian woman joking, while we listened to Polish and then an English translation, about how a Russian word would pop out every ten words or so, revealing just how much Polish has diverged.

MarkH May 18, 2021 3:28 PM

@oneofthose:

The pronunciation of Е (in modern Russian) is a little more complicated than that … it varies with stress and the rhythm of the word. By schoolbook pronunciation rules, people should say Петербург (the city) rather like pyetyerburk … but I’ve never heard that from a native Russian speaker. The usual pronunciation is between petyerburk and peetyerburk (more nearly the latter).

According to the general rule that most rules have exceptions, Ё is not absolutely limited to schoolbooks and dictionaries. I remember a street advertisement with the spelling ВСЁ (vsyo) meaning “all” when applied to things, to differentiate it from ВСЕ (vsye) meaning “all” when applied to people. [Normally they’re spelled alike and which word is represented is inferred from context.]

“Lukashenka” is actually the standard transliteration of the dictator’s name in the Belarusian language (a close cousin to Ukrainian). “Lukashenko” is the Russian language version of his name; Belarusian and Russian are both national languages of Belarus.

SpaceLifeForm May 18, 2021 4:52 PM

Last I checked, keyboard layout has no relation to ip address block.

Just saying.

Anders May 18, 2021 6:35 PM

@ALL

Just one fun fact. Russian alphabet is the only one
in the world, where consequent characters construct
meaningful sentence.

где ёж? – where is the hedgehog?

Clive Robinson May 18, 2021 7:14 PM

Anders,

Just one fun fact. Russian alphabet is the only one
in the world, where consequent characters construct
meaningful sentence.

Err not quite true, define “meaningful”?

In english,

“I Jay Kay”

Makes sense and people do genuinely leave “am” out of sentences these days. Believe it or not english is dynamic, lazy and in a continual state of flux. So whilst it was probably not meqningfull when you and I were in school I suspect it probably is now…

Erdem Memisyazici May 18, 2021 8:21 PM

It’s always interesting to see hackers implement kill switches into their software.

Anders May 18, 2021 8:42 PM

@Clive

I’m talking about meaningful words/sentences here as we read it.
Literally.
I’m not talking about pronouncement.
What word/sentence is IJK?

JPA May 18, 2021 10:00 PM

Please correct me if I am wrong, but my conclusion is that this advice is worse than useless.

My reasoning is that it could lead people to have a false sense of protection and thereby cause them to neglect other methods for keeping their systems secure or making backups consistently.

MarkH May 19, 2021 1:40 AM

@Clive:

Anders cited a written composition of letters to form words (and dictionary words at that, no proper nouns), not the sounds of letter names.

Whether that sequence in Cyrillic is really the global record, I don’t know.

Two factoids about the language, which might interest you:

1) It has 10 single-letter words, perhaps giving it a distinctive personality for old-fashioned cryptanalysis. I speculate that there may be no language with a greater number.

2) I read in a textbook that the maximal syllable of Russian consists of 4 consonant sounds, a vowel, and 4 more consonant sounds, though I’ve found no example of this.

Anyway, it’s far easier than Navajo.

ATN May 19, 2021 3:19 AM

If I correctly remember, a keyboard do not “publish” in any way what is its key mapping, you cannot “ask” a keyboard if it is a Russian one. Another consequence of “build them cheap, then reduce their price”.
So you just have to add “support Russian keyboard” to the operating system, that is software-only config.

Clive Robinson May 19, 2021 3:27 AM

@ JPA,

My reasoning is that it could lead people to have a false sense of protection…

It’s a bit worse than that.

The “protection” such as it is, is due to “enemy action” not something either the defender has control over or occurs via independent or uncontrollable events or circumstances.

If the aim of the attackers/enemy is not to upset “the political apple cart at home” with a political leader they have reason to be scared of upsetting[1], then they have many ways available to them to do so, so can easily switch to another at very short notice.

So as a defender it would be like trying to play “Wack-o-Mole” in the dark with a blindfold on…

There is an old joke about the odds of success[2] in such endevors, which tells you it’s not a very wise course of action.

[1] History has many examples of people being a “freelance” enemy. The one many will know of is Privateers who were essentially Pirates, but operating under “letters of Marque”. Thus by a mixture of letting their Monarch have a piece of the action and nationalism, they were considered “honorable Gentlemen” rather than “dispicable murders”… Whilst there was profit to be made, there was a downside, politics is fluid and in the days of sail a ship and it’s company could be out of contact untill they returned to a home port upto a year or more after they left. Which ment that a political change could make their letters worthless without them knowing, thus become treated as pirates fot only for the worst of punishments by all, including their home country.

[2] A man gets captured by the enemy and dragged before the leader, who tells him they are going to play a game and he has to roll a dice, and If he rolls low he dies. The man asks what happens if he rolls high, the leader tells him “you get to roll again”…

Bowser May 19, 2021 6:18 AM

Two factoids about the language, which might interest you

Factoids are defined as either an invented or assumed statement presented as a fact, or a true but brief or trivial item of news or information. Which one was it?

Yevgeniy Bekhtold May 19, 2021 10:33 AM

It NOT works. I have russian keyboard with russian letters (with “yo”) and Cyrillic keyboard in Windows.
Use virustotal.com, good antivirus and brain, it works.

oneofthose May 19, 2021 11:56 AM

@MarkH

1st paragraph: you are correct, but I already thought I was giving too much detail.

2nd paragraph: a street ad with ‘Ё’? I never saw that, but I believe you. Interesting.

3rd paragraph: I’d say “Lukashenka” is both transliterated Belarussian and Russian, but I’m splitting unimportant hairs. As for “Belarusian and Russian are both national languages of Belarus,” that’s not really accurate. Before the protests, Lukashenka did his best to prohibit the Belarussian language. He banned the teaching of Belarussian in schools, as per RFERL, something that Belarussians find rather annoying, similar to how Japan tried to eliminate the Korean language after it annexed Korea in 1910. Lukashenka backtracked a bit, but not to where things should be.

A related story is what happened in Ukraine just before the Euromaidan revolution. A cop in the east, the Russian part now controlled by Moscow, was asked by a Ukrainian to speak Ukrainian, not Russian. His response was that Ukrainian was “the cow’s language,” displaying the haughty attitude many Russians exhibit toward non-Russians in the former Soviet Union.

MarkH May 19, 2021 3:56 PM

@oneofthose:

The Wikipedia page for Lukashenka shows the Belarusian and Russian versions of his name at its start.

Also in Wikipedia, the Belarusian language page gives an account (how faithful, I cannot judge) of discrimination against the language and its speakers during the tyrant’s long reign; it doesn’t say much about his role.

I’ve found Radio Free Europe / Radio Liberty (RFERL) to be a first-class source of news about the former Soviet Union. Considering that Belarusian is named as the national language in the 1994 version, and the first of two national languages in the 1996 revision, I suppose that RFERL is following exemplary journalistic standards in giving the Belarusian version of his name.

Jim May 19, 2021 4:32 PM

Since the advice mentioned at Krebs is intended for Windows users’ systems:

Folks should be advised that many of the Microsoft KB advisories for patches or updates mentioned that they will need to be re-installed if additional languages are added. For years many patch advisory documents contained the warning:

“Important If you install a language pack after you install this update, you must reinstall this update.”

So BEWARE that rushing off and adding a language to your Windows systems might have unintended consequences with regards to patches and updates. I’m not sure if security could be compromised, or it will be odd languaged / localization functional issues.

allen May 19, 2021 7:33 PM

Is doing this in Windows a significant security improvement? Probably not.

Does it have an above-zero chance of (helpfully) preventing a virus from running on the system? Yes, there is clear evidence this type of kill switch is built into many versions of malware.

Does doing this have any negative side effects on a systems security? Probably not, although it is valid to expect people who dont have a technical understanding, may be lead into a false sense of security. But that is true of any security system.

(Setting the registry keys is not the same thing as actually installing a Windows Language Pack BTW and would not impact Win Updates…)

However if you look at this as yet-another layer in your security onion (aka a Defense-in-depth strategy with many other layers with it), the facts are that this takes such little effort to implement, almost certainly results in at least some amount of extra security, and there is little or no downside to setting those two specific registry keys…

I wouldn’t jump out of my chair to implement this on all systems, and this does not at all replace any other standard security measures that should be in use, but its a completely valid idea for those who want to do it.

MarkH May 20, 2021 12:52 AM

The dangers of distracted commenting … my 1994 and 1996 references are to the Belarus constitution.

@Bowser:

You caught me out. I should have written “factoidoids” meaning assertions which have the form or appearance of factoids, but are not necessarily factoids in fact.

Alex Bodryk May 20, 2021 1:54 AM

We entered the era when we have to please cybercriminals to avoid loss. Did we surrendered?

Most of ransomware cases has RDP bruteforce attack vector which is prevented by common sense and discipline. It looks like IT world does not have discipline any more. It’s pity.

Clive Robinson May 20, 2021 3:53 AM

@ Alex Bodryk,

Most of ransomware cases has RDP bruteforce attack vector which is prevented by common sense and discipline. It looks like IT world does not have discipline any more. It’s pity.

Well which is the number one attack vector at any given time is difficult to quantify and things remain both fluid and volatile. But yes the revelation of available attacks on RDP certainly made it popular in the forst half of last year. But then Email attacks still remained very popular and rising as well[1]. With other attacks beong developed.

The point is RDP will stop being in the top attacks when the ROI for the attackers changes, and something else easy/convenient for their aims and objectives comes along.

Thus trying to fix each instance of the myriad of Ransomware attack vectors, is a game of Whack-o-Mole that can not be won by the defenders with the resources they are prepared to commit.

And that game is not going to stop any time soon.

Some blaim crypto-currencies in the same way you blaim RDP, acting against them will not stop ransomware, the attackers will just change tactics and carry on. They will evolve more quickly than defenders or the authorities can stop them.

That is both the actual attack vectors and payment systems used are irrelevant to the ransomware attackers core activities which were,

1, Locate data.
2, Lockup data.
3, Selectively release data.

The important point to note is the move from “ransom” to “blackmail”.

This suggests one or both of,

A, The number of attackers is growing.
B, People had started to respond correctly to the “data lockup” threat.

Whilst “backup solutions” can and frequently do work against amature ransomware attackers[2] the fact that “blackmail” has now entered the game shows that it is not sufficient in of it’s self.

Thus the actual problem is the generalised case of,

“Keeping the rat away from the cheese.”

Withvthe sub problem of stopping exfiltration of data.

I can go on to describe how to deal with these issues, but it’s fairly pointless because in by far the majority of cases senior managment do not want to consider giving the resources to do it or think that the short term risk is more profitable than longer term security.

[1] This ZDnet article from about nine months ago gives the state of play back in the first half of last year so is as far as on the ground attacks is concerned about a year out of date,

https://www.zdnet.com/article/top-exploits-used-by-ransomware-gangs-are-vpn-bugs-but-rdp-still-reigns-supreme/

[2] As I’ve pointed out over several years if you want a ransomware attack to work you also have to lock-up the backup systems as well as the data which moves into APT territory something non Level III attackers tend to avoid in part on the “turnover” business logic. APT is something most ransomware attackers have not yet progressed to but it’s a logical progression as they sort out “payment systems” which the likes of bitcoin just can not compete with, but drug dealers and other Serious Crime practitioners have.

Tatütata May 21, 2021 8:31 AM

There is at least one downside. If you have multiple keyboard layouts, Windows will rotate between them with the poorly chosen default key combination LEFT-CTRL+SHIFT, which is frequently inadvertently entered during normal use. The US-international (an oxymoron!) layout fulfills most of my needs [I can program and comment in several languages], but I have a couple more layouts I can’t get rid of for various reasons, and these keep popping up.

The installed system locales will also show up in the Accept-Language headers produced by at least some browsers, increasing the opportunities for fingerprinting users.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.