"One of these eight-year-old running gags kinda turned into a real recommendation recently: Changing your keyboard layout to Russian," Fabian Wosar wrote in a tweet.
He appeared to be taking a dig at former Washington Post employee Brian Krebs, who posted an article on his blog titled "Try This One Weird Trick Russian Hackers Hate" on 17 May US time.
I really hope people aren't taking this 'install Russian keyboard' vaccine seriously. DarkSide, for example, checks for default UI language and not available keyboards. So unless you plan to use Windows in Cyrillic, let's invest in a better strategy.— J. A. Guerrero-Saade (@juanandres_gs) May 18, 2021
Krebs wrote that "virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed – such as Russian or Ukrainian".
"That is mostly due to the fact that some CIS [Commonwealth of Independent States, formerly part of the Soviet Union] countries will not extradite their citizens to foreign countries so TAs think that by avoiding breaking laws in their own country they are safe."
Ransomware TAs will know everything about your company. They will know whether you are a real Russian company or not. After all, company registers are a thing and most likely your company name and website will be plastered all over your network. They'll simply change the config.— Fabian Wosar (@fwosar) May 18, 2021
He said that while most ransomware did include checks for keyboard layout or default language, most of them checked the active or default configuration, not some registry key.
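The distinction Wosar and Guerrero-Saade draw is between what is installed and what is actually configured. The following read-only PowerShell script is an added example for this article (it is not code from the article, from Krebs, or from any ransomware family); it queries the same Windows APIs a locale check would have to use and reports what a layout-based check and a default-UI-language check would each see on the machine. The list of CIS language identifiers in `$cisLangIds` is an illustrative assumption, not copied from any sample, and the `*WouldSkip` field names are ours.

```powershell
# Added example, not code from the article or from any malware sample.
# Read-only diagnostic: shows what two different "is this a CIS machine?"
# checks would see here, so you can tell whether adding a Cyrillic keyboard
# layout changed anything that a default-UI-language check looks at.
# Runs on Windows PowerShell 5.1 or later without elevation; changes nothing.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern ushort GetUserDefaultUILanguage();
[DllImport("kernel32.dll")] public static extern ushort GetSystemDefaultUILanguage();
[DllImport("user32.dll")]   public static extern int GetKeyboardLayoutList(int nBuff, [Out] IntPtr[] lpList);
'@

# Assumption for illustration only: a handful of CIS LANGIDs. Real families
# ship their own (often longer) lists; nothing here is taken from a sample.
$cisLangIds = @{
    0x0419 = 'ru-RU'; 0x0422 = 'uk-UA'; 0x0423 = 'be-BY'; 0x043F = 'kk-KZ'
    0x0440 = 'ky-KG'; 0x0428 = 'tg-Cyrl-TJ'; 0x0443 = 'uz-Latn-UZ'; 0x042B = 'hy-AM'
    0x042C = 'az-Latn-AZ'; 0x0437 = 'ka-GE'; 0x0818 = 'ro-MD'
}

function Get-LangName([int]$langId) {
    # Translate a LANGID into a culture name; fall back to hex if Windows does not know it.
    try { [System.Globalization.CultureInfo]::GetCultureInfo($langId).Name }
    catch { '0x{0:X4}' -f $langId }
}

# Check A: keyboard layouts loaded for this session.
# The low 16 bits of each HKL are the input language identifier.
$count = [Win32.Native]::GetKeyboardLayoutList(0, $null)
$hkls  = New-Object IntPtr[] $count
[void][Win32.Native]::GetKeyboardLayoutList($count, $hkls)
$layoutLangIds = @($hkls | ForEach-Object { [int]($_.ToInt64() -band 0xFFFF) })

# Check B: the user's default UI language, i.e. what the Windows shell is displayed in.
$userUiLangId   = [int][Win32.Native]::GetUserDefaultUILanguage()
$systemUiLangId = [int][Win32.Native]::GetSystemDefaultUILanguage()

# The registry value the "vaccine" write-ups suggest editing, shown for comparison.
$regLocaleName = (Get-ItemProperty 'HKCU:\Control Panel\International').LocaleName

[pscustomobject]@{
    LoadedKeyboardLayouts    = ($layoutLangIds | ForEach-Object { Get-LangName $_ }) -join ', '
    UserDefaultUILanguage    = Get-LangName $userUiLangId
    SystemDefaultUILanguage  = Get-LangName $systemUiLangId
    RegistryLocaleName       = $regLocaleName
    # A layout-based check would notice an added Cyrillic layout:
    LayoutCheckWouldSkip     = [bool]($layoutLangIds | Where-Object { $cisLangIds.ContainsKey($_) })
    # A default-UI-language check (the kind attributed to DarkSide above) ignores layouts:
    UILanguageCheckWouldSkip = $cisLangIds.ContainsKey($userUiLangId)
} | Format-List
```

Run it once, add a Russian keyboard layout through Settings, then run it again in a fresh session: `LoadedKeyboardLayouts` gains `ru-RU` and `LayoutCheckWouldSkip` flips to True, while `UserDefaultUILanguage` and `UILanguageCheckWouldSkip` are unchanged unless you actually switch the display language. The script only shows what each check sees; as Wosar notes below, an operator can switch the check off entirely, so a True in either field is not a safety guarantee.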
Krebs had also quoted Allison Nixon, chief research officer at New York City-based cyber investigations firm Unit221B, as saying: "Installing a Cyrillic keyboard, or changing a specific registry entry to say 'RU', and so forth, might be enough to convince malware that you are Russian and off limits. This can technically be used as a 'vaccine' against Russian malware."
But Wosar said that, unless one actually used the system in Russian with a Russian keyboard layout, the trick would not work.
"...even if you do that, you will still get hit. Because what nobody tells you is that these checks are often optional and can be disabled with a simple config switch," he explained. "This is true for DarkSide, whose recent popularity sparked the conversation, and many of the others out there.
"Ransomware TAs will know everything about your company. They will know whether you are a real Russian company or not. After all, company registers are a thing and most likely your company name and website will be plastered all over your network. They'll simply change the config.
"So, instead of mass deploying a Russian keyboard layout to all your network, how about rolling out MFA [multi-factor authentication] and making sure your VPN appliances and Internet-facing systems are updated in a timely manner? You know, things that will actually improve your security posture."