In a Twitter discussion on ransomware operations, Brian Krebs suggested that a great many malware strains are programmed not to attack targets based in particular countries, which are usually the ones they operate from.
Based on his analysis, Krebs suggests that malware usually looks through the list of keyboards installed in Windows to determine the targeted computer’s country of use.
For instance, the recent DarkSide malware that brought down the Colonial Pipeline in the US avoids machines that operate in countries that are the principal members of the Commonwealth of Independent States (CIS).
“Installing a Cyrillic keyboard, or changing a specific registry entry to say ‘RU’, and so forth, might be enough to convince malware that you are Russian and off limits. This can technically be used as a ‘vaccine’ against Russian malware,” Allison Nixon, chief research officer at New York City-based cyber investigations firm Unit221B, told Krebs.
Unit221B’s founder Lance James has gone one step further and shared a simple Windows batch script, which you can use to make your Windows servers default to the Russian language with a simple key-press.
During the discussion, others suggested adding entries to the Windows registry to make the computer advertise itself as a virtual machine (VM). The suggestion stems from the fact that several malware strains have traditionally avoided infecting ephemeral VMs.
However, speaking to Krebs, James shot down the idea, adding that being a VM doesn’t dissuade malware anymore. “In fact, a lot of the ransomware we’re seeing now is running on VMs,” says James.
In any case, neither of these strategies guarantees that malware will avoid your computer, nor is installing a Cyrillic keyboard a replacement for having robust security software and taking regular backups.
Via KrebsOnSecurity