Insights > Network Visibility + Security

Playing Russian Roulette with a Russian Keyboard

2021-05-19  |  5 min read 

We have all seen the Colonial Pipeline ransomware attack that created havoc on the east coast of the US play out.  There have been some really insightful articles on this attack, such as this article in SC Magazine by Scott Register, and direct mention by the White House in the executive order to improve cybersecurity.  The ransomware would be better referred to as extortionware, since it steals the data before encryption, thereby allowing the threat actor to leverage the threat of releasing the data should the ransom fail to be paid.  In this case, every minute the pipeline was disabled led to heavy financial loss, and may well have been leverage enough to pay the ransom. Attribution of the attack was confirmed by the FBI to be Darkside with links to Russia, and it has some very interesting differentiators.

The Colonial Pipeline is recovering now.  Confirmation of a suspected ransom payment by Colonial, has been confirmed by Elliptic  by analysing Bitcoin transactions.  In doing so they have been able to identify their specific wallet, which also gives insight into how profitable their ransomware-as-a-service model is, with some $17M hitting Darkside Groups bitcoin wallet since March.  This is just their cut of the service delivered by their “associates” who also take a share.

Credible reports from Recorded Future suggest that US Cyber Command have shutdown Darksides operations, but I have no doubt there will be more that follow in their footsteps.  Attention will no doubt focus on Russian Language Cybercriminal Marketplaces & forums.

Recorded Future Tweet

As well as the obvious motivation of financial profit, analysis of the malware has shown that Darkside appeared to be motivated to prevent their malware affect Russian linked assets. 

One of the main differentiators of this attack is that this family of ransomware checks for the presence of Russian language support.  As we learn more, suggestions have been going wild on social media suggesting that installing or defining keyboard support for one or all of the do-not-install Russian linked languages will prevent the detonation of the code.  Brian Krebs elaborates on the weird trick Russian Hackers Hate.

Whilst it would be cool way to mitigate by installing certain language-specific keyboards, it’s also rather hopeful: rather like crossing the road with your eyes shut, or playing Russian Roulette.  Sure it might work, but given how many variants of malware exist, and given how trivial it would be for the hackers to modify this behaviour, its not a robust approach. Their code could determine Russian affiliation by Russian language OS support, or not at all.  It comes with massive risk if you assume otherwise.

Sure, you have security controls rather than keyboards to protect your network & endpoints – and lots of them most likely.  It’s a common theme.  Even organisations with a very mature security posture often are unaware that their security infrastructure has gaps, or is misconfigured.

Time to go proactive:

Keysight’s Threat Simulator, a Breach and Attack Simulation solution gives customers the ability to emulate such attacks on their live production network.  By targeting our agents on your production network, you are able to measure your ability to block, as well as your ability to alert your SIEM, and all with zero risk.  And if you fall short, the recommendation will guide you along the path of remediation.

ThreatSimulator Darkside Assessment

And all that without a Russian|Ukranian|Kazakh|Turkmen|Tatar|Belarusian keyboard!