
Many ransomware strains will abort if they detect a Russian keyboard installed (2021)

ttul

If you make your machine look like a malware execution sandbox, a lot of malware will terminate to avoid being analyzed. This is just part of the cat and mouse game.

Melatonic

Most Windows servers are virtualised these days so I'm not sure this would work anymore. It might look at other indicators though.

ronsor

Put VirtualBox strings in your firmware :)

tripplyons

Yes, and don't forget to install the VirtualBox guest extensions on your host machine to make it look even more like a VM!

thrtythreeforty

Is there any downside to unironically doing this? Seems like it'd actually work.

rzzzt

It was mentioned in the other front page article, I guess this is where we got this submission from: https://news.ycombinator.com/item?id=44413185

general1726

Time to install Ghidra on every station

thaumasiotes

> If you make your machine look like a malware execution sandbox, a lot of malware will terminate to avoid being analyzed. This is just part of the cat and mouse game.

What? This is an entirely separate concern. If you have a Russian input method installed, malware will terminate to avoid legal repercussions.

exiguus

There is evidence that this worked for ransomware like Petya and for groups like Fancy Bear or Cozy Bear and Conti. Mostly because the Russian gov. unofficially guarantees immunity if the target is not Russian. Also, if you identify as Russian or write Russian in the chats or mails to them, they will decrypt your systems for free.

userbinator

> Also, if you identify as Russian or write Russian in the chats or mails to them, they will decrypt your systems for free.

I wonder how that works in this era of AI translation.

Not quite the same but I remember there was a Russian shareware author who gave free licenses to Russians.

ivan_gammel

> I wonder how that works in this era of AI translation

Simple translation isn’t enough to show cultural proximity. Patterns of speech are different. You can try to use AI to do the entire conversation, but e.g. Claude will refuse to give you exact phrases, since he is correctly assuming it is a social engineering attack.

lelele

Do you mean that one can't use AI to learn a foreign language in its everyday form?

hinkley

The life of a privateer is hard.

atemerev

It's not that simple, I think. There are many Russians everywhere, and probably they work at victim companies too, so just being Russian won't be enough, if ransom could be in the millions. You'll have to convince them that the company is Russian-owned, or that your father works in FSB, or whatever.

I_am_tiberius

I'd be surprised if there isn't malware that specifically targets systems with a Cyrillic keyboard enabled.

Melatonic

The best anti-malware on any version of Windows has always been to make the default account you use every day a non-admin account.

You also need to create a separate account (can just be a local account) that is a full administrator. Make sure you use a different password.

Any time you need to install something or run PowerShell/CMD as admin, it will pop up and ask for the separate login of the admin account. This is basically how Linux works by default (sudo). It's also how any competent professional IT department will run Windows.

If an admin elevation popup happens when you haven't triggered it then you probably know something is wrong. And most malware will not be able to install.

Another benefit is that you can use a relatively normal (but obviously not too short) password for your regular account and then have something much more complicated for the admin login. This is especially great on something like "Grandmas PC" or anyone who is at higher risk of clicking on the wrong thing.
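As an added example (not code from the thread), the account split described above, done on a stand-alone Windows machine from an elevated PowerShell: a dedicated local administrator account is created, and the daily-use account is removed from Administrators only after confirming another usable administrator remains. 'LocalAdmin' and the daily account name are placeholders; the cmdlets are the built-in Microsoft.PowerShell.LocalAccounts ones.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell while
# still signed in as the (current) administrator. 'LocalAdmin' is a placeholder.

function New-ElevationOnlyAdmin {
    param([string]$Name = 'LocalAdmin')
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for $Name (long, and different from the daily one)"
        New-LocalUser -Name $Name -Password $pw -PasswordNeverExpires `
            -Description 'Used only for UAC elevation' | Out-Null
    }
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Name
    }
}

function Remove-DailyAccountFromAdmins {
    param([string]$Daily = $env:USERNAME)
    $me = "$env:COMPUTERNAME\$Daily"
    # Guard: never remove the last usable administrator, or you lock yourself out.
    $others = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -ne $me } |
        Where-Object {
            if ($_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local') {
                (Get-LocalUser -SID $_.SID).Enabled   # skips disabled accounts such as the built-in Administrator
            } else { $true }                          # groups, domain or cloud principals: assume usable
        }
    if (-not $others) { throw "Refusing: $me would be the only enabled administrator." }
    Remove-LocalGroupMember -Group 'Administrators' -Member $Daily
    Add-LocalGroupMember -Group 'Users' -Member $Daily -ErrorAction SilentlyContinue
}

function Show-AdminState {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

New-ElevationOnlyAdmin -Name 'LocalAdmin'
Remove-DailyAccountFromAdmins            # group change applies at the daily account's next sign-in
Show-AdminState
```

After signing out and back in, UAC prompts for the daily account become credential prompts for LocalAdmin rather than yes/no consent prompts. The boundary here is the separate account, not UAC itself, and as the replies below note it does nothing for malware that is content to run in the daily account's own context.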

zahlman

> If an admin elevation popup happens when you haven't triggered it then you probably know something is wrong. And most malware will not be able to install.

Malware can still do a lot without "installation". Running as an unprivileged user, it can still do anything to/with the filesystem that the user would be able to do, and will (on most normal setups) be able to make outbound Internet connections without limitation. In short, these kinds of privileges don't protect against data exfiltration, ransomware operating on the user's important data files, simple vandalism....

BLKNSLVR

It's still "the length of the street" better than having malware installed as root/admin. Malware in userspace is much easier to both detect and remove for the simple fact it cannot embed itself that deeply into the system (barring nation states leveraging zero days, but that's a few levels above 'regular consumer' advice).

This method has saved me (my parents) more than a couple of times.

Melatonic

This is true but defense is a multi-layered approach and even the built-in Microsoft stuff (like Defender AV) has massively improved.

I would argue most malware comes down to uneducated users doing the wrong thing - but that's a whole different can of worms :-)

cube00

> I would argue most malware comes down to uneducated users doing the wrong thing

This feels unnecessarily harsh. Those users are the victims of criminal activity. The protective controls could be a lot better.

Windows doesn't offer immutable local file versions to protect against ransomware running as a non-privileged user. It doesn't offer any protection if a single application suddenly starts to overwrite huge amounts of data.

Instead they choose to try and shove OneDrive down our throats as the only answer to ransomware protection.

mlyle

It's still a big win because it prevents subverting the underlying system. Logs still tell the truth. Security software keeps running. The damage can be inspected with the operating system's tools.

EvanAnderson

> The best anti malware on any version of windows has always been to make your default account you use everyday a non admin account.

In the early 2000s up thru about 2012 I'd agree with you. Post-Vista malware adapted to UAC and now all malware works well as a normal user. Any data your normal user can access (local or on a remote CIFS server) is fair game for ransomware. Limiting administrator rights doesn't do anything to prevent the malware from getting at your data.

Persistence has moved to per-user, non-Administrator, too. Of course, all the various quasi-malicious customized versions of Chrome that end users inevitably install when they go searching for software to end-run their IT departments operate the same way.

I do think your daily driver Windows users shouldn't have administrator rights. It just isn't going to help much with malware.

I use physically separate boxes for my most sensitive activities (banking, mainly) but you could do nearly as well having separate non-admin Windows logons and compartmentalize your access to data you don't want ransomed. Isolation between different user accounts on Windows is actually fairly good. Just limit the common data the accounts can access.

Personally I've always wanted to use Qubes (and stop using physically separate machines) but I haven't taken the time to learn their contrivances.

Edit: I should have said "quasi-malicious customized versions of Chromium", not Chrome.

Melatonic

It will help stop the spread quite a bit however (even if it can access user local data). There's a reason escalation path attacks are still the gold standard (start small and move up).

You can also run something like AppLocker and whitelist all the apps you use.

Also instead of separate physical boxes why not just use a VM?

EvanAnderson

> It will help stop the spread quite a bit however (even if it can access user local data).

Users should be running limited user accounts for daily-driver Windows machines.

Having said that, today's attacks are all about the data. It's all about exfil/ransomware/blackmail because there's money to be had there. On an individual home user PC there's no lateral movement or bigger targets to attack.

I hate to invoke xkcd, but it's true: https://xkcd.com/1200/

> You can also run something like applocker and whitelist all the apps you use.

That's a bit overkill for a personal machine and it won't be licensed for AppLocker anyway.

AppLocker is also a gigantic pain-in-the-ass on corporate machines. My experience with configuring AppLocker for anything other than very task-specific computers is that it's a huge and unending ordeal of whitelisting, trying again, whitelisting more, trying again. Wash, rinse, get complaints from end users, repeat.

> Also instead of separate physical boxes why not just use a VM?

Pragmatism. I have a bunch of extra low-spec laptops laying around. My machines are, for the most part, cast-off Customer garbage. I haven't actually spent money on a reasonable machine since about 2015. >smile<
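As an added example (not from the thread), here is what the AppLocker loop above looks like in practice, started in audit mode so the "whitelist, try again" cycle produces log entries instead of blocked users: a minimal EXE policy with the two path allows that mirror AppLocker's default rules (Program Files and Windows, for Everyone), a check of what that policy decides for a binary dropped under %LOCALAPPDATA% (the per-user location the thread mentions), and the per-application rule generation step. Requires the AppLocker module; enforcing the result additionally needs the Application Identity service and a Windows edition that supports AppLocker. File and directory names are placeholders, and the "dropped" binary is a constructed stand-in.

```powershell
# Added example, not from the thread. Builds an AuditOnly AppLocker EXE policy
# and tests it; nothing is applied unless you run the commented lines at the end.

Import-Module AppLocker

$everyone = 'S-1-1-0'                               # well-known SID for Everyone
$baseline = Join-Path $env:TEMP 'applocker-baseline.xml'

@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description=""
                  UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description=""
                  UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $baseline -Encoding UTF8

# Constructed stand-in for a per-user dropper: a copy of notepad.exe in AppData.
$dropped = Join-Path $env:LOCALAPPDATA 'AppLockerDemo\dropped.exe'
New-Item -ItemType Directory -Path (Split-Path $dropped) -Force | Out-Null
Copy-Item (Join-Path $env:WINDIR 'System32\notepad.exe') $dropped -Force

function Test-Baseline {
    param([string[]]$Paths)
    # PolicyDecision is Allowed, Denied, AllowedByDefault or DeniedByDefault.
    Test-AppLockerPolicy -XmlPolicy $baseline -Path $Paths |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

Test-Baseline -Paths @(
    (Join-Path $env:WINDIR 'System32\notepad.exe'),  # under %WINDIR%: Allowed
    $dropped                                          # same bytes under AppData: DeniedByDefault
)

function New-AllowRulesFor {
    # Publisher rules for signed EXEs, hash rules for unsigned ones, for every
    # EXE under a directory. This is the step that gets repeated per application.
    param([string]$Directory, [string]$OutFile)
    Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Exe |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
        Set-Content -Path $OutFile -Encoding UTF8
}

# To try it on this machine, still audit only:
#   Set-AppLockerPolicy -XmlPolicy $baseline
#   New-AllowRulesFor -Directory "$env:ProgramFiles\SomeApp" -OutFile "$env:TEMP\someapp.xml"
#   Set-AppLockerPolicy -XmlPolicy "$env:TEMP\someapp.xml" -Merge
#   Start-Service AppIDSvc
# Audit hits appear as event 8003 in 'Microsoft-Windows-AppLocker/EXE and DLL'.
```

Two caveats a practitioner would want: the example covers only the Exe collection, so a real policy also needs Script, Windows Installer and (if you can afford the tuning) DLL collections, and the path rules allow anything a user can write under Program Files or Windows, which is why the generated publisher rules, not the path allows, should carry the weight once you move out of audit mode.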

pogue

What are these "quasi-malicious customized versions of Chrome" you're referring to?

EvanAnderson

Edit: I should have said "Chromium", not Chrome. They are repackages of Chromium, usually with functionality to send browsing activity to a third party.

"Wave Browser" is the common one that comes to mind immediately. I have several flagged in the "endpoint security" software I support, though.

The workflow is: (1) User wants some software functionality they don't have, (2) they search-engine using keywords like "convert Word to PDF", (3) they find a program that promises to do the thing they want, (4) they download it and click thru any warnings because they "want the thing", and (5) they end up with persistent per-user malware installed in their "AppData" folder.

Melatonic

Confused by that as well - what version of Chrome can be installed without admin?

dfedbeef

Edge? (joking)

noisem4ker

It sounds like you just described what User Account Control (UAC) has been doing since Windows Vista (2006).

EvanAnderson

There are UAC bypasses. Microsoft has repeatedly stated that UAC isn't actually a security boundary. It's better to run a daily driver account as a limited user and only elevate when you overtly need it. (It's even better to use a separate login, as opposed to "Run As...")

Melatonic

Exactly - UAC is like a poor man's sudo and I never really got the point of it. There is a reason so many people tried to disable it.

Daily driver as limited user should be the Windows default even if it makes usability more confusing.

Lwerewolf

Aren't most UAC bypasses relying on the fact that UAC by default isn't "full sudo" mode - i.e. it allows certain things without prompting?


exiguus

Usually, private individuals are not the target of ransomware attacks by organized criminals. Companies often have to pay a lot more money to get their data back. The Petya ransomware is a good example of this.

Nevertheless, when you are on any machine as an intruder and have normal user rights, you can still actively search the machine and network for admin accounts and steal sessions. The ultimate goal is to gain Domain Admin rights.

Besides that, it is not necessary to have admin rights to delete and encrypt data or to run and hide software.

There are also many ways, besides stealing sessions, to gain admin rights, such as through unpatched software, inappropriate user rights, zero-day exploits, and social engineering.

A common way to get users to install malware or ransomware is to bundle it with useful software that the user wants to install.

Aachen

https://xkcd.com/1200/

It feels bad to post a link-only response but I really don't have anything to add to it. On a system used by multiple persons, sure, you help prevent that a compromise on sister's account immediately impacts mom's and dad's accounts, but that qualification isn't in the comment and probably most computers that HN readers use are single user. Or on a server, dropping privileges speaks for itself. But if you're on a desktop and you do online banking in your browser and also open email attachments on that computer... Not being admin would only help clean up the situation without needing to make a live boot (namely, you could theoretically trust the admin user and switch to that) but this isn't recommended practice anyway if you're not a malware specialist and can make sure it is fully gone. I cannot think of any situation where a single user desktop system benefits from admin privilege separation

So basically, what the comic conveys

> The best anti malware

Not being admin doesn't prevent malware from running and gaining persistence within your user account...

Melatonic

Most malware I've commonly seen on individuals' computers (like the grandma example) comes about when they want to install something and use an installer that has it bundled with legit software. Or they visit a site that's a shady copy of a legit one.

seb1204

So the mum or grandpa should also use an admin account to execute the file they just downloaded?

eestrada

The best anti-malware on any version of Windows has always been to not run Windows.

fortran77

We're all very impressed that you're such a 1337 h4x0r that you run Arch Linux and not Windo$e.

See also

https://www.sentinelone.com/blog/macos-notlockbit-evolving-r...

and

https://blog.sekoia.io/helldown-ransomware-an-overview-of-th...

kevingadd

Unfortunately a lot of modern software triggers UAC popups now. Games (for anticheat and/or network connectivity), development tools (for network connectivity or debugging), updaters for stuff that live-updates like Electron apps, etc.


fracus

The title alone is hilarious because it obviously implies, probably correctly so, that most ransomware comes from Russia.

grishka

As a Russian who removed "winlockers" from so many of my not-so-tech-literate schoolmates' computers in the late 00s, I disagree :D

But those weren't as sophisticated, I suppose. They didn't encrypt files. They only displayed an uncloseable window demanding a payment. Sometimes with hilarious phrasing like "thank you for installing this quick access widget for our adult website".

zzo38computer

If they change it, will they make it check the time zone as well as the keyboard layout (and possibly others)?

amelius

So wouldn't the next step in this cat and mouse game be that they check if the keyboard is actually being used?

pogue

I wonder if this is still actually the case after Brian Krebs announced it to the world in 2021.

throwaway48476

It has always been this way and will continue to be. Russia along with North Korea consider ransomware to be legitimate economic activity. It's part of their hybrid warfare strategy.

MangoToupe

That doesn't really say much about the specific behavior of using a Russian keyboard as a signal.

antonymoose

It is a fail-fast strategy to avoid internal prosecution for accidental attacks on fellow citizens.

0manrho

Well yeah, because that's not what the person they were replying to was asking about. They were asking a "when" question of sorts, tangential to the root topic, not a why.

NoOn3

I don't think this is done on purpose at the state level in Russia or China. It's just that sometimes governments don't pay attention to those who do it if this is done in relation to somehow unfriendly countries. But the US also uses hacking for hostile purposes. For example, Stuxnet and some other cases. Yes, it's not ransomware, but the difference is not that huge. Western-backed countries like Ukraine are also doing the same. Anyway, just use Linux and you'll be fine for a while.

throwaway48476

When Russia arrests a hacker they're turned over to the GRU and told who to target. Western governments use hacking for intelligence gathering not economic warfare. The ochko123 fraudster was very connected with the Russian government, it's state policy.

No, just using Linux doesn't make you safe.

KnuthIsGod

The presence of a Russian keyboard makes it attractive to NSA malware.

v5v3

Russia, China etc. ban Windows from any military or sensitive government employee machines. They use their own Linux distros.

gmargari

2021

e_y_

I wonder if Ukraine has been removed from the exclusion list since then. A quick Google search says that the keyboard layouts are different from Russian keyboards.

Melatonic

I was thinking the same thing.

Seems like the safest would be standard Russian keyboard layout (or maybe just adding the reg keys mentioned)

Also makes me wonder if installing a specific Chinese keyboard could have the same effect (for Chinese-made ransomware or maybe even North Korean). Or perhaps they do other checks?
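As an added example (not code from the thread or from the linked article): how any process on Windows enumerates the installed input locales, the registry list the "reg keys" remark above refers to, and how to add the Russian layout for the current user. The only fixed values assumed are the Windows LANGID for Russian, 0x0419, and its default keyboard layout identifier 00000419; the cmdlets are from the built-in International module and the registry path is where Windows keeps the per-user preload list.

```powershell
# Added example, not from the thread. (1) Enumerate installed input locales via
# GetKeyboardLayoutList (user32.dll), the same call a process can make before
# deciding whether to run; (2) read the per-user preload list from the registry;
# (3) add ru-RU for the current user. LANGID 0x0419 / KLID 00000419 = Russian.

Add-Type -Namespace Win32 -Name Kbd -MemberDefinition @'
[DllImport("user32.dll")]
public static extern int GetKeyboardLayoutList(int nBuff, [Out] IntPtr[] lpList);
'@

function Get-InstalledLangIds {
    # Each HKL's low 16 bits carry the language identifier (LANGID).
    $count = [Win32.Kbd]::GetKeyboardLayoutList(0, $null)   # first call: just the count
    $hkls  = New-Object IntPtr[] $count
    [void][Win32.Kbd]::GetKeyboardLayoutList($count, $hkls)
    foreach ($h in $hkls) { $h.ToInt64() -band 0xFFFF }
}

function Get-PreloadedKlids {
    # The same set as persisted by Windows: values "1", "2", ... holding KLIDs such as 00000409.
    $key = Get-Item 'HKCU:\Keyboard Layout\Preload'
    foreach ($name in $key.GetValueNames()) { $key.GetValue($name) }
}

function Test-RussianLayoutInstalled {
    ((Get-InstalledLangIds) -contains 0x0419) -or ((Get-PreloadedKlids) -contains '00000419')
}

function Add-RussianLayout {
    # Appends ru-RU, whose default input method is the 00000419 layout.
    $list = Get-WinUserLanguageList
    if ($list.LanguageTag -notcontains 'ru-RU') {
        $list.Add('ru-RU')
        Set-WinUserLanguageList -LanguageList $list -Force
    }
}

'Installed LANGIDs: ' + ((Get-InstalledLangIds | ForEach-Object { '0x{0:X4}' -f $_ }) -join ', ')
'Preloaded KLIDs:   ' + ((Get-PreloadedKlids) -join ', ')
'Russian layout present: ' + (Test-RussianLayoutInstalled)
# Add-RussianLayout    # uncomment to add it; sign out and back in so the HKL list reflects the change
```

Two practical notes. The day-to-day cost is that the layout switcher (Win+Space, and Left Alt+Shift by default) becomes live, so an accidental switch into Cyrillic is the usual symptom. And, as other comments in the thread point out, this only changes the layout list: time zone, UI language and whether the layout is ever used are separate signals, and a strain that checks those is unaffected.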

bozhark

Could check month/date/time formats

v5v3

Syria may get removed soon, seeing as it is now a USA-aligned country.

Razengan

I KNEW keeping a Russian keyboard to type ( ;´Д`) would have practical uses!

culebron21

You may also want to use хД (Russian for xD)

grishka

лол)))))))