Many ransomware strains will abort if they detect a Russian keyboard installed (2021)

Russian-keyboard checks & legal context

  • Commenters generally believe many ransomware families still avoid systems with Russian (and other CIS) keyboard layouts installed, despite the publicity the check has received.
  • Motive is seen as legal/safety: Russian-speaking gangs are tolerated while attacking foreigners, but risk serious trouble if they hit domestic targets.
  • The keyboard layout is a cheap “fail-fast” heuristic that works offline and is harder to spoof than IP geolocation or time zone; typical implementations just read installed layouts from the registry.
  • Some note earlier ransomware also excluded Ukraine and other ex‑USSR locales; others wonder if geopolitical shifts (e.g., Ukraine, Syria) changed those lists, but this remains unclear.
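To make the heuristic in the third bullet concrete from an audit angle, the following is an added example (not code from the discussion or from any ransomware sample) that decodes the keyboard layout identifiers (KLIDs) stored under `HKCU\Keyboard Layout\Preload` and reports which installed layouts a "Russian/CIS layout" check would match. The KLID format (8 hex digits whose low 16 bits are the Windows LANGID, whose low 10 bits are the primary language) is from winnt.h; the set of CIS primary-language IDs and the sample Preload export are constructed assumptions, since the thread does not say which languages any given family checks.

```python
"""Audit which installed Windows keyboard layouts fall under the
'Russian / CIS keyboard layout' heuristic discussed above.

Added example, not code from the discussion. The CIS language set below is
an illustrative assumption; SAMPLE_PRELOAD is a constructed registry export.
"""
import sys

# Windows primary-language IDs (low 10 bits of a LANGID), per winnt.h.
# Which of these a particular ransomware family checks is an assumption.
CIS_PRIMARY_LANGS = {
    0x19: "Russian",
    0x22: "Ukrainian",
    0x23: "Belarusian",
    0x28: "Tajik",
    0x2B: "Armenian",
    0x2C: "Azerbaijani",
    0x37: "Georgian",
    0x3F: "Kazakh",
    0x40: "Kyrgyz",
    0x43: "Uzbek",
}

# Constructed sample of HKCU\Keyboard Layout\Preload: value name -> KLID string.
SAMPLE_PRELOAD = {
    "1": "00000409",  # US English
    "2": "00000419",  # Russian
    "3": "00010419",  # Russian (Typewriter): same LANGID, different layout
    "4": "00000407",  # German
    "5": "notahex!",  # deliberately malformed, to show error handling
}


def parse_klid(klid: str) -> tuple[int, int]:
    """Split an 8-hex-digit KLID into (langid, primary_language_id).

    The low 16 bits of the KLID are the LANGID; the low 10 bits of the
    LANGID are the primary language (PRIMARYLANGID in winnt.h).
    """
    klid = klid.strip()
    if len(klid) != 8:
        raise ValueError(f"KLID must be 8 hex digits: {klid!r}")
    value = int(klid, 16)  # raises ValueError on non-hex input
    langid = value & 0xFFFF
    return langid, langid & 0x3FF


def classify_layouts(preload: dict[str, str]) -> list[dict]:
    """Return one record per Preload value, flagging CIS-language layouts.

    Malformed values are kept in the output with an 'error' field rather
    than aborting the audit, so a damaged registry export is still reported.
    """
    records = []
    for name in sorted(preload, key=lambda n: int(n) if n.isdigit() else 0):
        klid = preload[name]
        try:
            langid, primary = parse_klid(klid)
        except ValueError as exc:
            records.append({"slot": name, "klid": klid, "langid": None,
                            "language": None, "cis": False, "error": str(exc)})
            continue
        language = CIS_PRIMARY_LANGS.get(primary)
        records.append({"slot": name, "klid": klid, "langid": langid,
                        "language": language, "cis": language is not None,
                        "error": None})
    return records


def has_cis_layout(preload: dict[str, str]) -> bool:
    """True if any well-formed installed layout uses a CIS primary language."""
    return any(r["cis"] for r in classify_layouts(preload))


def read_preload_from_registry() -> dict[str, str]:
    """Read the live Preload key for the current user (Windows only)."""
    import winreg  # stdlib module that exists only on Windows
    result = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Keyboard Layout\Preload") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            result[name] = str(data)
            index += 1
    return result


if __name__ == "__main__":
    # On Windows, audit the real key; elsewhere, run over the constructed sample.
    source = read_preload_from_registry() if sys.platform == "win32" else SAMPLE_PRELOAD
    for rec in classify_layouts(source):
        status = rec["error"] or (rec["language"] or "non-CIS")
        print(f"slot {rec['slot']}: {rec['klid']} -> {status}")
    print("matches CIS heuristic:", has_cis_layout(source))
```

Run on a Windows host it lists the user's actual Preload values; elsewhere it runs over the constructed sample. Note the two Russian entries share a LANGID despite different KLIDs, which is why a check keyed on the language bits rather than the full KLID also catches variant layouts such as the typewriter one.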

Why this heuristic vs others

  • Alternatives discussed: OS UI language, locale, browser history, time zone, IP geolocation. Each has drawbacks (bilingual UIs, VPNs, dynamic IP ranges).
  • Keyboard layout is viewed as simple, stable, and broad; it captures many Russian speakers who keep UIs in English.
  • A few suggest next steps in the “cat and mouse” would be checking which layout is actively used or combining multiple signals.

Sandbox/VM evasion tricks

  • Separately from the “Russian keyboard” trick, many malware strains detect virtual machines or sandboxes (e.g., VirtualBox strings, low core count, small disks, debuggers) and abort.
  • Some propose making a real machine look like a sandbox or installing tools like Ghidra to scare off malware; others argue this is brittle and less useful than hardening and monitoring.

Windows security practices & limits

  • Strong support for running daily activities as a non‑admin user with separate admin credentials, especially in corporate environments, to limit lateral movement and credential theft.
  • Counterpoint: modern ransomware often runs fine as a regular user, encrypting all accessible data and persisting in user space; non‑admin status doesn’t prevent exfiltration.
  • Defense-in-depth suggestions include: frequent offline/backed‑up snapshots, application whitelisting, sandboxing (e.g., firejail), and OS‑level compartmentalization (e.g., Qubes OS).

OS choice debates

  • Some advocate “just use Linux” for reduced targeting and repository‑based software distribution; critics reply that Linux’s core security model isn’t magic and user data remains vulnerable.
  • Usability tradeoffs and gaming/anticheat support are major reasons many still keep Windows; others prefer macOS or multiple machines/VMs for compartmentalization.

Attribution & false flags

  • One thread questions how confidently attacks can be attributed to “Russians” given that TTPs and code can be copied.
  • Participants acknowledge that mimicking known groups is straightforward, so technical indicators alone can be misleading without broader context.