Cyber extortion gangs target only certain parts of the world as part of geopolitical strategy

In early May 2021, Colonial Pipeline, one of the largest private fuel pipelines on the eastern coast of the USA, was attacked by malicious attackers demanding ransomware for decrypting the data which was targeted.  This attacked paralyzed the fuel supply and caused panic among citizens to store the gas supply. 

A ransomware attack is not uncommon nowadays, as a spate of attacks on large corporations has happened recently. The main issue was this attack snowballed into a diplomatic crisis between the US and Russia as the attackers were known to originate from Russia, and the general view was that the Russian government was protecting these cyberattacks. 

The Russian Buffer

One of the notorious hackers from Russia, DarkSide, has been involved in many ransomware attacks, either doing it themselves or selling ransomware hacking tools to others. This is a professional group with a website and help desk and keeps its communication channel open from victims for negotiating ransom money. This group avoids attacking any computer system set in the Russian language, and past track record shows that it does not target erstwhile soviet states or commonwealth countries with friendly relations with Russia. In fact, it has hard-coded countries where it does not install its malware.  For example, countries have been coded, like Russian-419 or Ukranian-422, etc. This coding is done so that whenever malware will target a system, they will check the presence of these codes. If found, they exit and do not install.   

However, this approach is not foolproof as there is no guarantee that these codes or use of the Russian language will safely guard a windows computer safe from Darkside malware.   There is a high possibility of Darkside also connected to REvil, another ransomware attacker which recently attacked JBS, the largest beef producer in the US. This is evident from both groups having kept friendly countries like Syria out of any attack. After the JBS expose of REvil, Darkside announced that it was closing down as its bitcoins and servers were seized, showing the connection between the two groups. 

The covid pandemic has led to cyber attackers becoming active. Most systems became vulnerable due to engineers and systems operating from home with insufficient cybersecurity for their home systems. 

According to cybersecurity firm KrebsOnSecurity, malware originating from Russia simply does not install in a computer that has virtual keyboards installed in the Russian or Ukrainian language. This does not mean that keeping any of these languages in a system will safeguard as malware generally does not care about countries to whom the system belongs. Therefore, it is prudent to adopt the system's in-depth cyber defense and avoid risky online behavior. 

The modus operandi of ransomware attackers is to target large corporations. Earlier it was limited to IT or banking systems where data theft was the main objective.  Going forward, this malicious activity went one step ahead and started targeting retail food supply chains and then the fuel pipeline. They encrypted the data, which is vital for the supply chain logistics of the crucial commodities that led to the breakdown of the system and causing panic everywhere. 

The standoff 

The war of words between Russia and the US escalated. The US accused Russia of acting as a protective haven for hackers by tolerating their activities as long as they were directed outside Russia. USA and allies believe Russia appears to be the base for DarkSide and REvil, the cybercriminal groups linked to recent high-profile ransomware attacks on Colonial Pipeline and U.S. operations of JBS, a Brazil-based company world's largest meat supplier. 

While this sort of attack from non-state actors can be construed as an act of war, attackers quickly made a disclaimer that they are not involved or do not want to indulge in geopolitics. Their main aim was to make money. DarkSide and its other affiliates have barred their associates from installing malicious software on computers in many friendly Eastern European countries, including Ukraine and Russia. This strategy has been there since its inception with the intention to minimize scrutiny and interference from local authorities.

Russian authorities generally do not conduct a cybercrime investigation against one of their hackers unless anyone within the country files an official complaint as a victim. This allows hackers to ensure that no affiliates can produce victims in their own countries and an easy way out for attackers like DarkSide to avoid law agencies in Russia. 

Measures defend against attacks

Anti-virus and security firms feel that adding entries to the Windows registry specify that the system runs as a virtual machine (VM). This can deter malware authors who configure their malware to quit installing if it detects it is running in a virtual environment. Many organizations have already migrated to virtual environments. Even the ransomware we see now is running on VMs.

The other way is adding organizations with a language from the CIS country list or adding a Russian language reference in the specific Windows registry keys that are checked by malware. The script allows a Windows PC to look like it has a Russian keyboard installed without actually downloading the added script libraries from Microsoft.

Changing a specific registry entry to 'RU,' a short form for the Russian language, or installing a Cyrillic keyboard might be sufficient to convince malware that the system is Russian and, therefore, should not be targeted. This can technically be considered a 'vaccine' against Russian malware, though it is not foolproof. Many people are using this method which may protect them in the short term. The choice then is on the hackers, who in the long run will feel the pinch. They have to choose whether they want to risk losing legal protections in Russia or go ahead and risk losing income in case there is a complaint. 

Conclusion 

The uproar on the recent attack led to DarkSide saying that closing down their operations as their only aim was to make money and not cause social upheavals. They also committed to ensuring that their partners in crime check whether any future attack on their targeted organization will have social consequences.  This statement is itself ambiguous as, on the side, they say they are shutting shop. On the other hand, they want their associates to pick and choose targets. This indicates that cyber masterminds like DarkSide will spring up again after some time under a new identity when things cool down.