Try This One Weird Trick Russian Hackers Hate (krebsonsecurity.com)
604 points by todsacerdoti on May 17, 2021 | hide | past | favorite | 278 comments



In the 90s I used to make money off shareware, and every time I released a new version hackers would release "cracks" for the license key. Eventually I figured out that these cracks were coming from Russia.

In the next version of my program, I added a check for system language, and if I detect Russian then I bypass the license key checks, and the program is free to use. This stopped hackers from releasing cracks.


Hah, it reminds me of a shareware program that had two options for registration: one required you to pay some dollars to get a registration code, and the other, labeled as a licence for CIS countries (https://en.wikipedia.org/wiki/Commonwealth_of_Independent_St...), simply required you to enter the name of the current day of the week in the Russian Cyrillic alphabet.


I believe it's not related. When the shareware model was popular, a lot of the programs made by developers from ex-USSR republics were either free or sold at a significantly lower price to native speakers, so such tests were common. (I've seen Russian folk riddles as tests, for example.) The developers were doing this because they were keenly aware of the economic situation in their home countries, and because the software would have been pirated anyway. So there was less incentive for Russian speakers to crack it, as it was free for them. It was a completely different time as well; nobody was thinking about legal action.


Not sure why this is downvoted. An ex-USSR license was very common in shareware whose authors were themselves from the region. WinRAR and FAR are examples, but there are certainly more.


Maybe because it claims "they are unrelated" and then spends some time describing the relation? That is, between cracking shareware and its language filter to avoid said cracking.


And I think what the comment meant was: the special license was driven more by consideration of the fellow countryman's economic situation than by appeasement of crackers. In reality it was probably a bit of both.


> I believe it's not related.

Not related to what? Law enforcement risks are probably not related. Discouraging piracy outside of Russia, more likely related.


I believe I saw it in the FAR file manager.


The earliest I've seen this trick was in Far Manager [1], back when it was a commercial software.

Made by Eugene Roshal, the author of the RAR format and WinRAR, the Far Manager distribution included a text file in Russian that explained how a comrade could do a full unlock in 2 easy steps. Don't know if it helped with sales, but I don't think it actually solved the cracking problem, because Roshal ended up open sourcing it despite it having a very sizeable following.

[1] https://en.wikipedia.org/wiki/Far_Manager


I used to sell a lot of shareware software, priced around $15. For Russians it was much cheaper: 200 RUR, sent by postal mail transfer to my grandma who still lived in Russia. She got a small stream of income from it (negligible by USA standards), to augment the laughable pension.


What an absolutely awesome idea! Sacrificing a (probably negligible from a western perspective) income stream to help your grandmother and help your countrymen simultaneously. Plus, avoids fees from sending money back to your grandmother; and any dollar that middleman remittance companies don't get is a net positive for the world.


That's smart and sweet at the same time.


This is some two-step thinking, which is not the default mode for most humans AFAIK. The "Russians won't pay for this, but that means there won't be a crack for the rest" line of thought seems like an easy insight, but it's not IMO.


Am Russian. This made me smile.


[flagged]


Piracy is not a theft because it doesn't deprive anyone of anything.


Yep. People are surprised when I say things like this as a software developer.

I'm paid to create software, not for copies of software. The difference is subtle but very important.

Copyright: literally the right to copy, as if monks haven't been copying books by hand since writing existed - and "Imaginary Property" - a concept invented so they can pretend information is scarce so needs to be owned and hoarded - were invented by lawyers, for the exclusive benefit of lawyers and the people who can afford lawyers, which is to say those already rich in actual scarce resources, as a means to extract value from the working class.

Humans, and future humans are the most valuable potential resource we possess as a species within a universe that is harsh and unforgiving with terrifying real scarcity. And in all my reading, and searching of the heavens and space as far as we can see according to astronomers including the SETI project, there are no gods, and not even any more advanced civilizations to help us. So to me, the idea that we came up with ways to enforce artificial scarcity of information which could save us from eventual extinction is baffling to me. When someone says "we need copyright" I hear "I hate humanity and want it to die". What if copyright turns out to be the Great Filter?


Any law only works if the majority of the population is on board with it. Especially when breaking it doesn't result in any damage. (Lost profits off of potentially selling an imaginary right to a particular sequence of bits aren't damage.) Copyright simply doesn't work because most people either don't care or are actively against it. Marijuana prohibition doesn't work either for the same exact reason.

Now, I would respect copyright, but only if two things change. First, it should last no more than 3 years for creative works and the term should be dependent on the field for patents. Second, it should not be transferable.

> and not even any more advanced civilizations to help us

I think there are other civilizations. The universe is unimaginably immense, it's very much improbable that there aren't other planets with life. And, we can't completely disregard the idea that we aren't the first advanced civilization on earth.

> What if copyright turns out to be the Great Filter?

That's unlikely. My bet would be that there are other intelligent civilizations, they're more advanced than us, and they're watching us waiting for us to discover something before allowing any contact. That could be the origin of life, or the theory of everything, or a free/extremely efficient energy source, or some kind of spaceship engine that would allow faster than light travel, or any number of things really. It might be something social, but probably not copyright — world peace maybe? Or some entirely novel type of economy that benefits everyone instead of making the richest even richer and everyone else miserable?


It deprives you of future work from the developer. Costs are real even if they're not marginal costs.


Non sequitur. Many developers have and always will contribute for free to open source projects and freeware.


Sure, and other developers want to get paid for their contributions, so they use copyrights. Pirating those pieces of software is only not theft in the narrow sense of not literally taking an object that can only belong to one person. But it's clearly breaking some sort of agreement of exchange that the creator tried to build into this process, which is somewhat immoral.

That's not to say that every copyright is good or makes sense, but blanket statements like "piracy is not theft" are either so narrowly scoped to be useless ("it's not theft, it's some other unethical action") or ... wrong?


The summary meme for this argument tree can be found here: https://twitter.com/Tata_Boj/status/1256665190583672832?s=20


And you’re not pirating when you’re using those projects.


Is this really necessary? It's true for every other country.


IBExpert (Firebird GUI) used to have something like this in Cyrillic in Help -> About: "If you can read this, this program is free for use for you. Have a nice day."


It's fair because Russians don't have any means to pay in dollars. That's why they crack.


That was more or less true in the 90s, at least.


I sell open-source hardware and get plenty of sales to Russia and even occasionally China in USD. I think they appreciate the fact I don't charge stupid shipping fees to people in smaller markets.


Russians pay in Rubles, but banks/payment gateways convert them to your currency, so for you Russians will pay in dollars.


Even more amusing -- if Russian, then use a different license scheme.


They would likely notice once they fire up a disassembler or debugger.


Plus, I don’t think anyone in Russia would pay anyways. So it’s not like making it free would lose sales.


>Plus, I don’t think anyone in Russia would pay anyways.

Not in the 90s, that's for sure.

Steam changed this for the games market, though, when they came to the Russian market with local prices.


I wonder if we will see a surge of eastern EU countries cracking again since the EU is banning local pricing in the region.


I have a similar situation: most of my paying customers live in the United States, a few in Europe, and a rare one person outside those areas.

I give away free content, so I don't mind if people use the website, but I have no incentive to create topics specific to (third world) users. They have never paid, and from interactions with them, they can't afford their own lives, let alone buying my products for under $10USD.


> ... from my interactions with them, they can't afford their own lives ...

That's a tad condescending.


Brilliant move. I must admit, I wouldn't have thought of that ... (would be more hellbent on fighting ...).

There's a life lesson in there, I'm sure.


Wow, make them become lazy


This reminds me of one weird trick I use to avoid getting foreign language websites served to me while traveling. I remove en-US in my OS and browsers, and replace it with en-CA, as well as the other languages I speak. A lot of websites and software will see en-US and assume it's "just a default" and then try to serve content in a language determined by your IP or geographical region. But en-CA appears to be an explicit preference, so websites will serve English content instead of defaulting to geographic language detection.


This is the digital version of "flag-jacking", where a traveler pretends to be from another country. In its offline form it's also usually US citizens pretending to be Canadian.


US citizens seem to often do so..

Unrelated, I once on a trip to the US met a group of motorcyclists on modern bikes and with proper, modern safety gear (at the Grand Canyon, I believe). Having never seen this before in the US (outside sports bikers doing it as much as a clothing statement as for safety), I went over and said hi and said this was the first time I had seen this. "We are Canadians," they replied, laughing.


I’m not sure where you’re from in the US but I can tell you many motorcyclists are big into safety gear. Yes it’ll probably be associated with a sports bike because in general people driving hogs are doing that for the statement rather than anything else because the bikes aren’t very good (slow, poor steering, etc). I’ve never known someone on a sports bike to be wearing good safety gear just for the fashion as it’s almost always a worse look.


I was on holiday. I'm not from the States at all but from Scandinavia :)


ATGATT: All the gear, all the time.


On my way to Nova Scotia I passed through New Hampshire and rode without my helmet for a number of minutes. It was more fun than driving without a seatbelt which offers no such novelty--which is more like being on a sportbike with sandals.


I’m glad you made it there noggin intact. Not everyone is so fortunate.


It's more that the organ donor freedom riders vastly outnumber those thinking about safety.


A doctor once told me that helmets are actually good for organ donation because they protect the brain stem just long enough to harvest the organs. Wearing no helmet at all just wastes perfectly good organs that could have been donated.


>organ donor freedom riders

I both cringed and laughed at the same time. Thanks for the (not so pretty) picture in my head!


I remember when this became a "thing" again after 2003-onward when animosity toward the US was running high. I travelled around Europe, the Middle East, and Africa pretty extensively then, staying in hostels or using Couch Surfing (both hosting and surfing).

Never once ran into a fellow American traveler who flag-jacked, although we all would share jokes about doing so, with a wink and a nod. I saw the occasional Canadian flag on a backpack, but from my interactions they were all convincingly Canadian. More often I saw travelers from the world over with flags from all the places they visited on their bags.

I always suspected those Americans who actually flag-jacked were of the breed that visited Western-European capitals via tour-bus, dressed like they were on safari, and loudly compared everything to how it existed "back in the States".


Big caveat is that OP wants to be treated as en-US and people won't believe him. Maybe the analogy is travelers who say they're from the US (or rural farm area, etc) and the person responds "you? no! really?".


I heard that it got so bad that they had to start using UK/Aussie/Kiwi flags because they would be spotted as Americans sporting Canadian flags.


> “Our goal is to make money, and not creating problems for society,” the DarkSide criminals wrote last week

> In a message posted to its victim shaming blog, DarkSide tried to say it was “apolitical” and that it didn’t wish to participate in geopolitics.

Yes but if destabilizing and disrupting a country's computer infra happens as a side-effect, you are still in the game of politics. Being 'apolitical' is paradoxically still being political, since if you are involved with large groups of people, you can't help but be political.


> Imagine being the chief compliance officer at DarkSide. People constantly come to you with crimes, and you are commercial, you are like “sure go ahead do that crime,” but occasionally you have to stop them and say “no the reputational risk of that crime is too great, we can’t do it,” and the sales reps grumble that you are getting in the way of business. Just like at a bank!

https://www.bloomberg.com/opinion/articles/2021-05-11/crypto...


My understanding of organized crime in general is that this is more-or-less what it looks like. Sustainable organized crime finds a niche and stays in it. It ends up like any other large, long-lived business; optimized for its niche, vulnerable to niche disruption, and conservative about branching out because of the risk of compromise to its core competencies.


Definitely, organized crime is just another business. We have this idea that hackers tend to be loose-knit groups of people with more moral objectives. While that may have been true twenty years ago, like all criminal markets, eventually that stopped being the case.


I don't at all believe it's stopped being the case. The demographics of the hacker community have certainly changed, with a higher degree of polarization between corporate/fed white hats (e.g. people like Mudge) and criminal black hats, but you still have some grey hat vigilantes in the middle like Janit0r, who wrote BrickerBot that went around bricking open IoT devices so that they wouldn't fall prey to Mirai.


It was never like that. If you look at those people's actions, a high moral objective was a super rare thing.

Case in point: I remember people glorifying weev, making him sound like a good guy and making his detractors sound like liars. Turned out differently.


This was a major plot point of the Godfather. Don Corleone wants to stay out of drugs to keep their reputation with police and politicians.


We can stop all ransomware by making it too expensive for reasonable people to do business by killing anyone we find creating the software anywhere in the world.


Fundamentally, DS doesn't want to break anything, they just want to scare people into paying their "tax".

They are thieves who just want money from people who can afford it.

It's still wrong and side-effect heavy, of course.


That's what they claim, how would we know it's true? It's the word of the extortionists, there is no reason we should just believe them.

Governments in certain countries obviously tolerate this sort of hacking, if not outright support it. If you wanted to destabilize the US without directly starting a war, wouldn't that be a good way to go about it?


There's a good chance that you're failing to properly intuit their motivations. If it really is an organization that is out to make money, then it wouldn't want to destabilize a country like the US in the first place, any more than a dairy farmer wants to destabilize the health of a cow.

It might happen accidentally, as an unintentional side effect of efforts to extract a greater yield. (e.g, Colonial Pipeline.) But nobody wants to actually wreck the source of their livelihood.

And I don't think we have any reason to infer any other motive. This is certainly well outside my area of expertise, but their pattern of behavior doesn't really say, "state actor," to me.


> their pattern of behavior doesn't really say, "state actor," to me.

This is the fascinating thing about Russian hackers to me. Maybe sometimes political favors change hands, but ultimately they're autonomous, self-funding, self-training, completely deniable assets. IMO Russia's brilliant in how they've managed their offensive hacking assets.


The downside is that this approach seems to only be available to nation-states that aren't particularly governed by rule of law.


Wait, that was supposed to be a downside?


> ultimately they're autonomous, self-funding, self-training, completely deniable assets

You could say the same for Afghanistan 20 years ago, but plausible deniability will only go so far..

If these hackers eventually end up hurting a lot of people, then who knows what happens next?


Well, exactly. The gang in question rather publicly issued a mea culpa and said they will be taking steps to make sure that doesn't happen again specifically because they're worried about that. I doubt things would ever progress as far as Afghanistan, but I'm sure they're thinking that their government might not continue to let them do their thing if the specter of international sanctions should arise.


It is, but ... do you really think, China or Russia really want the US to be destabilized even further?

A US falling apart for real, would be bad for Russia as well as China. And vice versa. Because desperate people tend to do desperate actions - not a good thing with so many nukes involved.

So I also think it is likely that at least some Russian hacker groups have direct or indirect links to the FSB, and have to work for them occasionally - but most of them probably have indeed their own pocket as the main motivator.


> not a good thing with so many nukes involved.

We don't even need to go that far. A collapsing US would take down most of the world's financial system with it. In a place like Russia, where rich people with global financial holdings call the shots, that's not something they'd likely get behind.


> In a place like Russia, where rich people with global financial holdings call the shots

So, pretty much like any other place, then?


I’m just guessing here but I imagine it’s like how certain groups in South America refrain from kidnapping/violence on large tourist destinations. These groups don’t exist to be evil they exist to make money and bringing the weight of powerful nation states (the US) on you is bad for business.


Additionally, you can presumably make more money by selling drugs to tourists in Cancún than by kidnapping them.


"In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country’s borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies."

From the article. So I guess it is the same principle.


That may be the current goal. If I'm going to get into organized crime, I'm not going to start by walking into the local FBI building and try and buy off everyone.

You start small, learn, grow, expand, and after you've gained sufficient resources and the power that comes with that, then you get to do more.

> In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country’s borders files an official complaint as a victim.

Coincidence? Maybe at the start of organized technology crime, but not now.


Kaspersky (if you trust them) said this attack could have been a group within the CIA (known as UMBRAGE). My take is, why not? With the lackluster response from the current administration and the convenient events that followed, Darkside disbanding, their servers and shitcoin seized, etc., would it be that big of a surprise if it was one of our Alphabet Organizations, those same organizations that spy on the American public?


> My take is why not?

Because of the `Russian Razor` principle:

    It wasn't Russia

    There's no way it was the Russians

    It was the Russians


It pains me how close this is to a haiku


"There's no way it was Russia" should do it.


No kireji, no kigo, not even close.


You think a US federal institution would attack a major US company and cause suffering to large swaths of the population, just cause?


Not the parent, but yes, I do think they would, if they had a good enough reason. And that reason might not be readily apparent to us here.

I don't think that was the case here, but... yeah.


you are correct in as much as the reason isn't apparent


I dunno, that's a whole new level of tiger-teaming your own side. I don't think this kind of thing meets the whitehat community's ethical standards.


I think so. They sold tens of millions' worth of cocaine to Americans to fund a war in Nicaragua.


>“Our goal is to make money, and not creating problems for society,”

I think the issue is people read that then add their own meaning to it, and then react to that instead of what was actually said. What they didn't say that people add of their own volition seems to be "and we're not evil", "and we're not criminals", "and we're the good guys". They didn't say those things. Their goal is to make money. That doesn't mean they think they're doing good in the world or innocent.

And 'apolitical' just means they're not choosing targets for political reasons, not that they're paragons of virtue or anything.

And to be clear, I'm not defending them, just observing the reactions to this. People seem desperate for there to be black and white morality decisions when everything is a shade of grey.


> >“Our goal is to make money, and not creating problems for society,”

> What they didn't say that people add of their own volition seems to be "and we're not evil", "and we're not criminals", "and we're the good guys". They didn't say those things. Their goal is to make money. That doesn't mean they think they're doing good in the world or innocent.

What's funny about their statement is that it's such an obvious lie. They make money by creating problems for society; that's what they demand ransom for, removing the problem they created.

Bit funny how people read all kinds of stuff into their statement, but nobody so far has pointed out this discrepancy in what it actually says.


Perhaps they didn't count on their target's profit motive being so strong that the pipeline owners were willing to cause fuel shortages and panic hoarding because they wouldn't be able to add the dollars and cents while sorting out their response.


Or they didn't understand the degree of consolidation in the industry. It's quite possible they hit the pipeline operators without understanding the level of service outage they would cause.


Antifragility advocates might say the occasional ransomware attack on infrastructure could be a good thing, in the long run, if it promotes a more resilient, less just-in-time based economy. Like Amazon's chaos monkey, but for whole economic sectors.


Good comment about this very thing here: https://news.ycombinator.com/item?id=27099862

> It's just a variation of the Normalization of Deviance. See this[1] short talk by Richard Cook for a very good explanation of the mechanism that causes the transition from "robust" to "superfluous".

[1] https://www.youtube.com/watch?v=PGLYEDpNu60


The chaos monkey(1) originated at Netflix.

1. https://netflix.github.io/chaosmonkey/


Just in time is good for the economy, however like everything else there are downsides that need to be managed.


Supposedly they paid it, but the provided decryption routine was so incredibly slow that they realized it was faster to restore from backup.

Not sure how that works, but that's what I read.


That doesn't make much sense; if they had adequate backups and could restore from them without getting the decryption key or code, why would they pay?


(Caveat: I know absolutely nothing about this particular situation)

Paying would make sense because if there was a vulnerability uncovered by the initial exploit (that is, account information compromised by the initial phishing attempt) then it is perfectly possible that the restored version will be easily exploitable by the same group.

I remember this being the case back in SQL Slammer days -- you could restore from backup but your backup would be infected within minutes.


Modern ransomware teams also threaten to leak your data onto the public internet unless you pay.


Free decryption, you mean ;)


Two possibilities: They knew restoring from backups is slow, so they wanted a shortcut. They knew there was data (ie from the day of the attack) not in the backups. Take your pick - or not, I have no idea if the claim is even true.


I'm not 100% on this, but my understanding is that it was worthwhile due to the vast amount of money involved in the oil industry and the projected time to restore from backup.


What they mean, of course, is they don't want to poop in the same place they eat.

It's not geopolitics if the victim lacks the will or technical firepower to punish the offender, right? ;)


Even if they only cyberlockered private individuals and/or small businesses, they'd still be "creating problems for society".


Both you and this blog seem to be doing a pedantic unbundling of the choice of the word "apolitical".

To me, the most important aspect of this article is that you can make people think you are a Russian hacker signed off by Putin himself by adding these Commonwealth of Independent State checks to your code.


> you can make people think you are a Russian hacker signed off by Putin himself by adding these Commonwealth of Independent State checks to your code.

Reminds me of:

> Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a card that you filled in with your address, and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail. I replied: "What's really interesting is that these people will send a tube of live ants to anyone you tell them to." -- https://www.schneier.com/blog/archives/2008/03/the_security_...


It's hard to take this seriously when the author tries to make big points about geopolitics and then claims that Georgia or Ukraine have "favorable relations" with the Kremlin (those countries are literally at war with Russia). Not to mention them not knowing basic facts like Moldova and Romania being in fact 2 separate independent countries.


Having spent considerable time in both Georgia and Ukraine, I can tell you that the news that gets to western media misses out all the nuances of reality. In both countries there are substantial groups of people who want to ally with Russia. The "Russia is invading our country" narrative is only held by some.


I don't think it's missed at all. I think it's pretty well known by most people that the Russians who were moved into Ukraine and Georgia while under the USSR blanket are still loyal to Russia. That's exactly why they were moved there in the first place. The Tatars were moved out (of Ukraine) in order to ensure loyalty to the USSR.

https://en.wikipedia.org/wiki/Population_transfer_in_the_Sov...

https://www.wilsoncenter.org/publication/why-did-russia-give...


He also cites Romania as having a particularly great relationship with Russia, which is neither true (they're in NATO and the EU and mostly West focused) nor relevant (the Romanian keyboard layout wasn't even listed, only the Moldovan variety).

We can choose to assume that he omitted the nuance you're adding (eg for brevity), or that he has no clue. I'd say most evidence points to the latter. Which is sad because I often enjoy his blog a lot.


> (the Romanian keyboard layout wasn't even listed, only the Moldovan variety).

This makes sense. Moldova, like the Ukraine, has a significant portion of the population that identifies as Russian. Romania does not.


Yes it does, but it looks to me like Krebs read "Romanian" in the list of keyboard layouts, skimmed over the "(Moldova)" part and assumed that that means Romania and Russia are BFFs.


Which is a shame, but can we really expect everyone to be up on all the various nuances of geopolitics? It's an unfortunate error, but I think an understandable one, and it doesn't undercut the point of the article.


> The "Russia is invading our country" narrative is only held by some.

Polls say about 2/3 think that the war in the east of Ukraine is with Russia (and not with independent separatists).

The "We must ally with Russia" belief is only held by some.

In any case, even what you described would be far from "favorable relations". This quote only shows the author's ignorance.


>The "Russia is invading our country" narrative is only held by some

Yeah. Non-ethnic Russians.


> The "Russia is invading our country" narrative is only held by some.

Mainly those that believe in concepts such as 'borders' and 'sovereignty'

You might personally feel that those residents welcomed foreign troops with open arms, but it's not a narrative that Russian forces crossed Ukraine's border to annex territory that didn't belong to it.


One nuance of reality in the Western world is that the 3 latter agencies have a tendency to perpetrate crimes & blame the Russians or Saddam or Gaddafi or the Syrians or White Supremacy or the fall guy du jour.

The "weird trick" or "see something, say something" or "kiss the Blarney Stone" or "rub Buddha's belly" or some other simple token action is an effective way to create engagement with a narrative.

Part of the art of "hacking" is social engineering after all.


> Not to mention them not knowing basic facts like Moldova and Romania being in fact 2 separate independent countries.

Maybe this is from a language barrier/confusion? I know that the modern state of Romania comes from a union of the Wallachian/Transylvanian/Moldavian principalities, and modern Moldova originates from part of the historical Moldavian principality which the USSR forced independent Romania to secede (?).

I think the Moldavian would refer to themselves as "Romanians" as a group of people, unless emphasizing the particular government/nationality? I know this is probably a controversial topic, I really don't know much about the modern geopolitical status there, just speculating why the article may conflate Romanian and Moldova.


Oh, you're totally giving the author too much credit to assume they know the history of Romania.

I bet it just stems from a lack of reading comprehension. Moldova has 2 keyboard layouts (Romanian and Russian) according to the screenshot posted in the article, so I presume they just read "Romanian" which vaguely sounded like a country name they sometime read about, and chucked it into the list.


You are absolutely right. The point here is that it's difficult to take the author's geopolitical claims seriously, when he is easily confused by Romania/Moldova duality.


That immediately jumped out at me as well as a basic geopolitical error.

Nonetheless:

- The list of countries is taken from the malware. It is not speculation.

- The fact that a number of major malware strains do not install on machines with Russian and various other Eastern European localisation settings is an objective fact as anyone in the malware field can tell you.

These organisations exist to make money and "the heat" is a detriment to making money. These groups are able to operate with impunity because they take such drastic steps to not anger the local authorities (legitimate and illegitimate). As other commentators have pointed out, this list of countries is likely at the behest of those people, who have various reasons for choosing them. If interested, you can google about a fellow named Paunch if you want to understand the consequences of shitting where you eat as a Russian "cybercriminal".

From a purely money-making perspective, it's a lot more effective to fly under the radar and infect companies far away from them. The ROI simply isn't there for these groups to infect machines closer to home.

That is, of course, until you do something like this, which was clearly and obviously a massive fuck up.


> The fact that a number of major malware strains do not install on machines with Russian and various other Eastern European localisation settings

TBH I'd never think of the countries on that list as Eastern European. With the possible exception of Moldova because it's originally a part of Romania.


Yeah that was weird. It makes all of this read like some random guy in a bar speculating about geopolitics.

I wonder what part of the story I don't know much about (eg the motivations of ransomware gangs) is similarly baseless speculation.


There's a comment below that explains this https://news.ycombinator.com/item?id=27184607


> Not to mention them not knowing basic facts like Moldova and Romania being in fact 2 separate independent countries.

Moldova is also a Romanian region.


That's unfortunate, because he has some good points. I don't think he set out to offend, and ignoring the message due to a factual error is short-sighted.


2021 will go down in history as the year where Krebs finally decided to make his website mobile friendly! Hallelujah!

That being said, the trick is to install a Russian virtual keyboard.

Maybe this would all turn out to be a ruse years from now as the Russian keyboard drivers will have contained a 0-day. I would not be surprised.


The article mentions a way of configuring the registry without actually installing the Russian keyboard.


> But is there really a downside to taking this simple, free, prophylactic approach?

Yes there is: if you're a user who already uses two or more languages, cycling through them with language bar hotkeys, this will add an annoying extra one you don't use.

Maybe just the language (e.g. Ukrainian) can be installed without defining a keyboard, and that will still thwart the ransomware. But already you have no verifiable test case that the trick actually works with the keyboard; that's already being done on faith, so you're adding a wild-assed guess to faith.


In the article there is a link to a script that just adds the registry keys that will trick the malware, without installing the actual language packs.
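A way to check what such a script actually left behind, since the thread notes there is no verifiable test case that the trick took effect. This is an added example, not the article's batch script or any code from Krebs; it reads the per-user `HKCU\Keyboard Layout\Preload` key (my choice of where to look: the list of keyboard layout IDs Windows preloads for the user, which may or may not be the exact keys the linked script writes), decodes each layout ID into its language ID, and reports whether one of a few CIS-region locales is present and whether it sits in the default slot. The language IDs are well-known Windows locale identifiers; which locales go on the list is this example's assumption, not the malware's real exclusion list. Off Windows it runs against a constructed sample so the logic can be exercised anywhere.

```python
"""Audit the keyboard layouts preloaded for the current Windows user.

Added example for this thread; not the article's batch script nor any
code from Krebs or the tools discussed. On Windows it reads
HKCU\\Keyboard Layout\\Preload, the per-user list of keyboard layout IDs
(KLIDs); elsewhere it falls back to a constructed sample.
"""
import sys
from typing import Dict, List

# Windows LANGIDs (low 16 bits of a KLID) for a few locales named in the
# thread. The numbers are well-known Windows locale identifiers; which
# locales belong on the list is this example's assumption, not the
# malware's actual exclusion list.
CIS_REGION_LANGIDS: Dict[int, str] = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x0818: "Romanian (Moldova)",
}

# Constructed sample: a US-English default layout with Russian added
# second, i.e. the state the article's trick aims for.
SAMPLE_PRELOAD: List[str] = ["00000409", "00000419"]


def langid_from_klid(klid: str) -> int:
    """Extract the LANGID from a KLID such as '00000419' or 'd0010419'.

    A KLID is eight hex digits; the low 16 bits identify the language
    (primary + sublanguage), the high bits distinguish layout variants.
    """
    klid = klid.strip()
    if len(klid) != 8:
        raise ValueError(f"unexpected KLID format: {klid!r}")
    return int(klid, 16) & 0xFFFF


def read_preload_from_registry() -> List[str]:
    """Return the KLIDs under HKCU\\Keyboard Layout\\Preload, ordered by
    value name; value '1' is the user's default layout."""
    import winreg  # only available on Windows

    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Keyboard Layout\Preload") as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            order = int(name) if name.isdigit() else sys.maxsize
            entries.append((order, str(data)))
            index += 1
    return [data for _, data in sorted(entries)]


def audit_layouts(preload: List[str]) -> Dict[str, object]:
    """Report which preloaded layouts belong to the CIS-region set.

    'default_is_cis' flags a CIS-region layout in position 1, i.e. it is
    the user's default rather than a secondary layout, which is the
    situation worth knowing about before a reboot.
    """
    matches = []
    for position, klid in enumerate(preload, start=1):
        name = CIS_REGION_LANGIDS.get(langid_from_klid(klid))
        if name is not None:
            matches.append({"position": position, "klid": klid, "language": name})
    return {
        "layouts": list(preload),
        "cis_layouts": matches,
        "trick_present": bool(matches),
        "default_is_cis": bool(matches) and matches[0]["position"] == 1,
    }


def main() -> None:
    if sys.platform == "win32":
        preload = read_preload_from_registry()
        source = "registry"
    else:
        preload = SAMPLE_PRELOAD
        source = "constructed sample (not on Windows)"
    report = audit_layouts(preload)
    print(f"layouts ({source}): {report['layouts']}")
    for entry in report["cis_layouts"]:
        print(f"  position {entry['position']}: {entry['klid']} = {entry['language']}")
    print("CIS-region layout present:", report["trick_present"])
    print("CIS-region layout is the default:", report["default_is_cis"])


if __name__ == "__main__":
    main()
```

Two caveats on reading the result: a present registry reference only tells you the reference exists, not that any particular malware family honours it, and the audit reads only the current user's hive, so the logon-screen layout that the Windows 7 commenter below tripped over is not covered by this check.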


I tried those on Windows 7 and after rebooting couldn't log in anymore - it just kept saying my username or password was incorrect.

It took me quite a while to figure out that this was because I had set my keyboard for the logon screen to Cyrillic. I confirmed by overwriting sethc.exe with cmd.exe and enabling high contrast - the text I typed in the command prompt window that opened was in Cyrillic. (Not my own trick, but a very useful one for recovering access to Windows without directly editing the registry files!)

That's quite a downside, I would say! Turns out all those Microsoft warnings that say "do not modify the registry unless you know what you are doing" had a point.


That stuff is flaky to begin with. I've seen a recent Windows 10 update bring back an unwanted Canadian keyboard, showing up in the language bar, and part of the Shift-Alt cycle.

I had deleted the keyboard and the Canadian English language, with the system set to US English. Now this keyboard suddenly came back, with no way in the UI to delete it. I had to first install the Canadian language. Then I was able to remove the keyboard.


Is that how the cycling works? I would hope that, just like with Alt-Tab, pressing the language bar hotkey Windows-Spacebar once will toggle between the current and the most recently used one.


I believe it cycles through.

In earlier days of Windows 10, I had an ANSI keyboard for desktop and JP106 for laptop, so I had to have en_US and ja_JP on desktop while laptop had to have en_JP and ja_JP.

Each time Settings synced it would subtly add the missing one to the cycling but would not update the language list, so I had to keep adding and removing the other one from Settings for a while. Later they added toggles to stop syncing keyboards.


It cycles. Win+Spacebar or Alt+Shift. Same cycling.


Let me give an example to explain what I mean: I would hope that switching keyboard layouts would work the same as switching between windows of open applications with Alt-Tab. That is, open a web browser, then open a text editor, then open a file explorer. I expect that when I press Alt-Tab, it switches from the file explorer to the text editor, and if I then press Alt-Tab again, it switches back to the file explorer. This isn't exactly cycling - instead it's switching between the two most recently used options (keyboard layouts/application windows). Is there a way to make keyboard layout switching work the same way?


It's kind of funny that Krebs doesn't mention the other obvious "one weird trick", which has been around for decades now: do not run your critical systems on Windows.


Or Linux:

https://en.wikipedia.org/wiki/Linux.Encoder

Or MacOS:

https://en.wikipedia.org/wiki/MacOS_malware#Ransomware

The reality is that this problem is 90% systemic/organizational and 10% technological. You can definitely run only Linux, make the same mistakes as these Windows shops made, and get destroyed by ransomware.

A lot of this problem is getting the fundamentals wrong (flat network layout/design, no/bad backup strategy, shared credentials across different classes of equipment, and too liberal inter-access). Much of which is wrong for organizational convenience and sometimes cost savings.

I can look at an org without even knowing what OS they run and tell them if they're vulnerable or not, because the assumption you must make is that entry will occur at some point, and then evaluate how or to what extent it can propagate and what the costs/consequences will be.

Ransomware will continue until organizations and their management are held accountable for their own incompetence/apathy/cost-cutting, that let the ransomware cripple the company. If I were on a company board I'd ask for the CEO's job if backups didn't exist or company operations shut down for multiple days/weeks, but that isn't happening.


That malware exists for multiple platforms does not mean that it occurs with similar frequency across platforms. I strongly suspect that, all other things held equal, an org running all Linux would statistically fare better than one running all Windows. Even if that's true it doesn't justify ignoring other measures just because of your OS, but I seriously doubt that it doesn't help.


This is one of those tricks you don't want to publicize if your goal is to increase your own security. Linux being less of an attack vector than Windows has less to do with its inherent security (I wouldn't be surprised if Windows has Linux solidly beat in this department nowadays) than with how many and what kinds of computers run Linux.

If a company's Linux boxes mostly run production servers that are generally stateless and/or covered by a comprehensive disaster recovery policy, then there's a good chance that their response to your ransomware attack will be to laugh in your face and push the "recover" button.

On the other hand, there's a decent chance that at least some of the company's Windows computers contain some critical spreadsheet that holds together some essential business process and isn't being regularly backed up.

The thing is, that balance only works as long as there aren't a whole lot of organizations running all Linux. Because, if there were, then you'd start to see more of those critical irreplaceable files living on people's Linux desktops.


It is not obvious to me how to compare the fundamental security of NT and Linux, although I give some credence to the traditional answer that >90% of servers are on Linux (i.e. there's no shortage of valuable targets) so if it were really that easy to attack people would do it. However, even assuming comparable inherent security of the OS, it is trivially true that more malware exists for NT than Linux, so for non-targeted attacks Linux is probably safer. And, of course, if you're worrying about targeted attacks (such that people knowing what you run is a problem), then OS is almost irrelevant because you need to do some serious hardening regardless.


I would actually argue that Linux primarily being a server OS is a big reason why there seem to be so few attacks against the OS itself. It's about the attack vectors.

On Windows, there's typically a human interacting with it. That's a big part of your attack vector; you're trying to get them to download and run a file. Once they do that, it's able to interact directly with the OS. And you've got a lot more incentive to stick around once you get in, because typical users aren't going to notice if the computer's chugging a bit harder due to running a botnet or encrypting the whole hard drive.

On a server, though, everything's probably pretty closed down. And there's generally no human to let you in. So instead of attacking the OS itself, you attack the services running on it. And if you do get into one, there's likely no need to go after the OS from there, because you're already in the memory space of the app, which is where all the goodies lie. And you're also not likely to stick around and waste CPU resources on running a botnet or encrypting the drive, because any halfway competent ops team is going to have monitoring in place, and will notice and investigate the anomalous spike in activity.

Which takes us back to my point: correlation is not causation. Relative compromise rates for the two OSes may well have nothing at all to do with the actual OS. The real thing that's being attacked is the class of computer: viruses want to go after user workstations, not servers.


Serious question: If you are really paranoid about getting hacked, or you're operating in an environment that requires hardcore security, wouldn't your first choice of operating system be OpenBSD?

I have often read about how secure OpenBSD is, but I've also thought that you give up a lot of convenience in using it. I don't think my circumstances would justify switching to OpenBSD.


I'd honestly say Qubes now... just virtualize everything :D


Until someone figures out how to attack virtual machine.


I think the issue is that if you use linux you are usually smart enough to not get infected, windows users are the majority and thus get hit more. What is the term for this phenomenon? I know I read the wikipedia page for this phenomenon in the last year.


> I think the issue is that if you use linux you are usually smart enough to not get infected

I think that's an extremely poor assumption. How many people on HN run containers with "docker run"? How many of those users actually went and personally audited those containers before doing a docker run vs. just trusting someone else checked first? I can tell you first hand I've seen dozens of customers do a docker run with a public image on a system attached to an internal network without giving it a second thought.


> How many people on HN run containers with "docker run"?

I'd hazard a guess that a far SMALLER percentage of linux users do so, than Windows users who would open an exe if their browser told them to and fall for other types of ransomware.


I'd hazard a guess that more of us have done this than haven't:

curl https://raw.github.com/innocent/script.sh | sudo sh


> I think the issue is that if you use linux you are usually smart enough to not get infected, windows users are the majority and thus get hit more.

It's been a long time since "using linux" meant you're "smart enough to..." Probably around the time corporate IT departments everywhere realized Linux on x86 was cheaper than Solaris and could still get the job done.


For sure, there are dumb linux users and smart windows users. But the percentage is skewed since you generally don't use linux unless you have a minimum amount of skill; especially on desktop there are WAY more non proficient windows users than non proficient linux users + windows is preinstalled on basically every consumer device.


Also on the desktop the prevailing method of malware infection is probably from downloading .exe files from sketchy sites (or email attachments) and running them. Or from websites exploiting browser bugs to do OS-specific things (though I imagine these sorts of vulns are hard to come by these days).

The vast majority of these are going to be Windows executables and Windows-specific things. Your random malicious website is much more likely to target Windows desktop users than Linux desktop users.


That's what everyone else said up until they did.


Sure, still happens to less Linux users as a percentage compared to windows users...


Are there numbers that say that?


Or the actual fix - real tested backups. Stop blaming a reasonably secure OS when almost no competitor is noticeably more secure and only happens to not be hacked much because of obscurity.


It might reduce attacks but no operating system is bulletproof and attackers devote more resources to the operating system with more market share. If all infrastructure running on windows changed to linux, then linux would be the new target.


Linux has an over 90% market share on critical infrastructure like servers and cloud resources which I would consider prime targets for ransomware. Who cares about an infected workstation, reinstall and move on.


Impossible for most organisations


This made me think of the bike manufacturer that printed images of flat-screen TVs on the outside of their boxes to reduce damage during shipping. It worked better than actually printing warnings like "Fragile" or "Handle with Care."

Just a more creative solution to a problem instead of a more technical one.


If I ordered a bike from Amazon and got a box like that, I might just figure "oh crap, they sent me the wrong thing" and process a return without even opening it. And then be highly confused when it happened again with the replacement.


If they're clever, it's a picture of a TV with a screengrab of the bike in action. The delivery guy would think "It's a TV". And you, expecting a bike, would think "Hah, weird box art, but that's the bike I ordered indeed"



I hadn't thought about that aspect. I don't believe they sold through Amazon, and I am not sure what the return address would have said, but I assume that wasn't a major issue for them if it was worth the effort.


Interesting. Could you please share a source for this?

AFAIK bikes imported as CBU are placed in special crate.


HN Link with article and previous discussion: https://news.ycombinator.com/item?id=19008470

Not sure about "imported" boxes, as I believe this is for domestic US shipments.


Thank you. Apologies, I confused bike with motorcycle.

In India, bike means motorcycle and pedal bike means cycle. :)


Next week's headline:

"Hundreds of thousands of computers compromised through bug in Windows Russian keyboard driver"


I don’t know much about how keyboards actually work but wouldn’t the suggestion offered in the article insulate you from this risk:

> But James says he loves the idea of everyone adding a language from the CIS country list so much he’s produced his own clickable two-line Windows batch script that adds a Russian language reference in the specific Windows registry keys that are checked by malware. The script effectively allows one’s Windows PC to look like it has a Russian keyboard installed without actually downloading the added script libraries from Microsoft.


[...] all currently have favorable relations with the Kremlin, including [...] Georgia, [...] Ukraine.

One might wonder what unfavourable relations with the Kremlin look like then.


Don't know much about Georgia, but even though Ukraine's leadership is against Russia, they do have a part of the country that's favorable (mainly it was Russians that were moved to live in Ukraine during the Soviet era).


"The Kremlin likes you! This is not necessarily a good thing, and your opinion on the matter is not relevant!"

http://tvtropes.org/pmwiki/pmwiki.php/Main/AndCallHimGeorge


An accurate clickbait title. Well have I ever!


It may be accurate, but it could be more descriptive. The current title feels a bit lazy, but I have trouble coming up with a better one.


I believe it may be tongue-in-cheek.


> In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country’s borders files an official complaint as a victim.

And why the hell would they do otherwise?

They're being sanctioned to shit by the rest of the world (the US hegemony) who doesn't give the slightest fuck about them.

Maybe the hegemony is funding a problem.


> all currently have favorable relations with the Kremlin, including ... Ukraine

Really???


Criminal gangs from Russia and Ukraine continue to collaborate regardless of today's politics - love knows no borders. Plus there are around 2 million Ukrainians living in Russia.


Since Ukraine has a large Russian-speaking, pro-Russian minority, it's complicated. But the Russian government might still see intervention in Ukraine as sensitive, since there's a war on, and might want tighter control over any attacks used there.


I wouldn't call it a minority. In reality, Ukrainians that speak Ukrainian as their main language are a minority in Ukraine, but they got into power after just another coup in 2014 and are now repressing the Russian-speaking population.

Just go to google trends and type the same word in Russian and Ukrainian to see what parts of the country are really using Ukrainian and what percent of the population lives there.


Weird that he included Romania too; Romania is part of NATO, has pretty cold relations with Russia and we use a Latin-based keyboard.

There must be a different reason.



That makes sense, but the article is using the wrong reason; it placed Romania and Ukraine in a list of "Kremlin friends". I just wanted to append to the parent comment to clarify for people that don't know all the eastern European countries and the relations.


They didn't, they included Romania (Moldova), which must be what they use in Moldova.


It's "Romanian (Moldova)", i.e. "Language (Country)". East Moldova stopped calling it Moldavian a while ago and "mo" and "mol" have been deprecated.


My point stands, they did not include Romania, the country -- you would not have the Romanian (Moldova) keyboard installed in Romania.


Yeah, Georgia being on there was odd too, but lots of bizniz going on with the industries and infrastructure of both.

That said, I've never been a fan of the all-too-frequent approach of armchair Kremlinology as a first and last line of investigation. I'd say it's likely just as much about targeting the attack in a direction where you're unlikely to get blow-back. I would not want to find myself negotiating with a representative of an angry Ukrainian vodka plant.


Georgia is a popular tourist destination for Russians, they might fear getting nabbed on vacation if they committed crimes there.


Hmm, maybe, but the point I was making was that if you piss the wrong company off in Tbilisi, they can find you in Petersburg.


Donetsk and Luhansk are in the Ukraine, if only geographically.


> in ~the~ Ukraine[1]

They are essentially dead cities and I hardly think that they allow using Ukrainian layout.

1: https://web.archive.org/web/20080725060956/http://www.ukrwee...


Funny. Did they also convince Germans to stop using the article when referring to that territory?


I also say the Sudan and the Congo.


> They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian

does this ransomware software run on macOS or Linux?


Actually, yes the DarkSide ransomware has a Linux version. See: https://krebsonsecurity.com/wp-content/uploads/2021/05/darks...


The URL contains 2021/05, but was this really collected May 2021? Because a 23 bitcoin deposit seems steep for the opportunity to work with them. I would assume black-hat hackers who have this amount of money on hand typically don't need to seek out ransomware groups to rally behind


From your link under the Linux section:

Support of main versions of ESXI [5.1 - 7.0].

Support of NAS (Synology, OMV, etc. (TBA)).

It doesn’t surprise me to see those listed but I don’t see support for traditional Linux (Redhat, Debian, etc.). Am I missing something here?


> Who are we NOT looking for?
>
> ------------------------------
>
> English-speaking individuals.

That made me laugh. Now I really wonder if those ransomware groups are that stupid or Krebs himself.


Why, looking for partners of the same cultural background and specifically excluding another cultural background (presumably correlated with being a CIA agent or whatever?) sound like things criminals would do. The only strange part: why would this be written in English?


Yes, sorry, you're on the right path. I did not think I must explain what exactly made me laugh there.


I doubt much ransomware is developed to be cross platform, having three different programs seems more logical. It might launch under wine?



"Much" no, but I'm sure I've seen reports of python-based ransomware.


> “Our goal is to make money, and not creating problems for society,”

Ethical criminals... Lol... That's rich.

These are people with some skill, and they choose to use it for evil. This isn't a spur of the moment crime.


It is not about ethics. It is about making money without risking big troubles.

Ditto with drug dealers: they want to sell their drugs, without the trouble of dealing with the cops (whenever possible).


I had considered this approach already, and thought it would be better not so publicised; the checks will become more detailed, such as timezone settings, last connected hosts etc. It's a good way to frustrate bad automated bots though so far.


The conclusion is BS. The real reason for filtering Russian and similar computers is the "extrajudicial consultants" who take care of a problem when someone steps on a big company in the exUSSR.


This is obviously correct, but bear in mind this is coming from Krebs, whose first and only instinct is always to blame the GRU for literally everything.


> “Our goal is to make money, and not creating problems for society,”

It's a pretty big problem for society when hospitals, universities, and countless business have been ransomed.

What they really mean is "We're trying to make as much money as possible without doing so much damage that someone with unlimited resources will hunt us down"

Hopefully shutting down a majority of the East Coast's pipeline capacity will be large enough that the US finally uses its deep pockets to do exactly that.


> “Our goal is to make money, and not creating problems for society,”

> It's a pretty big problem for society when hospitals, universities, and countless business have been ransomed.

Well, at least their "ethics" page does state that they will not attack "hospitals, hospices, schools, universities, non-profit organizations, or government agencies".


> The worst that could happen is that you accidentally toggle the language settings and all your menu options are in Russian.

Did the author even try his own trick?.. Switching to Russian keyboard the way he describes will not change the UI language or menu options, it only applies to the text you type.


Russian hackers don’t hate such tricks. But what Russians hate, is when USA starts just another propaganda campaign about ‘Russian hacking’ based on ‘evidence’ that malware was compiled on a PC with Cyrillic symbols or ‘timezone was set to Moscow time’.


Yes, this is the big elephant in the room

> But doing so increases the risk to their personal safety and fortunes by some non-trivial amount, said Allison Nixon, chief research officer at New York City-based cyber investigations firm Unit221B.

Oh really? So do you mean those people are very careful to not toe some governments in extreme fear of them?

No wonder the western countries are taken as fools. They know no one is going to wake up in an "uncomfortable position" by messing with western companies and governments.

Maybe what we need is to take those checks out of the malware and just re-send it where it came from.


American hackers are no less careful to avoid running services or communicating through American datacenters. Everyone knows that Google, Apple, Facebook, Amazon etc. are more than happy to turn over the IP address logs and any unencrypted data whenever law enforcement brings a valid search warrant, and sometimes they'll offer a dragnet of all their data when law enforcement just asks nicely.

The problem is that law enforcement is listening to local victims: Hack Colonial Pipeline and ask them to bring you a bag of cash in the parking lot, and you won't be meeting with their CFO - that guy in a suit is from the FBI. Hack Nord Stream, and you'll make some Russians angry, but they're going to have a hard time bringing that complaint to the FBI.

To make this more sensible, we need a paradigm shift. With a global Internet separating victims and hackers, while national governments only look for domestic victims of domestic perpetrators, you're going to end up with a lot of useless fist-shaking across the borders. I'm not suggesting that the answer is extradition of scapegoats at the whims of foreign powers, either, but our small, modern world has a lot of growing up to do before this makes sense.


Actually a Russian being hacked by an American will find a very interested FBI - who will promptly send all the needed evidence to whoever in the government deals with overseas issues. In turn this will lead to the Americans proposing an exchange of criminals with the Russians. It might or might not happen depending on details, but the proposal will be made.

Note, the above assumes you are not a target of a US military operation. If the US military is hacking you, then don't waste your time with the FBI (but if that is the case you already have access to "other" means to respond)


I'll just leave this here... https://www.eurogamer.net/articles/2011-02-21-the-boy-who-st...

"Have you any idea how lucky you are that we got to you before you got on that plane?"


>"No wonder the western countries are taken as fools. They know no one is going to wake up in an "uncomfortable position" by messing with western companies and governments."

You can definitely get into an "uncomfortable position" when messing with western countries. But if a hacker resides in Russia there is not much the West can do as Russia does not extradite its citizens. The West in this case has to rely on Russia chasing after them and due to the very "warm and fuzzy" relations lately it is not likely to happen as long as those hackers do not mess with Russia itself.

Sanctions might have helped but since Russia is already sanctioned up to its gills it probably does not care anymore.


More than one Russian hacker was arrested when on vacation in a country that has an extradition treaty with the US.

That's far less effective than we would want, but it's a bit more than nothing.


>"More than one Russian hacker was arrested when making vacation in a country that has an extradition treaty with the US."

Being an idiot has consequences. I have no idea why those Russian hackers ever assumed that they'd be safe when traveling. They committed a crime and were stupid enough to basically ask to get arrested.


Meanwhile Russian tourists continue to visit picturesque cathedrals across Europe.


Seems to me it would be rather easy to detect a system with 1 Russian keyboard vs a system with a default English keyboard and a secondary Russian keyboard. It will probably take about 10 minutes to adapt to this defense.

As I mentioned in their comment section, re-installing Windows with a Russian keyboard as default and then adding English afterwards might be a good defense, but I doubt many English-speakers could navigate a Windows install in Russian using a US keyboard.


As mentioned in the article, they have to be extremely careful to keep the local authorities off their backs. Thus, they are not really into taking chances in that way. Having the Russian language installed at all is so rare in the US/UK/etc. that they are unlikely to change this strategy. Finding the real location of systems is very hard to do.


Yeah and it probably wouldn't pay to change it anyway: it would suggest the user is at least slightly security-conscious and probably correlate poorly with profit margins. Like how spammers intentionally use typos to filter out the even semi-bright.


> Seems to me it would be rather easy to detect a system with 1 Russian keyboard vs a system with a default English keyboard and a secondary Russian keyboard. It will probably take about 10 minutes to adapt to this defense.

A modern computing environment is pretty much unusable with just a Russian keyboard. You need some way to enter URLs, email addresses, shell commands, etc. A Russian keyboard is an addition to English, not a replacement.


Pretty much everyone in Russia uses at least two keyboard layouts - Russian and English. Having the English layout as a default is quite common as well.


Let's not kid ourselves with a false sense of security from the keyboard "trick". The memories of Petya crypter https://en.m.wikipedia.org/wiki/Petya_(malware) are still fresh and supposedly have similar pedigree.

It was readily running (targeting even) on Ukrainian PCs.


This was an interesting throwaway line from the article: “ because of Russia’s unique legal culture....”


This is really fun inside baseball for these groups. Unfortunately, once the cat is out of the bag how long will the "fix" work? Especially if it's being posted on Krebs.

Plenty of other places to check, such as TZ date, or IP geolocation.


Those tricks are dangerous though. The whole goal is to ensure the Russian authorities don't care what you do. Attack someone not in Russia and they don't care, but if you make a mistake, the Russian police will come knocking.


> But is there really a downside to taking this simple, free, prophylactic approach?

Yes, you are continuing to use Windows, and fooling yourself into thinking it is marginally more secure, instead of switching to literally any other OS.


The article sort of implies this is geopolitical (i.e. the hackers are "attacking" certain countries). I kind of doubt that. My guess is they're just afraid (with good reason) of the Russian government.


This. ExUSSR law enforcement isn't bothered about what happens on the other side of the globe: incompatible legal systems, language barrier, bureaucracy, etc. However, if DarkSide are in Belarus and attack Russian companies, they can easily be extradited, etc. Also there's decades-old solidarity among exUSSR developers, e.g. a lot of software has free or cheaper licences for exUSSR citizens due to lower purchasing power.


I bet you if this starts to matter the software will start monitoring your usage of each keyboard to make a call (eg no usage of Russian in the past month, this is likely just a prophylactic).


You can also check browser history for visits to "VKontakte", "Odnoklassniki" and "Anekdot.ru" :)


Not really. The machines they want to avoid the most are behind proxies that don't have these sites whitelisted.


Exactly - proxy blocking VKontakte is a clear signal as for example our corp proxy in US has no such block :)


The article sort of implies that Romania is on the list of countries being excluded, but note the chart which says “Romanian (Moldova)” - the Romanian language is indeed spoken there.


Imagine spending your short life, trying to destroy the lives of random people around the world.

(To be fair I would probably prefer to be in a russian hacker group, than an american military unit.)


I am certainly not defending them, but their goal isn’t to destroy lives, it’s to make money.


I know, and I didn’t even mean to imply that their goal was to destroy lives.

I guess I’m just disheartened by it all, but I will readily acknowledge that I don’t have any real understanding of the economic context that drives people to do this.


Some of these people are probably spoiled brats, but others don't eat every day, or come from such a background.


> Imagine spending your short life, trying to [show ads to] random people around the world.


Exactly. Stealing money from big corporations is arguably less evil use of talent than enabling most of said corporations.


Greed is a powerful motivator.


Note: the CIS map is outdated; the country of Georgia withdrew from the organization as a result of the 2008 Russo-Georgian war.


Won't they just add a check for a Cyrillic keyboard AND the time zone? Server pings? This trick won't last.


> “Our goal is to make money, and not creating problems for society,” the DarkSide criminals wrote last week.

What? Srsly, what?


Also, whoever made that table: the language is "Ukrainian" not "Ukranian"


The hacker couldn't stop the pcap capture. You won't believe what they got!


Could you solve this problem by just renaming your US keyboard?


It is lacking "before this video gets banned!".


Learn the software secrets of Bill Gates and other rich people. Imagine never getting malware again. Others have done this simple trick to stop viruses cold. Now you can, too!


It feels like we are living in an episode of die hard.


Next step would be to switch to Russian interface :-)


Do they actually refer to themselves in the third person in the first sentence?

(Unrelated:) So are we good if we don’t use Windows?


Enabling UEFI secure boot is another. Full disk encryption typically does not work with UEFI, so upgrading to Windows 10 will make you immune to this. Windows 7 uses legacy settings. Surprised the 'expert' on security would not notice this much better solution.


What stops hackers from any other country from having those "vaccine" checks in place, so that sec agencies blame Russian hackers?


How do they know it's the Russians? They see an IP from Russia and assume they are Russians?


"...virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian."


Realistically though, this is hardly evidence, is it? I'm not saying it's not originating from that area obviously.


I think the major governments of the world have more evidence they are not sharing. Russia being one of the few countries in the world that you can't get a wanted criminal out of makes it very likely they are the ones, as otherwise there have been enough high-profile attacks that something would have been done.

If Afghanistan was harboring criminals like this the US would invoke NATO and send the military. However Russia is a bit too big for the US to be willing to tangle with.


Correct, they don't know for sure but circumstantial evidence points in that direction.

https://qz.com/2007399/the-darkside-hackers-are-state-sancti...


In this case, it is private criminal enterprises originating in Russia or former Soviet satellite states. They're not state sponsored so much as state sanctioned, as the state turns a blind eye to it so long as they don't target any homeland targets.


Wasn't this stupid trick debunked last week on Twitter as being inefficient?


Gee, a great big "RUSAI DID TIHS HACK" written across the software. Little sus?


Progressive45 the sole comment has it right.


Quoting it here to save a click:

> How about this trick – don’t run your business on Windows software.



I think these problems are somewhat intertwined.

One person's feature is another person's increase in the exploit surface. An OS with enough features to be the most popular one on the planet may always end up with the most security holes.

I can, anecdotally, name at least one example where cross-platform had a feature that was trivial on Windows, and nearly impossible to implement on MacOSX (until Apple widened the graphics API to make it much easier because they needed the feature for QuickTime)... because it required one process to be able to render into the windows owned by another process. This enabled all kinds of cool features... Including the ability to spoof a dialog box in another app that made it look like it was asking for your credentials, while sending the data to an attacking app.


> Russian hackers are a diversion from the real problem: Microsoft Windows and a 25-year legacy of terrible security holes.


IMHO, for what it is (or was), Twitter overuses Javascript.

   twit rsyncnet |grep -o ".{71}5321.{563}" |sed -n 2p
For twit, see https://news.ycombinator.com/item?id=27056734

Output:

"Mon May 17 14:51:52 +0000 2021","conversation_id_str":"1394304666175885321","display_text_range":[0,205],"entities":{"user_mentions":[{"id_str":"74286565","name":"Microsoft","screen_name":"Microsoft","indices":[56,66]}],"urls":[],"hashtags":[{"indices":[67,75],"text":"Windows"}],"symbols":[]},"favorite_count":2,"favorited":false,"full_text":"Russian hackers are a diversion from the real problem: @Microsoft #Windows and a 25 year legacy of terrible security holes. DECADES of getting owned by autorun.inf and LANMAN, etc. Whose fault is that ?","is_quote_status":false,"lang":"en","quote_count":0,"reply_count":0,"retweet_count":1,

It is amazing how Microsoft can escape all liability for the problems of "cybersecurity". Perhaps this is what happens when competition has been eliminated (not by superior product quality) and there are no alternatives. Quality control problems with the product must be lived with along with endless diversions/scapegoats.


I sorta wish that these "criminals" would target big corporations, particularly the evil ones like Nestle, and distribute most of the profits to good causes; like distributing free clean water in third-world nations. The real criminals aren't those who take money from companies who have those losses budgeted in their expenses already and are insured against it anyway.

Sure, Hacker McHackface also gets their share of the loot. Good for them. Now go and hack Israel's digital maps so they can no longer send troops/settlers to steal homes from innocent Palestinian families.


This is classic victim rationalization in the face of an abuser's whims.

Maybe if I talk softly when he comes home or make just the right meal I won't get a black eye.

Maybe if I do the correct little rain dance, Windows won't open up gaping security holes whose descriptions could have been written twenty years ago.

It's not going to work.

Windows is going to keep abusing you.

You're going to keep getting black eyes.

It is simultaneously fascinating and depressing to know that more than twenty years later we're still reading about autorun.inf and LANMAN.


Kinda agree. I can't see why anyone in their right mind would use Windows for security-critical infra.


Windows IoT Core is a pretty good RTOS, competitive with VxWorks. The NT kernel is good engineering. It’s the Win32 userland baggage that causes all the problems.


Can you have one without the other?


That's why I mentioned IoT Core: it is, in fact, Windows without the Win32 userland. As such, it has no shell other than a web interface, and only runs UWP executables.

If you've ever interacted with an Xbox One in dev-kit mode, that's basically the experience of using Windows IoT Core.


The native NT kernel APIs are "undocumented" and meant for private use inside Microsoft only.


I agree that moving off of Windows would be helpful, but I'm not sure that abandoning Windows is a realistic proposition for many companies given how much legacy tech exists.


While I would agree that Windows has had a less-than-stellar security record (as has Unix, for that matter), I don't think an operating system-specific mechanism is at play for enabling ransomware.

The paradigm that all programs run with a set of permissions defined by the identity of the executing user is the main fault (i.e. I ran the ransomware and, therefore, the ransomware has access to all files I have access to). That's not unique to Windows.

A capabilities-based permission system would help. I'm not convinced that capabilities will limit the damage to file servers, however. I don't see users or IT admins having the capacity to map out access to shared filesystems on a two dimensional matrix of security principals and applications. Most companies can barely pull it off for just security principals.

If we move away from file servers the new ransomware will move to attacking whatever the next platform is, co-opting whatever "tokens" define the users' and devices' access to applications.

Rate limiting and behavior monitoring are probably our best bets on long-term eradication of ransomware. (That and CoW filesystems becoming the rule, rather than the exception.)
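To make the behaviour-monitoring idea in the comment above concrete, here is an added example that is not from the thread or from any product: a sliding-window detector over constructed file-write events that flags a process which rewrites many distinct files with ciphertext-looking (high-entropy) content in a short time. The event tuple format, the thresholds and the file paths are assumptions chosen for illustration.

```python
import math
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means all 256 byte values are equally frequent (ciphertext-like)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def flag_mass_encryptors(events, window_s=10.0, min_files=5, entropy_min=7.0):
    """events: (timestamp, pid, path, written_bytes) tuples sorted by timestamp.
    A pid is flagged the first time it has written high-entropy data to at least
    min_files distinct paths inside any window_s-second sliding window.
    Returns {pid: timestamp_of_first_alert}."""
    recent = defaultdict(deque)   # pid -> (ts, path) of its recent high-entropy writes
    alerts = {}
    for ts, pid, path, data in events:
        if shannon_entropy(data) < entropy_min:
            continue              # ordinary text/office saves are ignored
        q = recent[pid]
        q.append((ts, path))
        while ts - q[0][0] > window_s:   # drop writes older than the window
            q.popleft()
        if pid not in alerts and len({p for _, p in q}) >= min_files:
            alerts[pid] = ts
    return alerts


# Constructed sample telemetry (not real data): pid 100 is a user saving text and one
# zip archive; pid 200 overwrites six documents with byte-uniform data in four seconds.
TEXT = b"Quarterly report: revenue up 4%, costs flat.\n" * 10
CIPHERTEXT = bytes(range(256)) * 4   # entropy 8.0 bits/byte, stands in for encrypted output
SAMPLE_EVENTS = [
    (0.0, 100, r"C:\Users\a\memo.txt", TEXT),
    (1.0, 200, r"C:\Users\a\docs\q1.docx", CIPHERTEXT),
    (1.5, 200, r"C:\Users\a\docs\q2.docx", CIPHERTEXT),
    (2.0, 200, r"C:\Users\a\docs\q3.docx", CIPHERTEXT),
    (2.0, 200, r"C:\Users\a\docs\q3.docx", CIPHERTEXT),  # same path twice: counts once
    (2.5, 200, r"C:\Users\a\docs\q4.docx", CIPHERTEXT),
    (3.0, 200, r"C:\Users\a\docs\q5.docx", CIPHERTEXT),  # fifth distinct file -> alert
    (4.0, 100, r"C:\Users\a\photos.zip", CIPHERTEXT),    # a single compressed save: no alert
    (5.0, 200, r"C:\Users\a\docs\q6.docx", CIPHERTEXT),
]

if __name__ == "__main__":
    print(flag_mass_encryptors(SAMPLE_EVENTS))   # {200: 3.0}
```

The entropy gate keeps a lone high-entropy write (a zip or photo) from alerting, and the distinct-path count per window is the rate limit; real deployments would feed this from file-system audit events rather than a list.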



