Code in huge ransomware attack written to avoid computers that use Russian, says new report

WASHINGTON — The computer code behind the massive ransomware attack by the Russian-speaking hacking ring REvil was written so that the malware avoids systems that primarily use Russian or related languages, according to a new report by a cybersecurity firm.

It's long been known that some malicious software includes this feature, but the report by Trustwave SpiderLabs, obtained exclusively by NBC News, appears to be the first to publicly identify it as an element of the latest attack, which is believed to be the largest ransomware campaign ever.

"They don't want to annoy the local authorities, and they know they will be able to run their business much longer if they do it this way," said Ziv Mador, Trustwave SpiderLabs' vice president of security research.

Click here to read the report

The new revelation underscores the extent to which most ransomware originates in Russia and the former Soviet Union, and highlights the challenge facing the Biden administration as it contemplates a possible response.

Biden said Tuesday his administration has not yet determined where the latest attack originated. It does not appear to have had a significant disruptive impact inside the U.S., but it is being called the largest ransomware attack in history by volume, having infected some 1,500 organizations, according to security researchers.

The attack was particularly sophisticated, using a previously unknown software flaw — a "zero day" vulnerability — to infect an IT firm, that then infected other IT firms, that then infected hundreds of customers.

Trustwave said the ransomware "avoids systems that have default languages from what was the USSR region. This includes Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Romanian, Russian Moldova, Syriac, and Syriac Arabic."

In May, cybersecurity expert Brian Krebs noted that ransomware by DarkSide, the Russia-based group that attacked Colonial Pipeline in May, "has a hard-coded do-not-install list of countries," including Russia and former Soviet satellites that mostly have favorable relations with the Kremlin.

Colonial operates the largest fuel pipeline in the U.S. and was forced shut down all operations for days while trying to get back online, resulting in gas shortages across the country.

In general, criminal ransomware groups are allowed to operate with impunity inside Russia and other former Soviet states as long as they focus their attacks on the United States and the West, experts say.

Krebs noted that in some cases, the mere installation of a Russian language virtual keyboard on a computer running Microsoft Windows will cause malware to bypass that machine.

The Biden administration is trying to harness global support to pressure Russia and its neighbors to crack down.