The latest chapter in the wave of ransomware attacks that marks 2021, the attack on Kaseya, is revealing how the REvil criminals deliberately avoid harming targets in Russia. According to a report by Trustwave SpiderLabs, the malware is configured so that it does not affect systems whose main language is Russian or a related language.
“They don’t want to upset local officials, and they know they’ll be able to run their business longer if they do,” Ziv Mador, vice president of security research at Trustwave SpiderLabs, told NBC News. Already considered the largest attack of its kind in history, the Kaseya incident has affected hundreds of organizations around the world, and many of them are expected to take weeks to recover.
This is not unique to REvil and has been fairly common for malware originating from Russia or neighboring countries for quite some time. RU authorities usually will not take action against criminals who do not harm systems or companies located in Russia, 1/3 pic.twitter.com/SZTawmlRAD
— MalwareTech (@MalwareTechBlog) July 7, 2021
According to researcher Marcus Hutchins (known on Twitter as @MalwareTechBlog), this behavior is not unique to REvil. He says it is common for malware to check the installed language packs, the keyboard layouts of CIS countries and the geographic location of the victim before continuing its operation.
“Unless attackers attempt to influence Russian users or companies, they are unlikely to be arrested,” Hutchins said. “I’m not really sure why the article cites a security company, claiming they were the first to identify it, given that it’s a well-known feature, and is talking about REvil because that ransomware was first discovered,” he commented on the NBC News article.
Security agencies in the United States and the United Kingdom have accused Russia of funding and harboring groups such as REvil, Cozy Bear and DarkSide (among others), which have been involved in actions affecting various companies and government organizations. The Kremlin routinely denies involvement in such cases, claiming that none of these groups has official links with Moscow.
Source: NBC News, MalwareTechBlog/Twitter