The attack on Kaseya, the latest chapter in the wave of ransomware attacks marking 2021, shows how the REvil criminals deliberately avoid harming targets in Russia. According to a report by Trustwave SpiderLabs, the malware is configured so that it does not affect systems whose main language is Russian or a related language.
“They don’t want to upset local authorities, and they know they’ll be able to run their business much longer if they do it that way,” Ziv Mador, vice president of security research at Trustwave SpiderLabs, told NBC News. Already regarded as the biggest attack of its kind in history, the Kaseya systems outage has affected hundreds of organizations around the world, and many of them are expected to take weeks to begin to recover.
This isn’t unique to REvil and has been pretty much the norm for malware originating from Russia or neighboring countries for quite some time. RU authorities typically will not go after criminals who don’t cause damage to systems or companies located within Russia, 1/3 pic.twitter.com/SZTawmlRAD
— MalwareTech (@MalwareTechBlog) July 7, 2021
According to researcher Marcus Hutchins (known publicly as @MalwareTechBlog on Twitter), this behavior is not unique to REvil. He says it is common for malware to check the installed language packs, CIS keyboard layouts and the geolocation of the victim before proceeding with its payload.
“As long as the attackers make an effort not to affect Russian users or companies, they are unlikely to be arrested,” said Hutchins. “I’m not really sure why the article quotes a security company claiming they were the first to identify this, given that this has been a well-known and discussed feature of REvil since the ransomware was first discovered,” he commented on the NBC News article.
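To make the locale check described above concrete, here is an added example of how such a "kill switch" is typically decided from what Windows reports: the user's default UI language and the list of installed keyboard layouts. This is illustrative code written for this article, not REvil's code and not taken from Trustwave's or MalwareTech's analysis. The set of language identifiers is an assumption: a representative list of CIS primary-language IDs from the standard Windows LANGID tables, not the exact list any particular sample uses. The live probe uses the real Win32 APIs GetUserDefaultUILanguage and GetKeyboardLayoutList and only runs on Windows; the sample host values in the demo are constructed.

```python
"""Locale / keyboard-layout 'avoid CIS' check, as an added illustration.

Not REvil's code. The avoid-list below is an assumed representative set of
Windows LANGIDs for Russian and other CIS languages, not any sample's list.
"""
import ctypes
import sys

# A Windows LANGID is (SUBLANG_ID << 10) | PRIMARYLANGID; the low 10 bits
# are the primary language. A keyboard-layout handle (HKL) carries the
# layout's LANGID in its low 16 bits.
PRIMARY_LANG_MASK = 0x03FF

# Primary-language IDs matched regardless of sublanguage (Cyrillic/Latin
# variants of Azerbaijani, Uzbek, etc. all collapse to the same primary ID).
# Assumed representative set; values are the standard Windows ones.
CIS_PRIMARY_LANGS = {
    0x19: "Russian",
    0x22: "Ukrainian",
    0x23: "Belarusian",
    0x28: "Tajik",
    0x2B: "Armenian",
    0x2C: "Azerbaijani",
    0x37: "Georgian",
    0x3F: "Kazakh",
    0x40: "Kyrgyz",
    0x42: "Turkmen",
    0x43: "Uzbek",
    0x44: "Tatar",
}

# Romanian is only relevant in its Moldovan sublanguage, so it is matched
# on the full LANGID rather than on the primary language (ro-RO is 0x0418).
CIS_FULL_LANGIDS = {0x0818: "Romanian (Moldova)"}


def primary_lang(langid: int) -> int:
    """Extract the primary-language part of a LANGID."""
    return langid & PRIMARY_LANG_MASK


def cis_language_name(langid: int):
    """Return the avoid-list language name for a LANGID, or None."""
    langid &= 0xFFFF
    if langid in CIS_FULL_LANGIDS:
        return CIS_FULL_LANGIDS[langid]
    return CIS_PRIMARY_LANGS.get(primary_lang(langid))


def should_abort(ui_langid: int, keyboard_hkls) -> tuple:
    """Decide whether to stop: abort if the UI language or any installed
    keyboard layout is a CIS language. Returns (abort, reason)."""
    name = cis_language_name(ui_langid)
    if name:
        return True, f"UI language is {name} (0x{ui_langid & 0xFFFF:04X})"
    for hkl in keyboard_hkls:
        langid = hkl & 0xFFFF  # low word of the HKL is the layout's LANGID
        name = cis_language_name(langid)
        if name:
            return True, f"keyboard layout {name} (0x{langid:04X}) is installed"
    return False, "no CIS UI language or keyboard layout found"


def probe_windows_host():
    """Run the decision against the real host; returns None off Windows.
    Uses the documented Win32 calls; nothing here modifies the system."""
    if sys.platform != "win32":
        return None
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    kernel32.GetUserDefaultUILanguage.restype = ctypes.c_ushort
    ui_lang = kernel32.GetUserDefaultUILanguage()
    count = user32.GetKeyboardLayoutList(0, None)  # 0 buffer -> returns count
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    hkls = [h or 0 for h in buf]  # c_void_p reads back None for a zero value
    return should_abort(ui_lang, hkls)


if __name__ == "__main__":
    # Constructed sample hosts (not real telemetry): en-US UI language, with
    # and without a Russian (ru-RU, 0x0419) keyboard layout added.
    en_us_only = (0x0409, [0x04090409])
    en_us_plus_ru = (0x0409, [0x04090409, 0x04190419])
    for ui, layouts in (en_us_only, en_us_plus_ru):
        print(should_abort(ui, layouts))
    live = probe_windows_host()
    print("live host:", live if live is not None else "not running on Windows")
```

Note that the decision depends entirely on values the host reports about itself, which is why checks of this kind can be satisfied by an installed layout the user never types on; which exact signals a given sample consults (UI language, keyboard layouts, geolocation) varies, and the article does not specify REvil's list.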
Security agencies in the United States and the United Kingdom accuse Russia of funding and harboring groups such as REvil, CozyBear and DarkSide (among others), which have been involved in attacks on various companies and government organizations. The Kremlin routinely denies involvement in such cases, claiming that none of these groups has official connections to Moscow.
The post Ransomware attack that affected 20 countries brings code that avoids targets in Russia appeared first on CmaTrends.