Ransomware code in Kaseya attack bypasses systems using Russian, related languages: report

The Russian-linked cyber crime gang associated with carrying out a major ransomware attack against a software company used a code that avoids targeting systems that use Russian and other former Soviet-era languages as a default, according to a new report.

The report published by cybersecurity company Trustwave on Wednesday said that ransomware code used by REvil during the attack against software vendor Kaseya “avoids systems that have default languages from what was the USSR region.”

The default languages listed by the cybersecurity firm include Russian, Ukrainian, Belarusian, Armenian and Arabic.

The analysis was first obtained and reported by NBC News.

NBC said that although those within the cybersecurity field have known this to be a feature in some malware, the report is believed to be the first to explicitly pinpoint the feature as an aspect of the attack.

Ziv Mador, vice president of security research at Trustwave SpiderLabs, told NBC News, “They don’t want to annoy the local authorities, and they know they will be able to run their business much longer if they do it this way.”

Cybersecurity experts have reportedly said that cyber criminals in Russia and other former Soviet states have been allowed to commit cyberattacks without punishment from their government as long as the attacks are not targeted domestically.

Though the White House has not yet definitively attributed the ransomware attack, which Trustwave says has affected 1,500 customers, to any particular actor or country, the cybersecurity firm and other experts have associated it with REvil.

On Wednesday, White House press secretary Jen Psaki told reporters on Air Force One that President Biden is considering his options for how to respond to the latest ransomware attack as well as possible other attacks from last week.

“In terms of operational considerations, obviously it is not in our interest to preview those or preview our punches, as I like to say. The president has a range of options should he determine to take action,” Psaki said.

Last month, President Biden met with Russian President Vladimir Putin during a bilateral summit in Geneva, and cybersecurity was one of the top items on the agenda.