Some of the most notorious hackers steer clear of attacking organizations in Eastern European countries.
DarkSide, the criminal organization behind the Colonial Pipeline cyberattack, and other high-profile hacking groups bar their partners from installing malicious software on computers using certain languages, according to Krebs on Security, a cybersecurity news site.
This has been going on since the early days of organized cybercrime, and “it is intended to minimize scrutiny and interference from local authorities,” Krebs wrote as part of a post pointing out that certain malware will not install on a Microsoft Windows computer that has a Russian or Ukrainian virtual keyboard installed.
Cybersecurity company Cybereason noted this back in April when it observed DarkSide being used against targets in English-speaking countries and avoiding targets in countries associated with former Soviet bloc nations.
“When the DarkSide ransomware first executes on the infected host, it checks the language on the system…to avoid systems located in the former Soviet bloc countries from being encrypted,” according to a report from Cybereason in April.
There is a do-not-install list that DarkSide uses based on the language of the software on the victim organization’s computer, according to the post by Cybereason.
That includes Russian, Azerbaijani, Uzbek and Ukranian.
The Photon Research Team at Digital Shadows, a cyber risk protection company, said in a note sent to Fox News that Avaddon ransomware includes a ban on targeting Commonwealth of Independent States (CIS) countries.
“Threat actors specializing in many different types of cybercrime observe this rule – it is not limited to ransomware groups. Many Russian-language cybercriminal platforms state explicitly in their rules that members must refrain from targeting victims in this area,” the Photon Research Team said.
Cybercriminals operate much like any other criminal enterprise, according to Inga Goddijn, executive VP at Risk Based Security.
“They prefer to operate from locations with either lax or under-resourced law enforcement or places that are inclined to turn a blind eye to their activities,” Goddijn said. “If the powers that be are willing to allow operations to continue in exchange for a degree of protection for local businesses, it’s not surprising to see attackers making an effort to accommodate that requirement.”