The ransomware already tries to avoid attacking computers of Russians by checking the keyboard layout of the computer. If it detects a Russian layout, it deletes itself and does not encrypt the computer. However, the ransomware has no provision for those computers who do not use a Russian layout, so some people from former USSR countries who choose not to use that layout can still be affected.
This is a common practice amongst Russian hackers and malware developers, who try to prevent from infecting Russian victims as they are concerned that the authorities will apprehend them, unlike when they are attacking victims from other countries.
This instance was first reported by Twitter user and security researcher Alex Svirid.
Sigrun Ransomware author free decrypt files for users from some countries former USSR (with Russian primary language)— Alex Svirid (@thyrex2002) May 31, 2018
Another malware researcher, S!Ri, replied to the tweet with two pictures from ransomware victims of another attack.
Yup, many are doing that. Guess who is Russian and who is American? pic.twitter.com/1pS6NhPtXN— S!Ri (@siri_urz) May 31, 2018
 |
| Russian victim |
 |
| U.S. victim |
According to the Bleeping Computer, the ransomware author has added the Ukranian layout as well to be avoided during encryption.
"Ukranian users don't use Russian layout because of political reasons. So we decided to help them if they was infected," the author told them via email. "We have already added avoiding Ukrainian layout like was in Sage ransomware before."
They also reportedly said that they are not from former USSR republics, but rather added the condition “because of his Belarus partners”.
Tags:
News
