Ransomware code in Kaseya attack bypasses systems using Russian, related languages: report

Ransomware code in Kaseya attack bypasses systems using Russian, related languages: report

The Russian-linked cyber crime gang associated with carrying out a major ransomware attack against a software company used a code that avoids targeting systems that use Russian and other former Soviet-era languages as a default, according to a new report.

The report published by cybersecurity company Trustwave on Wednesday said that ransomware code used by REvil during the attack against software vendor Kaseya “avoids systems that have default languages from what was the USSR region.”

The default languages listed by the cybersecurity firm include Russian, Ukrainian, Belarusian, Armenian and Arabic.


The analysis was first obtained and reported by NBC News.

NBC said that although those within the cybersecurity field have known this to be a feature in some malware, the report is believed to be the first to explicitly pinpoint the feature as an aspect of the attack.

Ziv Mador, vice president of security research at Trustwave SpiderLabs, told NBC News, "They don't want to annoy the local authorities, and they know they will be able to run their business much longer if they do it this way."

Cybersecurity experts have reportedly said that cyber criminals in Russia and other former Soviet states have been allowed to commit cyberattacks without punishment from their government as long as the attacks are not targeted domestically.

Though the White House has not yet definitively attributed the ransomware attack, which Trustwave says has affected 1,500 customers, to any particular actor or country, the cybersecurity firm and other experts have associated it with REvil.


On Wednesday, White House press secretary Jen PsakiJen PsakiReporters lodge complaint with White House over Biden-Johnson meeting access White House faces increased cries from allies on Haitian migrants Harris 'deeply troubled' by treatment of Haitian migrants MORE told reporters on Air Force One that President BidenJoe BidenUN meeting with US, France canceled over scheduling issue Schumer moves to break GOP blockade on Biden's State picks GOP Rep. Cawthorn likens vaccine mandates to 'modern-day segregation' MORE is considering his options for how to respond to the latest ransomware attack as well as possible other attacks from last week.

“In terms of operational considerations, obviously it is not in our interest to preview those or preview our punches, as I like to say. The president has a range of options should he determine to take action,” Psaki said.

Last month, President Biden met with Russian President Vladimir PutinVladimir Vladimirovich PutinCourt finds Russia was behind 2006 poisoning of ex-spy in London Google employees criticize removal of Navalny app Third Russian charged in 2018 nerve agent attack on ex-spy in England MORE during a bilateral summit in Geneva, and cybersecurity was one of the top items on the agenda.