When a new ransomware variant reveals itself, there's an intense effort put towards reverse engineering the malicious software ("malware"). As I've discussed previously, reverse engineering is the process of analyzing software to determine its capabilities, how it works, and the design decisions that went into its creation. This process allows for quick identification of "indicators of compromise", unique changes made to the infected system by the malicious software. These indicators can be used to detect the presence of ransomware on systems, ideally before it has a negative impact on your network.
Insights from Reverse Engineering
Beyond detection and response, though, we can use the reverse engineering process to gain insight into the operational concerns of ransomware developers and operators. For example, what does a ransomware criminal see as their primary threat? What are they afraid of?
Your first thoughts probably go to the organizations that investigate cybercrime. On the front line, there are firms such as HORNE Cyber that look at new infections, help the targets recover and respond, and gather evidence about the compromise. Anti-virus companies also analyze ransomware to deploy wide-spread detection, hindering ransomware operators' operations. Ultimately, government agencies such as the FBI gather evidence for investigations, indictments, and prosecution. Reverse engineering the code of ransomware, however, reveals that the primary threat of ransomware operators is not the FBI, U.S. prosecutors, or any private firm (at least, not in the U.S.).
There is an old proverb: "It is an ill bird that fouls its own nest." You are likely more familiar with a more modern and explicit version of this saying, dear reader. By reverse engineering the code of ransomware, we get a view of what the operation is trying to avoid, and therefore, where the "nest" is based.
GandCrab and Location Detection
In the case of the "GandCrab" ransomware that I have been recently examining, it's clear that the operators' first and primary concern is a fear of all things Russian. Before the ransomware does anything else to the target system and before it makes any contact to the operators' command and control servers, it undergoes a rigorous process of detecting where the target system is located. While GPS coordinates for a desktop or server can be difficult to establish, every computer has settings that reveal something about its general location.
First, GandCrab looks at your keyboard. Your system can have multiple keyboard profiles installed, both physically plugged-in and on-screen, that allow you to type characters, letters, and accent marks of various languages. GandCrab cycles through all of them, looking for the presence of a Russian Cyrillic keyboard.
Next, an impressively comprehensive look is taken of language settings for both the user and the system as a whole (which can be set independently). Both language settings are compared against a list of sixteen different regions, including the Russian Federation and just about any closely related country where you might find Russian interests (such as Ukraine, Belarus, and Georgia).
If the ransomware's examination of keyboard and language settings raises even a single red flag, it shifts gears immediately from its original goal of encrypting files and holding them for ransom. Instead, it not only stops executing, but tries to delete itself from the system (on Windows, this requires a very deliberate trick to accomplish). The GandCrab authors clearly have no interest in targeting Russian-speaking organizations. Effectively, "Your rubles are no good here."
Fear and Prosecution
If we think about it for a moment, it becomes clear that, if we were Russian cybercriminals, we would want to exercise this form of due diligence as well. More so than in the United States, many Russian businesses are very closely affiliated with the government and ruling party. The blurred lines between big business and organized crime make it very difficult to identify Russian targets that are safe to attack. If the ransomware were to target a large number of Russian organizations, the probability of one being able to bring the resources of the state (or worse) to bear on investigation, prosecution, and punishment is high. The rest of the world, however, is unlikely to pose much threat. Even positive attribution is unlikely to result in extradition.
In cybersecurity, detail-oriented analysis can give us insight into the threats that face us. The motivations and fears we normally associate with crime may not apply. The reality, determined through the analysis of real attacks and reverse engineering of attackers' code, may reveal some of the motivating factors that shape real attacks against us. If a ransomware criminal is not afraid of your ability to investigate or prosecute, your best countermeasures will be in mature disaster recovery processes, continuous security monitoring, and detail-oriented, offense-oriented testing of the vulnerabilities that give cybercriminals a foothold in your organization.