Many ransomware strains will abort if they detect a Russian keyboard installed (2021)
There is evidence that this worked for ransomware like Petya and for groups like Fancy Bear or Cozy Bear and Conti. Mostly because the Russian government unofficially guarantees immunity if the target is not Russian. Also, if you identify as Russian or write Russian in the chats or mails to them, they will decrypt your systems for free.
As a Russian who removed "winlockers" from so many of my not-so-tech-literate schoolmates' computers in the late 00s, I disagree :D
But those weren't as sophisticated, I suppose. They didn't encrypt files. They only displayed an uncloseable window demanding a payment. Sometimes with hilarious phrasing like "thank you for installing this quick access widget for our adult website".
I'd be surprised if there isn't malware that specifically targets systems with a Cyrillic keyboard enabled.
The best anti-malware on any version of Windows has always been to make the default account you use every day a non-admin account.
You also need to create a separate account (can just be a local account) that is a full administrator. Make sure you use a different password.
Any time you need to install something or run PowerShell/CMD as admin, it will pop up and ask for the separate login of the admin account. This is basically the default of how Linux works (sudo). It's also how any competent professional IT department will run Windows.
If an admin elevation popup happens when you haven't triggered it then you probably know something is wrong. And most malware will not be able to install.
Another benefit is that you can use a relatively normal (but obviously not too short) password for your regular account and then have something much more complicated for the admin login. This is especially great on something like "Grandma's PC" or anyone who is at higher risk of clicking on the wrong thing.
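The setup this comment describes, as an added PowerShell example that is not from the thread: one everyday standard-user account, one separate elevation-only administrator account with its own password, and UAC configured so that standard users are asked for the admin credentials on the secure desktop. The account names are placeholders; run it once from an already elevated session, and create the admin account before demoting the daily one so the machine never ends up with no administrator.

```powershell
# Added example (not from the thread): split daily use from administration.
# Account names below are placeholders for this example.
$DailyUser = 'grandma'        # the everyday, non-admin account
$AdminUser = 'grandma-admin'  # the separate admin-only account

# 1. Create the admin account with its own, longer password.
$AdminPassword = Read-Host -Prompt "Password for $AdminUser" -AsSecureString
New-LocalUser -Name $AdminUser -Password $AdminPassword -PasswordNeverExpires `
    -Description 'Elevation-only account; not for daily work'
Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser

# 2. Make sure the everyday account is NOT an administrator
#    (a standard account only needs membership in 'Users').
if (Get-LocalGroupMember -Group 'Administrators' -Member $DailyUser -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
}
Add-LocalGroupMember -Group 'Users' -Member $DailyUser -ErrorAction SilentlyContinue

# 3. Ensure UAC is on and that a standard user's elevation request prompts
#    for the admin credentials on the secure desktop (value 1), rather than
#    being auto-denied (0) or prompted on the normal desktop (3).
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $UacKey -Name 'EnableLUA'                 -Value 1 -Type DWord
Set-ItemProperty -Path $UacKey -Name 'ConsentPromptBehaviorUser' -Value 1 -Type DWord
Set-ItemProperty -Path $UacKey -Name 'PromptOnSecureDesktop'     -Value 1 -Type DWord

# 4. Show who is left in the Administrators group; the daily user should be absent.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
```

After a reboot (EnableLUA changes require one), installing software or starting an elevated PowerShell from the daily account raises a credential prompt for the admin account, which is the signal the comment mentions: a prompt you did not trigger yourself is something to refuse and investigate.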
> But is there really a downside to taking this simple, free, prophylactic approach? None that I can see
One that I immediately can think of is increased support costs due to end users unintentionally changing their keyboard. The shortcuts to change keyboards are usually not too hard to accidentally hit, and most users (especially in the US) would be unfamiliar with what they did or how to change it back.
I wonder if this is still actually the case after Brian Krebs announced it to the world in 2021.
As someone using a Russian keyboard, I still got my fair share of viruses back in the day, before I knew the basics of cybersecurity. I wonder how prevalent that actually is in the grand scheme of things, or if it's overblown in the article.
The presence of a Russian keyboard makes it attractive to NSA malware.
2021
Just add those two keys into your registry: https://github.com/Unit221B/Russian. For persistence, install the Russian keyboard driver, and switch back to your original.
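An added PowerShell example, not taken from the thread or from the Unit221B repository, of registering the Russian layout for the current user without making it the active one and then checking what an enumeration through user32!GetKeyboardLayoutList reports. It relies on the documented layout identifiers (KLID 00000419 for Russian, 00000409 for US English) and on the per-user Preload key; that the Preload entry alone is enough for the layout to be listed after the next logon on every Windows build is an assumption, so verify with the last step after logging back in.

```powershell
# Added example (not from the thread or the Unit221B repo).
# Part 1: append the Russian layout to the current user's preload list.
$Preload     = 'HKCU:\Keyboard Layout\Preload'
$RussianKlid = '00000419'   # Windows KLID for Russian; US English is 00000409

# Preload holds numbered string values "1", "2", ... whose data is a KLID.
# Value "1" is the default layout, so Russian is appended at the end and the
# user's current default layout is left untouched.
$slots   = (Get-Item $Preload).Property | Sort-Object { [int]$_ }
$present = $slots | Where-Object { (Get-ItemProperty $Preload -Name $_).$_ -eq $RussianKlid }

if ($present) {
    Write-Host "Russian layout already registered in Preload slot $present"
} else {
    $next = ([int]($slots | Select-Object -Last 1)) + 1
    Set-ItemProperty -Path $Preload -Name "$next" -Value $RussianKlid -Type String
    Write-Host "Registered $RussianKlid as Preload slot $next (takes effect at next logon)"
}

# Part 2: enumerate the layouts the *current* session exposes, using the same
# Win32 call an application (or a checker) would use. The low 16 bits of each
# returned HKL are the language id: 0x0419 = Russian, 0x0409 = US English.
Add-Type -Namespace Win32 -Name Kbd -MemberDefinition @'
[DllImport("user32.dll")]
public static extern int GetKeyboardLayoutList(int nBuff, IntPtr[] lpList);
'@

$buf   = New-Object IntPtr[] 32
$count = [Win32.Kbd]::GetKeyboardLayoutList($buf.Length, $buf)
$langs = 0..($count - 1) | ForEach-Object { $buf[$_].ToInt64() -band 0xFFFF }

'Input languages visible this session: ' + (($langs | ForEach-Object { '0x{0:X4}' -f $_ }) -join ', ')
if ($langs -contains 0x0419) {
    'Russian (0x0419) is visible to GetKeyboardLayoutList.'
} else {
    'Russian is not active in this session yet; re-check after logging off and on.'
}
```

Adding a second layout also enables the layout-switch hotkeys, which is the support cost raised earlier in the thread: a user who hits Alt+Shift by accident will suddenly be typing Cyrillic, so either tell them how to switch back or turn the hotkey off.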
The title alone is hilarious because it obviously implies, probably correctly so, that most ransomware comes from Russia.
So wouldn't the next step in this cat and mouse game be that they check if the keyboard is actually being used?
If they change it, will they make it to check the time zone as well as the keyboard layout (and possibly others)?
And they'll keep doing it because we don't make an example out of them.
I would find the why more interesting. Is there a common library virtually all ransomware uses? Are virtually all ransomware copy-pastes of each other? Is there a popular forum post detailing the trick?
I KNEW keeping a Russian keyboard to type ( ;´Д`) would have practical uses!
I wonder what DeepSeek agents would do if they discovered at some future time that the USA and China are in a kinetic war. Because we don't have the ability to analyze hidden motivations in model weights, it's impossible to predict, although it seems like it would be easy to do at least basic testing (in a sandbox) to see if it takes any unexpected actions or tries to get data from any unexpected URLs through agents.
You can't simply ask the AI what it would do in that case, because it will have been trained to deny that it has any harmful plans, and indeed it may not "know", which is a type of attack I've called "Hypnosis Threat Vector". An AI agent can be trained to be harmful, and not have any way of even self-introspecting what its "Trigger Words" are. The Trigger Words could indeed be some news headline that only China knows how to inject into the news cycle, causing many agents to notice them and then "wake up" to perform what they're "hypnotized" to do.
If you make your machine look like a malware execution sandbox, a lot of malware will terminate to avoid being analyzed. This is just part of the cat and mouse game.