
That might be easier to believe if these ransomware strains didn't do things like automatically disable themselves on computers with Russian language support installed.


Yes, nobody in the west using a compromised Russian box for C&C would ever put such code in their ransomware payload. That would obfuscate its origin, and we all know criminals aren't clever enough for that sort of thing.

There can only be one explanation: Russian hackers operating with Putin's tacit approval. We in the west should add this to the mounting pile of "evidence" supporting going into another cold war, because that will surely improve the entire situation. Attributing the unattributable to our preconceived enemies to escalate a conflict always ends well.

Snark aside, on a technical, factual level, this simply isn't evidence of origin, not even a little bit. "Russian hackers" is such a tired punchline now that if I, being in the west, were to suddenly jump the fence after 3 decades and choose A Life Of Crime, using Russian configuration file names, UTC+3 daytime operating hours, Russian-hosted C&C IPs (or, better yet, Russia-controlled but plausibly deniable ones like Belarus or Kazakhstan), and silly stuff like skipping infection of ru-locale machines would be obvious things I would be doing to fuel this existing narrative sailwind. It's utterly silly to think that this in any way suggests origin.


Exactly, people do not understand how trivially easy it is to completely halt US investigations into internet traffic origins just by pivoting off of a box in a country which doesn't hand over its IP logs to the United States. I would imagine that, should you choose to hack a Russian target, you would pivot off of an American box (or would the US hand those logs over? I actually think they might even if Russia wouldn't reciprocate).


Russian and a bunch of other CIS countries. It could very well originate from Moldova or Kazakhstan.



