There are lots of malware families. Russian hackers, scammers, and such are basically celebrated in Russia for attacking the west. But they get in big trouble if they screw anything up inside Russia. Hence, the "safety mechanism" here.

Yes, but this is a specific safety mechanism, why this is over others?

It's simple for the malware to check. For instance, you don't want to hit a Russian oligarch's laptop w/ ransomware just because his GPS says he is in another country. You don't want to trust the outbound ip because they might be on a VPN, etc. This is more broad and simple and easy. Can you think of a better way?

You could check what language the operating is set to, or the browser bookmarks /history to name a couple.

Checking installed keyboards is somewhat obscure and sounds like something someone cleverly came up with and I'm interested in how is sprea

Language wouldn't work, many bilingual people prefer to have their UI language set to English even if it's not their native language.

convergent evolution

If you look at how it's compiled you can tell if it's using the same code, or if they converged to use similar strategies.

I read that only a few parties create ransomware, and they then charge a subscription to the end hackers to us it.