It's simple for the malware to check. For instance, you don't want to hit a Russian oligarch's laptop w/ ransomware just because his GPS says he is in another country. You don't want to trust the outbound ip because they might be on a VPN, etc. This is more broad and simple and easy. Can you think of a better way?

You could check what language the operating is set to, or the browser bookmarks /history to name a couple.

Checking installed keyboards is somewhat obscure and sounds like something someone cleverly came up with and I'm interested in how is sprea

Language wouldn't work, many bilingual people prefer to have their UI language set to English even if it's not their native language.

convergent evolution

If you look at how it's compiled you can tell if it's using the same code, or if they converged to use similar strategies.