Ransomware is known for malicious encryption and ransom demands, but a new threat has emerged to take it even further. Recently, ransomware called Sarbloh has been making the rounds not only encrypting data, but also sending support for farmers protesting in India in lieu of a monetary ransom.
In 2020, the Government of India passed new agriculture laws with the stated goal of modernizing and improving the agriculture industry. However, some Indian farmers are protesting to have these laws withdrawn, as they believe the new system could negatively affect their normal operations and returns.
As per reports from JoeSandbox Cloud, a group of hackers calling themselves Khalsa Cyber Fauj have taken this opportunity to combine their cyber skills and deploy Sarbloh ransomware via a malicious Microsoft Word file with a macro embedded inside it. The initial Word document is distributed through phishing campaigns; once the victim downloads and opens the document, they're prompted to "enable content," which runs the macro and starts the execution of the ransomware.
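As an added defensive check (not code from the original post or from any of the parties it describes), the following Python script flags Word attachments that carry a VBA macro project, which is what the "enable content" prompt would run. It assumes the attachment is an OOXML package; the sample packages it builds are constructed placeholders, not real documents.

```python
"""Flag Office Open XML documents that carry a VBA macro project.

Added example, not code from the original post. It assumes the attachment
is an OOXML package (a zip such as .docx/.docm); a macro lives in
word/vbaProject.bin and is declared in [Content_Types].xml.
"""
import io
import zipfile

# Content type Word declares for a VBA project part inside an OOXML package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def document_has_macro(data: bytes) -> bool:
    """Return True if the OOXML package carries a VBA project.

    Checks both the part name and the declared content type, so a renamed
    part or a misleading extension (.docx instead of .docm) does not hide it.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in types
    except zipfile.BadZipFile:
        return False  # not an OOXML package; this check does not apply
    return False


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal package for the demo; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        ct = '<?xml version="1.0"?><Types>'
        if with_macro:
            ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            pkg.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
        pkg.writestr("[Content_Types].xml", ct + "</Types>")
        pkg.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("macro", build_sample(True))):
        verdict = "macro found, hold for review" if document_has_macro(blob) else "no macro"
        print(f"{label}: {verdict}")
```

A mail gateway or endpoint script can run this on every inbound Office attachment and hold anything that returns True for review, so the "enable content" decision never reaches the user.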
What makes this situation even more concerning is that, as the ransom note states, encrypted files are unrecoverable until the farmers' demands are met. Since the protests have been ongoing since November 2020 with no end in sight, the outlook for organizations affected by Sarbloh is poor. Users are advised not to download any attachments, especially Word documents, unless they're sure about the sender, and if an attachment has already been downloaded, to avoid opening it.
The Sarbloh ransomware seems to have been developed from an open source Ransomware-as-a-Service variant called KhalsaCrypt. A weakness was previously identified in KhalsaCrypt that allows security professionals to recover encrypted data from Volume Shadow Copy snapshots, and this remains an option as long as Sarbloh doesn't receive updates that close this gap.
Remember, not all ransomware relies on a network or device vulnerability; in this case the entry point is a user enabling a macro, not an exploit. Cyber awareness is your best defense: if you stay vigilant and confirm the legitimacy of email attachments before opening them, you're a lot less likely to fall victim to Sarbloh ransomware.