Indian data security company Quick Heal has reportedly discovered a new ransomware called ‘Sarbloh’, which is being distributed through malicious Word documents. Once activated, the malware encrypts files and displays a political message supporting the ongoing farm protests.
According to the researchers at Quick Heal, the attack is run by a cyber group calling itself ‘Khalsa Cyber Fauj’, which infects systems and encrypts their files. The security lab has also said that the attackers are using ‘military-grade encryption’ in this attack.
Dr Darshan Pal, President, Krantikari Kisan Union, Punjab, in a statement told The Quint that the farmers’ movement does not support such methods of support under this protest. “This farmers’ movement is completely peaceful. Some websites are sending threatening messages related to the Kisan movement through software called ‘SARBLOH RANSOMWARE’ which is not related to the Samyukta Kisan Morcha or the farmer organisations of Punjab.”
But how does this attack work, and are you at risk of being attacked? Here is everything we know.
What Is Ransomware?
Ransomware, as the name suggests, is a type of malware that blocks victims from accessing their files unless a ransom is paid.
According to Berkeley Securities, ransomware variants have existed for several years and often attempt to extort money from users by displaying an on-screen alert.
This malware is a criminal money-making scheme and is installed through deceptive e-mail links, unknown files, messages or unsafe websites.
What Happened?
Cybersecurity researchers at Quick Heal discovered a ransomware called ‘Sarbloh’ that is delivered through Microsoft Office documents, hiding within the macro elements of the doc files. The hacker group calls itself ‘Khalsa Cyber Fauj’, and there is currently no information available on the existence of this group.
“The malware chain starts with an attacker crafted document file, which contains malicious macro object. Upon execution, the macro object downloads ransomware binary from attacker controlled internet server. The ransomware binary then encrypts files on victim machine and adds extension .sarbloh,” Himanshu Dubey, Director, Quick Heal Security Labs told The Quint.
All the files are then encrypted and the ‘.sarbloh’ extension is appended to their file names. For instance, if a file on your PC is named ‘pics.jpg’, it will be renamed to ‘pics.jpg.sarbloh’.
“At this point, it is not clear how the malicious document is reaching users. Likely, it is being delivered through spam emails, which is the most used delivery mechanism in such attacks,” he added. Dubey also informed that the rate of infection is unknown at this point.
How Is This Attack Linked to Farm Protests?
Usually, victims of ransomware attacks are asked to pay, and all of these details are given through an on-screen notification displayed on the victim’s computer.
Information regarding payment methods, how much the victims have to pay to get their files restored and payment deadlines is also sent through a pop-up notification.
However, the attack by Khalsa Cyber Fauj does not appear to include any contact or payment information; instead, it demands that the Centre repeal the farm laws.
“This is an unusual scenario where the attacker does not ask for any monetary ransom but demands justice for the farmer instead,” read a statement on Quick Heal’s blog post.
Here is the full text of the ransom note:
Using military grade EnCryPtiOn all the files on your system have been made useless. India, Sikhs have long been the face against the oppression placed upon them. Each time we have resisted. Today you come for the very throats of Hindu, Sikh, and Muslim farmers by trying to take their livelihood. You will not succeed in your sinister ways. The two-sided sword of the Khalsa is at any moments notice. Tyaar bar tyaar. Wherever our blood is spilled, the tree of Sikhi uproots from there. If your intentions for the farmers are pure and you wish to help them, this is not the way. Halemi Raj, Sikh Raj, was not this way. If the laws are not repealed. Your fate is no different to what the Khalsa did to Sirhind. Waheguru Ji Ka Khalsa, Waheguru Ji Ki Fateh. [sic]
How Can You Stay Safe?
Independent cybersecurity researcher Rajshekhar Rajaharia has warned PC users not to click on any unknown links. “Don't download anything from any untrusted sources. All of your files can be encrypted. It is recommended to always have files backed up and keep them stored on an unplugged storage device,” he told The Quint.
Meanwhile, Quick Heal has advised its users not to download any attachment that comes from unknown emails and messages.
“Do not enable macros in the doc received mainly from emails. They also suggest people avoid clicking on unverified links and those found in spam email. Besides, practise backing up the data so that it can be recovered in case of compromise, and keep updating antivirus solutions to stay protected,” said Dubey in a statement.