The ransomware is designed to target entities connected with the farmer protests in India, with a group called Khalsa Cyber Fauj reported to be behind the attack.
The infection vector is usually email, carrying a Word document with a political message supporting the farmer community.
India, March 10, 2021: Threat actors have consistently shown a keen awareness of current events, whether in a single country or across the globe; in the Indian context, the ongoing farmer protest against the new set of agricultural laws, commonly called the Farm Bills, is one such event. As part of its continuous monitoring and analysis of the evolving threat landscape, Quick Heal Security Labs, the threat research and response division of global cybersecurity firm Quick Heal Technologies, has discovered a new ransomware called Sarbloh, which is being distributed through malicious Word documents carrying a political message in support of the farmer community.
Unusually, this attack encrypts the files on infected devices without asking for a ransom, which is normally the key objective of any ransomware. According to the researchers, the attack is attributed to a group calling itself Khalsa Cyber Fauj, which uses what the researchers describe as military-grade encryption on the victim's files to render them useless, while delivering a message that no data will be recovered until the demands of the farmers are met. Quick Heal's users are protected from this new form of attack by its patented signatureless detection technology.
Himanshu Dubey, Director – Quick Heal Security Labs said, “Threat actors have constantly demonstrated innovation through their evolving attack strategies. The latest Sarbloh ransomware that appears to be working in favor of farmers without any monetary gains is a testimony to their growing attack abilities. At Quick Heal Technologies, we aim to protect our users through our patented signatureless, behavior-based detection technology by combating increasingly sophisticated threats in the cybersecurity ecosystem. Our unique malware detection process leverages code-injection techniques like process hollowing, code-cave attack, etc., to block such attacks. We will continue to analyze the threat environment and deploy safety measures for our users.”
For further technical analysis, please refer to this blog post.
Quick Heal advises users not to download attachments from unknown senders, whether received by email or by message, and not to enable macros in documents received by email, since enabling macros is the step that lets a malicious Word document such as this one run. It also suggests avoiding unverified links, especially those found in spam email, keeping regular backups of data so that it can be recovered in case of compromise, and keeping antivirus solutions updated to stay protected.
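Because the document describes the lure as a Word file that asks the reader to enable macros, a mail gateway or attachment-triage script can refuse or quarantine any Word attachment that contains a VBA project before a user ever sees the "Enable Content" button. The following is an added example written for this page, not Quick Heal's code and not derived from the Sarbloh sample: it relies only on the public structure of Office files (modern .docx/.docm files are ZIP containers whose macro code lives in the part `word/vbaProject.bin`, and whose `[Content_Types].xml` declares the macro-enabled main-part content type) and on the well-known OLE2 header of legacy .doc files. The function names and the sample documents are constructed for illustration.

```python
"""Flag Word attachments that carry VBA macros before anyone opens them.

Added example for illustration (not Quick Heal code, not Sarbloh itself).
Checks performed:
  * legacy binary .doc (OLE2/CFB magic): macros live in OLE streams that
    this script does not parse, so the file is flagged for manual review;
  * OOXML (.docx/.docm): flagged if word/vbaProject.bin is present OR the
    macro-enabled content type is declared (catches .docm renamed to .docx).
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / Compound File header
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def classify_word_attachment(data: bytes) -> str:
    """Return 'legacy-ole', 'macro-ooxml', 'clean-ooxml' or 'not-word'."""
    if data.startswith(OLE_MAGIC):
        # Pre-2007 .doc: cannot prove absence of macros without an OLE parser.
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-word"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "word/document.xml" not in names:
            return "not-word"           # a ZIP, but not a Word document
        if "word/vbaProject.bin" in names:
            return "macro-ooxml"        # the VBA project part itself
        if "[Content_Types].xml" in names:
            ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CT in ct_xml:
                return "macro-ooxml"    # declared macro-enabled, part missing or hidden
    return "clean-ooxml"


def should_quarantine(data: bytes) -> bool:
    """Policy: anything that is, or might be, macro-bearing is held back."""
    return classify_word_attachment(data) in {"macro-ooxml", "legacy-ole"}


# --- constructed sample files (placeholders, not real documents or malware) ---
def _build_ooxml(vba_part: bool, macro_content_type: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        main_ct = MACRO_CT if macro_content_type else PLAIN_CT
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if vba_part:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA project\x00")
    return buf.getvalue()


SAMPLE_CLEAN = _build_ooxml(vba_part=False, macro_content_type=False)
SAMPLE_MACRO = _build_ooxml(vba_part=True, macro_content_type=True)
SAMPLE_RENAMED = _build_ooxml(vba_part=False, macro_content_type=True)  # .docm posing as .docx
SAMPLE_LEGACY = OLE_MAGIC + b"\x00" * 504  # minimal fake legacy .doc header

if __name__ == "__main__":
    for label, blob in [("clean", SAMPLE_CLEAN), ("macro", SAMPLE_MACRO),
                        ("renamed", SAMPLE_RENAMED), ("legacy", SAMPLE_LEGACY),
                        ("text", b"not a document")]:
        print(f"{label:8s} {classify_word_attachment(blob):12s} "
              f"quarantine={should_quarantine(blob)}")
```

The script deliberately errs on the side of quarantine: a legacy .doc is held even though it may be harmless, because the absence of macros cannot be confirmed without parsing the OLE streams, and a renamed .docm is caught by the content-type declaration even when the VBA part is not where expected.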