Last year a new bill was passed in India, called the ‘Indian agriculture acts of 2020’. Also known as the Farm Bills, these new laws have caused social discontent among farmers, who believe they will harm their livelihoods and make it more difficult to generate revenue. The new laws remove restrictions on how farmers can sell goods and how much they can charge, which has led to thousands of Indian farmers protesting outside of New Delhi since November 2020.
A result of this discontent is a new ransomware called Sarbloh, which, according to several security firms (including Malwarebytes, Cyble, and QuickHeal), is being distributed through malicious Word documents. These documents contain a political message in support of Indian farmers and encrypt the files of any computer that opens them. It is still unknown whether the documents are sent via phishing email or through a different method. Michael Gillespie claims that Sarbloh is based on open-source ransomware known as KhalsaCrypt. Unfortunately, there are no known weaknesses.
The full message that appears once users open the document can be seen below:
“YOUR FILES ARE GONE!!!
THEY WILL NOT BE RECOVERABLE UNTIL THE DEMANDS OF THE FARMERS HAVE BEEN MET
WHAT HAPPENED TO THEM?
Using military grade EnCryPtiOn all the files on your system have been made useless.
India, Sikhs have long been the face against the oppression placed upon them.
Each time we have resisted.
Today you come for the very throats of Hindu, Sikh, and Muslim farmers by trying to take their livelihood.
You will not succeed in your sinister ways.
The two-sided sword of the Khalsa is at any moments notice. Tyaar bar tyaar.
Wherever our blood is spilled, the tree of Sikhi uproots from there.
If your intentions for the farmer’s are pure and
you wish to help them, this is not the way.
Halemi Raj, Sikh Raj, was not this way.
If the laws are not repealed. Your fate is no
different to what the Khalsa did to Sirhind.
Waheguru Ji Ka Khalsa, Waheguru Ji Ki Fateh
Khalsa Cyber Fauj”