Since last year, many farmers in India have been protesting in New Delhi in opposition to new bills passed in 2020, which remove some of the restrictions on farmers and how they sell their goods in India. In apparent support of these farmers, a new ransomware has been created and is being distributed through malicious Word document. The delivery method is unknown, but once a victim opens the Word document, it will ask the victim to enable macros to see the full content. On the surface, the document appears to be a flier in support of the farmers. Once the macros are enabled, a document called putty.exe is downloaded using the Windows utility bitsadmin.exe. Once that happens, files on the computer will start being encrypted and having their names appended. After encryption, a “READ ME” file is left behind explaining to the victim that they will not get their files back until the Indian Government repeals their new laws. There is no option to pay a ransom in this case. The ransomware is known as Sarbloh and appears to be named after the Sarbloh Granth, a book of scriptures related to Sikhism.
Analyst Notes
Sarbloh is based on the open-source ransomware known as KhalsaCrypt that has no known weaknesses. Sarbloh however, does not remove shadow volume copies so it may be possible to recover data through shadow volumes. Binary Defense suggests pairing anti-virus solutions with Endpoint Detection and Response (EDR) and a continuous monitoring and response service such as the managed security service that is offered at Binary Defense. This along with other measures like employing phishing training and awareness can give organizations the best chance at defending their data. Having a regular backup schedule and disaster recovery plan are both important for organizations to get back to full operation quickly if an attack occurs. Individuals should also keep their personal computers backed up at home in case of ransomware finding its way onto those machines.
More can be read here: https://www.bleepingcomputer.com/news/security/new-sarbloh-ransomware-supports-indian-farmers-protest/