Sarbloh ransomware aims at supporting Indian Farmers’ Protest

The attackers behind Sarbloh ransomware are not looking for money neither do they demand ransom but seek support for Farmers’ Protest in India.

Hackers rarely pass up a political issue that is in the headlines. The Indian government has been facing severe backlash and protests by farmers over the Indian agriculture act of 2020, also called the Farm Bill.

The Indian government attempted to make changes to the country’s agriculture system. This presents threat actors with an ideal opportunity to benefit from the political unrest that has been going on for the past 100 days.

Hackers Exploiting Farmer Protests in India

According to researchers at Quick Heal, a new ransomware strain called Sarbloh has been detected targeting political entities linked to the farmer protests.


Researchers say this ransomware campaign is agenda-driven: its distributors are not asking for a ransom payment but are focused on keeping the targeted systems offline.

How is Sarbloh Delivered?

The Sarbloh ransomware strain encrypts documents, audio, images, databases, videos and various other file types, appending the .sarbloh extension to each. The payload is distributed through a macro-laden document containing heavily obfuscated VBA code, which arrives by email.

Figure: Malicious email

The malware distributors lure the recipient into opening the email with content that appears nationalistic. Victims are urged to enable content to view the file. If they do, the macro decodes the download URL at runtime and installs Sarbloh on the system via an executable named putty.exe.

Payload Hosted on Amazon AWS

It is worth noting that the payload is hosted on Amazon AWS (S3) and downloaded from the following URLs:

hxxps://s3.ap-south-1.amazonaws.com/ansvideo.input/transcode_input/profile16146815778005vw0qb.png

hxxp://s3.ap-south-1.amazonaws.com/ansvideo.input/transcode_input/profile16146815778005vw0qb.png

It is downloaded via the Background Intelligent Transfer Service (BITS), a mechanism recently used in various banking trojan campaigns. The ransomware executable is built in Borland Delphi. It enumerates the file system to identify many different file types and encrypts them. The executable uses strong encryption to lock the data and, once it is done, delivers the ransom note to the victim.

“The ransomware leaks a ransom note ‘README_SARBLOH.txt’ file or displays a lock screen message for demanding ransom. In this case, the ransomware note is associated with the farmer protests in India,” researchers noted.
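A host-triage check a responder could run for the artifacts described above, as an added example that is not part of the original article or Quick Heal’s research; it assumes only the .sarbloh extension and the README_SARBLOH.txt note name given here and builds its own constructed sample tree:

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators named in the article: encrypted files get the ".sarbloh"
# extension and the ransom note is dropped as "README_SARBLOH.txt".
ENCRYPTED_EXT = ".sarbloh"
NOTE_NAME = "README_SARBLOH.txt"


def scan_tree(root):
    """Walk `root` and summarise Sarbloh artifacts: total encrypted files,
    encrypted files per directory (to see which shares or profiles were
    hit) and the paths of any ransom notes."""
    encrypted = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted[dirpath] += 1
            elif name == NOTE_NAME:
                notes.append(os.path.join(dirpath, name))
    return {
        "encrypted_total": sum(encrypted.values()),
        "encrypted_by_dir": dict(encrypted),
        "notes": notes,
        "infected": bool(encrypted or notes),
    }


def build_sample_tree():
    """Constructed directory tree mimicking a hit host (demo data only,
    not taken from a real infection)."""
    root = Path(tempfile.mkdtemp(prefix="sarbloh_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx.sarbloh").write_bytes(b"\x00" * 16)
    (docs / "notes.docx.sarbloh").write_bytes(b"\x00" * 16)
    (docs / NOTE_NAME).write_text("constructed placeholder note\n")
    pics = root / "Pictures"
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")  # untouched file
    return str(root)


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Point `scan_tree` at a user profile or mounted share to get a per-directory count of affected files before deciding on restore scope.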

Are Hackers Favoring the Farmers?

Considering the ransom note’s content and the fact that the campaigners aren’t asking for payment to unlock the files, it becomes apparent, according to researchers, that they are supporting the farmers and threatening the political entities associated with the issue by encrypting their files.

Figure: Ransom note

The hackers demand that the legislation be repealed, arguing that it hurts farmers’ right to determine the prices of their produce.
