Cyber Crime
Khalsa Cyber Fauj Launches Ransomware Attack In Support of Farmers’ Agitation
Indian farmers have been protesting since September 2020 in response to three farm laws passed by India’s Parliament. Calling the new laws anti-farmer, several farmer unions and leaders have resorted to protest. Until now the protests have taken the form of blocked borders and highways, among others, but they have now spread to the cyber world.
Quick Heal Security Labs has discovered ransomware known as “SARBLOH RANSOMWARE” that appears to be linked to the farmers’ protest. The attack distributes a malicious document that downloads the ransomware. Other cyber security firms, including Malwarebytes and Cyble, have also detected the new ransomware, known as ‘Sarbloh’. It is distributed through malicious Word documents that contain a political message in support of Indian farmers. Researchers say the campaign is the work of a group that appears to call itself ‘Khalsa Cyber Fauj’.
Unlike other ransomware, which demands a payment from the victim in exchange for restoring access to the data, the Sarbloh ransomware attack is directed at India and has a political agenda linked to the country’s farmers’ protests. Users can be targeted by spear-phishing email campaigns that contain malicious documents.
When this ransomware payload infiltrates the system via malicious documents and remains undetected, it encrypts and locks files on the system such as audio, photographs, video, databases, and other critical documents. The encrypted files are then renamed with the “.sarfbloh” extension. Finally, the malware drops a “README SARBLOH.txt” ransom note or displays a lock screen message requesting a ransom. The ransom note, in this case, is linked to the farmer protests in India.
Because it uses both a dynamically generated AES encryption key and the attackers’ own RSA public key, which is stored inside the document itself, files encrypted by the Khalsa Cyber Fauj’s Sarbloh ransomware cannot be decrypted.
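A triage sweep for the artefacts described above, added here as an example and not taken from any vendor's tooling: it walks a directory tree, counts renamed files and ransom notes per directory, and reports the earliest modification time among renamed files as a rough start of encryption. The function names are hypothetical and the indicator values are the ones printed in this article, so confirm them against a vendor report before use.

```python
import os
from collections import defaultdict
from datetime import datetime, timezone

# Indicators exactly as printed in this article; confirm them against a
# vendor report before relying on them, and pass overrides if they differ.
ENCRYPTED_EXT = ".sarfbloh"
NOTE_NAME = "README SARBLOH.txt"


def _norm(name):
    # Assumption: compare case-insensitively and treat "_" like a space.
    return name.lower().replace("_", " ")


def sweep(root, ext=ENCRYPTED_EXT, note=NOTE_NAME):
    """Walk root and summarise, per directory, renamed files and ransom notes."""
    hits = defaultdict(lambda: {"encrypted": 0, "note": False, "first_mtime": None})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if _norm(name) == _norm(note):
                hits[dirpath]["note"] = True
            elif name.lower().endswith(ext.lower()):
                entry = hits[dirpath]
                entry["encrypted"] += 1
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # unreadable file: still counted, no timestamp
                if entry["first_mtime"] is None or mtime < entry["first_mtime"]:
                    entry["first_mtime"] = mtime
    return dict(hits)


def earliest_encryption(hits):
    """Earliest mtime across renamed files: approximates when encryption began."""
    times = [h["first_mtime"] for h in hits.values() if h["first_mtime"] is not None]
    return min(times) if times else None


if __name__ == "__main__":
    import sys
    result = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, info in sorted(result.items()):
        print(f"{directory}: {info['encrypted']} renamed file(s), note={info['note']}")
    first = earliest_encryption(result)
    if first is not None:
        print("earliest renamed-file mtime:", datetime.fromtimestamp(first, timezone.utc).isoformat())
```

Directories that contain a note but no renamed files, or the reverse, are worth a closer look because they can mark where encryption was interrupted.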
The full text of this ransom note can be read below:
YOUR FILES ARE GONE!!!
THEY WILL NOT BE RECOVERABLE UNTIL THE DEMANDS OF THE FARMERS HAVE BEEN MET
WHAT HAPPENED TO THEM?
Using military grade EnCryPtiOn all the files on your system have been made useless.
India, Sikhs have long been the face against the oppression placed upon them.
Each time we have resisted.
Today you come for the very throats of Hindu, Sikh, and Muslim farmers by trying to take their livelihood.
You will not succeed in your sinister ways.
The two-sided sword of the Khalsa is at any moments notice. Tyaar bar tyaar.
Wherever our blood is spilled, the tree of Sikhi uproots from there.
If your intentions for the farmer’s are pure and
you wish to help them, this is not the way.
Halemi Raj, Sikh Raj, was not this way.
If the laws are not repealed. Your fate is no
different to what the Khalsa did to Sirhind.
Waheguru Ji Ka Khalsa, Waheguru Ji Ki Fateh
Khalsa Cyber Fauj
In recent years, ransomware has become one of the most common cybersecurity threats. The current pandemic has played a major role in the rise in ransomware. In 2020, there will be an increase in ransomware attacks as more workers operate from home.