Farmer Protest Activists Using Ransomware That Doesn’t Demand Money, Wants ‘Justice’ of Reversing Farm Laws 2020

A faction claiming to belong to the farmer protest is spreading Sarbloh ransomware, saying it will only release captured data once farm laws are repealed.


A select group of farmer protest activists, claiming to call themselves Khalsa Cyber Fauj, is reportedly spreading a type of ransomware called Sarbloh. Named after their file extension, the ransomware is unique in the sense that the agenda behind its spread does not involve monetary gains. Instead, the Sarbloh ransomware that is infecting user PCs state that all users who are losing their data to the ransomware will only get their computers back once the central government of India repeals the controversial farm laws that they passed in 2020. What makes things even more alarming is that the ransomware in question does not have any known weaknesses, and as a result, there aren’t any known workarounds to the Sarbloh ransomware at the moment.

The farmer protest group also claims that they do not have any monetary benefit in mind. However, the move is being done to spread even more awareness among individuals and show the intent of farmers to repeal the farm laws 2020, which have been labelled as unacceptable by most sections of the farmer communities. The Sarbloh ransomware in question uses a two-layer encryption process, where it has a randomly generated AES encryption key, and an RSA Public key on top. This makes it practically impossible to crack, and as a result, if your PC gets infected by the Sarbloh ransomware, it is unlikely that users will have any way to get their data back.

A News18 report on the matter stated that even shadow files, which are often left behind by ransomware similar to the Sarbloh one in use by the farmer protest group, are being deleted by the ransomware – hence leaving no avenue to recover data. However, while this report cites Quick Heal’s analysis of the threat, other reports such as the one by MalwareBytes on the matter claim that some data may still be recoverable. However, the security community is so far united in the notion that once affected, it is unlikely that the Sarbloh ransomware can be disengaged from the user front. There is also no ransom to pay from the user’s end, thereby making matters even trickier.

So far, no farmer protest leader has issued a statement taking ownership of the cyber attack. Word from the farmer protest groups also remain slim on whether the Khalsa Cyber Fauj in question is actually a part of the official groups of farmers protesting against the laws in various locations, or may be a separate entity cashing in on the moment to push their own agenda. Users are advised to not download any attachment from unknown emails and messages as the Sarbloh ransomware is being spread via Microsoft Word documents.