CyberSecurity SEE

The Blue Yonder Attack Linked to the New Termite Ransomware

The recent ransomware attack on supply chain management platform Blue Yonder has been linked to a new ransomware group called “Termite.” This attack impacted several downstream customers, including retail and manufacturing operations, with Blue Yonder working tirelessly to restore their systems.

According to researchers at Cyble, Termite ransomware is essentially a rebranded version of the infamous Babuk ransomware. The group behind Termite has claimed seven victims so far: two each in the U.S. and France, and one each in Oman, Germany, and Canada.

Cyble researchers analyzed a Termite ransomware binary and found it to be closely related to the Babuk ransomware. The ransomware employs various tactics to ensure maximum impact, such as invoking specific APIs to prolong the encryption process, terminating services and backup processes on victim machines, and deleting Shadow Copies and files from the recycling bin to prevent recovery.

The ransom note left by the Termite ransomware instructs victims to visit an onion site for further information. After displaying the ransom note, the malware encrypts files on the victim’s machine and appends the “.termite” extension to them. Additionally, it can locate network shares, retrieve information about shared resources, and encrypt files on network drives connected to the infected machine.
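As an added illustration from the defender's side (this is not code from the article or from Cyble), the following Python snippet flags the three behaviours the summary attributes to Termite, namely Shadow Copy deletion, backup-service termination and the ".termite" rename, over a handful of constructed endpoint events. The event tuples, the service name and the command lines are assumptions made up for the example, not observed indicators from the incident.

```python
import re
from dataclasses import dataclass

# Constructed sample events (event_type, detail), standing in for endpoint
# telemetry; none of these values come from the Blue Yonder incident.
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("process", r"C:\Windows\System32\net.exe stop BackupSvc"),
    ("process", r"C:\Windows\System32\notepad.exe report.txt"),
    ("file_rename", r"D:\shares\finance\q3.xlsx -> D:\shares\finance\q3.xlsx.termite"),
    ("file_rename", r"C:\Users\a\draft.docx -> C:\Users\a\draft_v2.docx"),
]

# Patterns for the behaviours the article describes. The service-name
# heuristic (any stopped service containing "backup") is an assumption.
SHADOW_COPY_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
BACKUP_SERVICE_STOP = re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*backup\S*", re.I)
TERMITE_RENAME = re.compile(r"->\s+.*\.termite$", re.I)


@dataclass
class Alert:
    rule: str
    detail: str


def detect(events):
    """Return one Alert per event that matches a Termite-style behaviour."""
    alerts = []
    for kind, detail in events:
        if kind == "process" and SHADOW_COPY_DELETE.search(detail):
            alerts.append(Alert("shadow_copy_deletion", detail))
        elif kind == "process" and BACKUP_SERVICE_STOP.search(detail):
            alerts.append(Alert("backup_service_stop", detail))
        elif kind == "file_rename" and TERMITE_RENAME.search(detail):
            alerts.append(Alert("termite_extension", detail))
    return alerts


def summarize(alerts):
    """Count alerts per rule; several distinct rules firing on one host is a
    stronger signal of an encryption run than any single admin-like command."""
    counts = {}
    for alert in alerts:
        counts[alert.rule] = counts.get(alert.rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(f"[{alert.rule}] {alert.detail}")
    print(summarize(found))
```

Treat the single-rule hits as leads for triage; in the constructed sample all three rules fire together, which is the combination worth paging on.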

Cyble researchers view Termite ransomware as a new and growing threat in the cyber landscape, emphasizing the need for robust cybersecurity measures, proactive threat intelligence, and incident response strategies to combat evolving ransomware tactics. The attack on Blue Yonder highlights the appeal of the software supply chain for threat actors, as they can impact multiple companies in one attack.

For a more in-depth analysis of Termite ransomware, including indicators of compromise (IoCs) and MITRE ATT&CK techniques, you can refer to the full Cyble blog on the subject. This incident serves as a stark reminder of the ever-present threat of ransomware attacks and the importance of staying vigilant and implementing strong cybersecurity measures to protect against them.
