What Do We Know About the New Ransomware Gang Termite?

Termite made a splashy entrance into the ransomware scene with a disruptive attack on SaaS company Blue Yonder.

Carrie Pallardy, Contributing Reporter

December 12, 2024


Termite is quickly making a name for itself in the ransomware space. The threat actor group claimed responsibility for a November cyberattack on Blue Yonder, a supply chain management solutions company, according to CyberScoop. Shortly afterward, the group was linked with zero-day attacks on several Cleo file transfer products.

How much damage is this group doing, and what do we know about Termite’s tactics and motives?  

New Gang, Old Ransomware 

Termite is rapidly burrowing into the ransomware scene. While its name is new, the group is using a modified version of an older ransomware strain: Babuk. This strain of ransomware has been on law enforcement’s radar for quite some time. In 2023, the US Department of Justice indicted a Russian national for using various ransomware variants, including Babuk, to target victims in multiple sectors.  

Babuk first arrived on the scene in December 2020, and it was used in more than 65 attacks. Actors using this strain demanded more than $49 million in ransoms, netting up to $13 million in payments, according to the US Justice Department.  

While Babuk has reemerged, different actors could very well be behind its use in Termite’s recent exploits.  

“Babuk ransomware was leaked back in 2021. The builder is basically just the source code so that anyone can compile the encrypting tool and then run their own ransomware campaign,” says Aaron Walton, threat intelligence analyst at Expel, a managed detection and response provider.  


How is Termite putting the ransomware to work? 

“Researchers have found that the group’s ransomware uses a double extortion method, which is very common these days,” Mark Manglicmot, senior vice president of security services at cybersecurity company Arctic Wolf, tells InformationWeek. “They extort the victim for a decryptor to prevent the release of stolen data publicly.”  

A new ransomware group is not automatically noteworthy, but Termite’s aggression and large-scale attacks early on in its formation make it a group to watch.  

“Usually, these groups start with smaller instances and then they kind of build up to something bigger, but this new group didn’t waste any time,” says Manglicmot. 

Termite’s Victims 

Termite appears to be a financially motivated threat actor. “They’re attacking victims in different countries across different verticals,” says Jon Miller, CEO and cofounder of anti-ransomware platform Halcyon. “The fact that they’re executing without a theme makes me feel like they’re opportunist-style hackers.”  


Termite has hit 10 victims thus far, in sectors including automotive manufacturing, oil and gas, and government, according to Infosecurity Magazine.  

The group does have victims listed on its leak site, but it is possible there are more. “Maybe we could guess that there might be another handful that have paid ransom or have negotiated to stay off of [the] data leak site,” says Walton.  

Given the group’s aggression and opportunistic approach, it could conceivably execute disruptive attacks on other large companies.  

“Termite seems to be bold enough to impact a large number of organizations,” says Walton. “That is normally a risky tactic that really brings the heat on you much faster than just … hitting one organization and avoiding anything that could severely damage supply lines.” 

The attack on Blue Yonder caused significant disruption to many organizations. Termite claims it has 16,000 e-mail lists and more than 200,000 insurance documents among a total of 680GB of stolen data, according to Infosecurity Magazine.  

The ransomware attack caused outages for Blue Yonder customers, including Starbucks and UK supermarket companies Morrisons and Sainsbury’s, according to Bleeping Computer.  

Termite’s exploitation of a vulnerability in several Cleo products is impacting victims in multiple sectors, including consumer products, food, shipping, and trucking, according to Huntress Labs.   


Ongoing Ransomware Risks 

Whether Termite is here to stay or not, ransomware continues to be a risk to enterprises. “With certain areas of the globe being destabilized, we could see even more of these types of behaviors pop up,” says Manglicmot.  

As enterprise leaders assess the risk their organizations face, Miller advocates for learning about the common tactics that ransomware groups use to target victims.  

“It’s really important for people to go out and educate themselves on what ransomware groups are targeting their vertical or like-sized companies,” he says. “The majority of these groups use the exact same tactics over and over again in all their different victims.” 

About the Author

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.
