Termite Ransomware claims responsibility for Blue Yonder attack

In November, the ransomware group Termite carried out a significant cyberattack on the software supplier Blue Yonder, disrupting customers such as Starbucks, Sainsbury’s, and Morrisons. On its data leak site, the group has claimed responsibility for the attack and says it stole 680GB of data in total, including more than 16,000 email lists that it intends to use for future attacks and over 200,000 insurance documents.

Blue Yonder has yet to comment publicly on the ransomware group’s claims. In a statement released on December 6, however, the company said it is working with external cybersecurity experts to investigate the claims and to mitigate any potential fallout from the attack.

Termite is a ransomware group known for targeting a range of sectors, including government agencies, the oil and gas industry, and automotive manufacturing. It was previously behind an attack on the government of La Réunion, a French overseas department in the Indian Ocean. The group has claimed responsibility for attacks on 10 organizations worldwide, although many of those organizations have not confirmed that they were hit. Termite appears to focus primarily on entities in Europe and North America.

Cyber threat intelligence analysts from Cyble have conducted an in-depth analysis of the binaries of the ransomware implant deployed by Termite. Their assessment is that the new group is essentially a rebranding of the notorious Babuk ransomware, whose source code leaked in 2021 and has been reused by other groups since. Broadcom reached the same conclusion, also noting the link between Termite and Babuk, and described the Termite logo as a blue stylized termite integrated with circuit-like pathways.

The analysis found that Termite uses the same pre-encryption tactics as Babuk: it terminates services on the victim’s machine so that open file handles do not interrupt encryption, deletes all Volume Shadow Copies to prevent system recovery, and empties the Recycle Bin so that deleted files cannot be restored.

None of these techniques is novel; they are the standard steps ransomware takes to maximize the damage of an encryption run, inherited directly from the Babuk code. Whether the rebranding is an attempt to evade detection or serves some other purpose remains an open question.

Upon execution, the Termite ransomware calls the SetProcessShutdownParameters API to set its shutdown level so that it is among the last processes the system terminates on shutdown, maximizing the time available for encryption. It then connects to the Service Control Manager with the OpenSCManagerA() API so that it can stop services that would otherwise hold files open and disrupt encryption.

Once it has a handle to the Service Control Manager, it enumerates the services on the victim’s machine and compares their names against a built-in list, looking in particular for Microsoft’s Hyper-V Virtual Machine Management service (vmms) and backup and recovery software such as Veeam’s, and stops those it finds. It then enumerates running processes and terminates any that appear on its kill list.

To further ensure the victim cannot recover any files after encryption, it spawns several helper processes that delete the Volume Shadow Copies and remove all files from the Recycle Bin. It then queries the number of processors on the targeted device (Babuk uses this count to size its pool of encryption threads), drops a ransom note titled “How To Restore Your Files.txt”, encrypts the files on the victim’s machine, and appends the “.termite” extension to each encrypted file.

Like Babuk, Termite appends the string “choung dong looks like hot dog” to the end of each encrypted file, which makes for a simple marker when identifying files the ransomware has touched.
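As an added example (this is not code from the article, from Cyble, or from Broadcom), the following Python script shows how a defender might hunt for the behaviour described above in process-creation telemetry and check files for the two artifacts Termite leaves behind. The log records are constructed for illustration, and the specific command lines it matches (a vssadmin shadow deletion, a directory removal of $Recycle.bin, a net stop of the named services) are assumed to be typical invocations: the article states what the ransomware does, not the exact commands it runs.

```python
import re
from dataclasses import dataclass

TERMITE_EXT = ".termite"
# Trailing marker the article reports at the end of each encrypted file.
TERMITE_MARKER = b"choung dong looks like hot dog"

# Services the article says Termite looks for before encrypting:
# Hyper-V's Virtual Machine Management service and Veeam backup services.
TARGET_SERVICE_PATTERNS = [
    re.compile(r"\bvmms\b", re.I),
    re.compile(r"\bveeam", re.I),
]

# Behaviour rules over the process command line. The exact command lines
# are an assumption (typical invocations), not quoted from the article.
COMMAND_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recycle_bin_wipe", re.compile(r"\$recycle\.bin", re.I)),
    ("service_stop", re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I)),
]


@dataclass
class Finding:
    rule: str
    host: str
    command_line: str


def parse_record(line: str) -> dict:
    """Parse one 'key=value|key=value' process-creation record (constructed format)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def hunt(records: list[str]) -> list[Finding]:
    """Return one Finding per record that matches a behaviour rule."""
    findings = []
    for line in records:
        rec = parse_record(line)
        cmd = rec.get("CommandLine", "")
        for name, pat in COMMAND_RULES:
            if not pat.search(cmd):
                continue
            # A service stop is only interesting when it targets the
            # virtualization or backup services the article names.
            if name == "service_stop" and not any(
                p.search(cmd) for p in TARGET_SERVICE_PATTERNS
            ):
                continue
            findings.append(Finding(name, rec.get("Host", "?"), cmd))
    return findings


def looks_termite_encrypted(filename: str, data: bytes) -> bool:
    """True when a file carries both artifacts the article describes:
    the .termite extension and the trailing marker string."""
    return filename.lower().endswith(TERMITE_EXT) and data.endswith(TERMITE_MARKER)


# Constructed sample records (not real telemetry from any incident).
SAMPLE_RECORDS = [
    "Host=FS01|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet",
    "Host=FS01|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c rd /s /q C:\\$Recycle.bin",
    "Host=HV02|Image=C:\\Windows\\System32\\net.exe|CommandLine=net stop vmms",
    "Host=HV02|Image=C:\\Windows\\System32\\net.exe|CommandLine=net stop Spooler",
    "Host=WS07|Image=C:\\Program Files\\Notepad++\\notepad++.exe|CommandLine=notepad++.exe report.txt",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"[{f.rule}] {f.host}: {f.command_line}")
    sample = b"\x00" * 64 + TERMITE_MARKER
    print(looks_termite_encrypted("invoice.pdf.termite", sample))
```

The service-stop rule deliberately ignores stops of unrelated services (the Spooler line above) so that routine administration does not page anyone; the shadow-copy and Recycle Bin rules fire on their own because legitimate use of either command on a file server is rare enough to warrant a look.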
