Monday, March 17, 2025

What Do We Know About the New Ransomware Gang Termite?


Termite is rapidly making a name for itself in the ransomware space. The threat actor group claimed responsibility for a November cyberattack on Blue Yonder, a supply chain management solutions company, according to CyberScoop. Shortly afterward, the group was linked with zero-day attacks on several Cleo file transfer products.

How much damage is this group doing, and what do we know about Termite’s tactics and motives?

New Gang, Old Ransomware

Termite is quickly burrowing into the ransomware scene. While its name is new, the group is using a modified version of an older ransomware strain: Babuk. This strain of ransomware has been on law enforcement’s radar for quite some time. In 2023, the US Department of Justice indicted a Russian national for using various ransomware variants, including Babuk, to target victims in multiple sectors.

Babuk first arrived on the scene in December 2020, and it was used in more than 65 attacks. Actors using this strain demanded more than $49 million in ransoms, netting up to $13 million in payments, according to the US Justice Department.

While Babuk has reemerged, different actors may very well be behind its use in Termite’s recent exploits.

“Babuk ransomware was leaked back in 2021. The builder is basically just the source code so that anyone can compile the encrypting tool and then run their own ransomware campaign,” says Aaron Walton, threat intelligence analyst at Expel, a managed detection and response provider.


How is Termite putting the ransomware to work?

“Researchers have found that the group’s ransomware uses a double extortion strategy, which is very common these days,” Mark Manglicmot, senior vice president of security services at cybersecurity company Arctic Wolf, tells InformationWeek. “They extort the victim for a decryptor to prevent the release of stolen data publicly.”

A new ransomware group is not automatically noteworthy, but Termite’s aggression and large-scale attacks early on in its formation make it a group to watch.

“Usually, these groups start with smaller instances and then they kind of build up to something bigger, but this new group didn’t waste any time,” says Manglicmot.

Termite’s Victims

Termite appears to be a financially motivated threat actor. “They’re attacking victims in different countries across different verticals,” says Jon Miller, CEO and cofounder of anti-ransomware platform Halcyon. “The fact that they’re executing with no theme makes me feel like they’re opportunist-style hackers.”


Termite has hit 10 victims so far, in sectors including automotive manufacturing, oil and gas, and government, according to Infosecurity Magazine.

The group does have victims listed on its leak site, but it’s possible there are more. “Maybe we could guess that there might be another handful that have paid ransom or have negotiated to stay off of [the] data leak site,” says Walton.

Given the group’s aggression and opportunistic approach, it could conceivably execute disruptive attacks on other large companies.

“Termite seems to be bold enough to impact numerous organizations,” says Walton. “That’s usually a risky tactic that really brings the heat on you much sooner than just … hitting one organization and avoiding anything that could seriously damage supply lines.”

The attack on Blue Yonder caused significant disruption to many organizations. Termite claims it has 16,000 email lists and more than 200,000 insurance documents among a total of 680GB of stolen data, according to Infosecurity Magazine.

The ransomware attack caused outages for Blue Yonder customers, including Starbucks and UK supermarket companies Morrisons and Sainsbury’s, according to BleepingComputer.

Termite’s exploitation of a vulnerability in multiple Cleo products is impacting victims in several sectors, including consumer products, food, shipping, and trucking, according to Huntress Labs.


Ongoing Ransomware Risks

Whether Termite is here to stay or not, ransomware continues to be a risk to enterprises. “With certain areas of the globe being destabilized, we could see even more of these kinds of behaviors pop up,” says Manglicmot.

As business leaders assess the risk their organizations face, Miller advocates for learning about the common tactics that ransomware groups use to target victims.

“It’s really important for people to go out and educate themselves on what ransomware groups are targeting their vertical or like-sized companies,” he says. “The majority of these groups use the very same tactics over and over again in all their different victims.”


