Termite is quickly making a name for itself in the ransomware space. The threat actor group claimed responsibility for a November cyberattack on Blue Yonder, a supply chain management solutions company, according to CyberScoop. Shortly afterward, the group was linked with zero-day attacks on several Cleo file transfer products.
How much damage is this group doing, and what do we know about Termite’s tactics and motives?
New Gang, Old Ransomware
Termite is quickly burrowing into the ransomware scene. While its name is new, the group is using a modified version of an older ransomware strain: Babuk. This strain of ransomware has been on law enforcement’s radar for quite some time. In 2023, the US Department of Justice indicted a Russian national for using various ransomware variants, including Babuk, to target victims in multiple sectors.
Babuk first arrived on the scene in December 2020, and it was used in more than 65 attacks. Actors using this strain demanded more than $49 million in ransoms, netting as much as $13 million in payments, according to the US Justice Department.
While Babuk has reemerged, different actors may very well be behind its use in Termite’s recent exploits.
“Babuk ransomware was leaked back in 2021. The builder is basically just the source code so that anyone can compile the encrypting tool and then run their own ransomware campaign,” says Aaron Walton, threat intelligence analyst at Expel, a managed detection and response provider.
How is Termite putting the ransomware to work?
“Researchers have found that the group’s ransomware uses a double extortion strategy, which is very common these days,” Mark Manglicmot, senior vice president of security services at cybersecurity company Arctic Wolf, tells InformationWeek. “They extort the victim for a decryptor to prevent the release of stolen data publicly.”
A new ransomware group is not automatically noteworthy, but Termite’s aggression and large-scale attacks early on in its formation make it a group to watch.
“Usually, these groups start with smaller instances and then they kind of build up to something bigger, but this new group didn’t waste any time,” says Manglicmot.
Termite’s Victims
Termite appears to be a financially motivated threat actor. “They’re attacking victims in various countries across different verticals,” says Jon Miller, CEO and cofounder of anti-ransomware platform Halcyon. “The fact that they’re executing without a theme makes me feel like they’re opportunist-style hackers.”
Termite has hit 10 victims so far, in sectors including automotive manufacturing, oil and gas, and government, according to Infosecurity Magazine.
The group does have victims listed on its leak site, but it’s possible there are more. “Maybe we could guess that there could be another handful that have paid ransom or have negotiated to stay off of [the] data leak site,” says Walton.
Given the group’s aggression and opportunistic approach, it could conceivably execute disruptive attacks on other large companies.
“Termite seems to be bold enough to impact numerous organizations,” says Walton. “That’s usually a risky tactic that really brings the heat on you much faster than just … hitting one organization and avoiding anything that could seriously damage supply lines.”
The attack on Blue Yonder caused significant disruption to many organizations. Termite claims it has 16,000 email lists and more than 200,000 insurance documents among a total of 680GB of stolen data, according to Infosecurity Magazine.
The ransomware attack caused outages for Blue Yonder customers, including Starbucks and UK supermarket companies Morrisons and Sainsbury’s, according to BleepingComputer.
Termite’s exploitation of a vulnerability in several Cleo products is impacting victims in multiple sectors, including consumer products, food, shipping, and trucking, according to Huntress Labs.
Ongoing Ransomware Risks
Whether Termite is here to stay or not, ransomware continues to be a risk to enterprises. “With certain areas of the globe being destabilized, we could see even more of these types of behaviors pop up,” says Manglicmot.
As business leaders assess the risk their organizations face, Miller advocates for learning about the common tactics that ransomware groups use to target victims.
“It’s really important for people to go out and educate themselves on what ransomware groups are targeting their vertical or like-sized companies,” he says. “The majority of these groups use the exact same tactics over and over again in all their different victims.”
