Overview
Termite Ransomware is a relatively new and rapidly evolving ransomware group first identified in late 2024. While its origins remain unclear, it’s believed to be connected to the Babuk ransomware group, leveraging modified Babuk code. Termite’s operations demonstrate a blend of traditional ransomware techniques and modern strategies aimed at maximizing disruption and financial gain, focusing on data theft, extortion, and encryption. Its attacks have already impacted high-profile organizations across various industries globally, establishing it as a significant threat in the evolving ransomware landscape. Speculation exists regarding potential links to other prominent groups like Cl0p, based on overlapping victim targets and exploited vulnerabilities.
Known Aliases
“Termite” is the only known alias of this ransomware.
Country of Origin
The country of origin for Termite Ransomware is unknown.
Most Recent Attacks involving Termite Ransomware
- Blue Yonder (November 2024): This is the most notable attack attributed to Termite. The attack caused significant operational disruptions for several major companies that utilize Blue Yonder’s supply chain management solutions. Termite claimed to have exfiltrated 680GB of sensitive data. A notable aspect of this attack is the simultaneous listing of Blue Yonder as a victim by both Termite and the Cl0p ransomware group, fueling speculation about potential connections between the two. Blue Yonder later clarified that this attack was unrelated to a separate vulnerability in Cleo software, which was exploited by Cl0p.
- Zschimmer and Schwarz (January 30, 2025): Zschimmer and Schwarz, a company developing and producing high-performance chemical auxiliaries for various industries, was also victimized by Termite. The exact size of the data leak in this incident remains unknown.
MITRE ATT&CK Tactics and Techniques Used by Termite Ransomware
Tactic | Technique | ID | Description |
---|---|---|---|
Execution | User Execution | T1204.002 | Executes malicious code using a user’s account. |
Defense Evasion | Indicator Removal on Host | T1070.004 | Removes artifacts from the compromised system to evade detection. |
Discovery | File and Directory Discovery | T1083 | Searches for files and directories to identify targets for encryption or exfiltration. |
Discovery | Network Share Discovery | T1135 | Discovers network shares to spread the ransomware laterally. |
Lateral Movement | Remote Services | T1021 | Uses remote services (like RDP or SMB) to move laterally within the network. |
Privilege Escalation | Valid Accounts | T1078 | Uses compromised accounts to elevate privileges. |
Command and Control | Ingress Tool Transfer | T1105 | Transfers tools or payloads to the compromised system. |
Impact | Data Encrypted for Impact | T1486 | Encrypts data to render it inaccessible. |
Impact | Inhibit System Recovery | T1490 | Prevents system recovery by deleting shadow copies and clearing the Recycle Bin. |
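As an added example (not code from the original profile and not any vendor's detection content), the Python block below tags constructed Windows process-creation events with the technique IDs from the table above, concentrating on the T1490 (Inhibit System Recovery) and T1135 (Network Share Discovery) rows. The event layout (host, user, image, cmdline) and the command-line patterns are assumptions: the page does not document the exact commands Termite runs, so the rules describe generically documented shadow-copy deletion, boot-recovery tampering, Recycle Bin wiping and share enumeration rather than Termite-specific indicators.

```python
"""Added example: tag constructed Windows process-creation events with the
ATT&CK technique IDs listed in the Termite profile table.  Event layout and
command-line patterns are assumptions for illustration, not Termite IoCs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique_id: str    # ATT&CK ID from the profile table
    title: str           # short analyst-facing label
    pattern: re.Pattern  # matched against the event's command line


# Publicly documented ways ransomware in general removes recovery options
# (T1490) and enumerates shares (T1135).  Assumed patterns, not page IoCs.
RULES = [
    Rule("T1490", "Shadow copy deletion",
         re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    Rule("T1490", "Boot recovery disabled",
         re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    Rule("T1490", "Recycle Bin cleared",
         re.compile(r"\b(rd|rmdir|del)\b.*\$recycle\.bin", re.I)),
    Rule("T1135", "Network share enumeration",
         re.compile(r"\bnet1?(\.exe)?\s+(view|share)\b", re.I)),
]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c rd /s /q C:\\$Recycle.bin"},
    {"host": "srv02", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net view \\\\fileserver"},
    {"host": "srv02", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net share"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"host": "srv02", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
]


def evaluate(event: dict) -> list[str]:
    """Return the technique IDs whose rule matches this event's command line
    (deduplicated, in rule order)."""
    cmdline = event.get("cmdline", "")
    hits: list[str] = []
    for rule in RULES:
        if rule.pattern.search(cmdline) and rule.technique_id not in hits:
            hits.append(rule.technique_id)
    return hits


def scan(events: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Group (technique_id, cmdline) findings per host, preserving event order,
    so an analyst sees the chain of tagged activity on one machine together."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for event in events:
        for technique_id in evaluate(event):
            findings.setdefault(event["host"], []).append((technique_id, event["cmdline"]))
    return findings


def hosts_with_recovery_inhibition(events: list[dict]) -> list[str]:
    """Hosts showing T1490 activity: the strongest signal in this set that
    encryption is imminent or already under way, so they are isolated first."""
    return sorted(h for h, hits in scan(events).items()
                  if any(t == "T1490" for t, _ in hits))


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        for technique_id, cmdline in hits:
            print(f"{host}: {technique_id}  {cmdline}")
    print("hosts to isolate first:", hosts_with_recovery_inhibition(SAMPLE_EVENTS))
```

T1490 is the row most worth alerting on, because recovery inhibition typically precedes the T1486 encryption step and leaves a narrow window to isolate the host. Command-line regexes are a starting point only: they are trivially bypassed by obfuscated invocations, so pair them with file-system and volume-shadow telemetry and with the T1021 and T1078 authentication events the table also lists.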
Methods of Attack/Infiltration of Termite Ransomware
Termite’s initial access methods are believed to include:
- Phishing Campaigns: Targeting individuals within organizations to gain initial access.
- Exploitation of Software Vulnerabilities: Leveraging known or zero-day vulnerabilities in software to compromise systems. This includes documented exploitation of vulnerabilities in Cleo file transfer software (CVE-2024-50623 and CVE-2024-55956), although the Blue Yonder attack was later clarified to be unrelated to these Cleo vulnerabilities.
- Use of Stolen Credentials: Potentially using compromised credentials to gain unauthorized access.
Malware/Ransomware Strain(s) Used by Termite Ransomware
The primary ransomware used by Termite is a modified version of the Babuk ransomware.