Emerging Ransomware Group Termite Claims Attack on Blue Yonder
2024-12-7 05:49:17 Author: securityboulevard.com (view original) Reads: 11

The threat group that is claiming to be behind the high-profile ransomware attack last month on software-as-a-service (SaaS) provider Blue Yonder is relatively new to threat intelligence researchers, having started its leak site in late October.

Given how new the Termite ransomware group is, it’s concerning that it has the ability to attack such a large and established company as Blue Yonder, a subsidiary of Panasonic whose 3,000-plus customers include such major corporations as 3M, Bayer, Advance Auto Parts, Microsoft, Procter & Gamble, Western Digital, and BSF.

“When thinking about new ransomware groups, we typically see them work up to larger breaches such as the one on Blue Yonder, making this group one to keep an eye on,” said Mark Manglicmot, senior vice president of security services at Arctic Wolf, noting that a report by his company last year found that 82% of organizations with data posted to ransomware leak sites in the first half of 2023 were SMBs with fewer than 1,000 employees. “What is interesting here is the ability for a relatively new group to go after such a large business out of the gate, and seemingly successfully.”

Termite reportedly took responsibility for the Blue Yonder attack Friday on its leak site, claiming it had stolen 680GB of data. The threat actors wrote that the data include databases, more than 16,000 email lists, more than 200,000 reports, and insurance documents.

Some Blue Yonder Customers Back Online

Blue Yonder initially talked about the attack on its website November 21, saying it “experienced disruptions to its managed services hosted environment.” The attack affected the operations of coffee chain Starbucks, a Blue Yonder customer that had to switch to manual operations for such tasks as employee scheduling and time tracking.

Two U.K. grocery chains, Morrisons and Sainsbury’s, also were affected by the attack. It’s unclear how many Blue Yonder customers were impacted by the ransomware incident, though in its latest update, Blue Yonder wrote that it was “making good progress, several of our impacted customers have been brought back online, and we are actively working directly with others to return them to normal business operations.”

Threat Group Uses Babuk Ransomware Variant

Threat intelligence vendor Cyjax wrote about Termite days before the attack on Blue Yonder, writing that up to that point, the group’s list site included five victims. The researchers described Termite as an English-speaking group that steals data from organizations and follows with threats to leak the information on its TOR-hosted leak site if the ransom isn’t paid.

They pegged Termite as emerging before November 12 and noted that the victim list at the time spanned not only multiple localities but also varying industries, from a U.S. auto-parts supply company and water treatment in France to an oil company in Oman, an education organization in Canada, and a non-governmental organization in Germany.

In a report in late November, Broadcom researchers said the Termite actors appear to be using a modified version of the notorious Babuk ransomware, which encrypts targeted files when executed on a victim’s machine, appends a “termite” extension to them, and drops a brief ransom note. The note also includes the group’s Onion website, a support token, and an email address.
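The two host-level artifacts the Broadcom report describes, a burst of files renamed with a “termite” extension and a ransom note dropped alongside them, are the kind of thing an endpoint detection rule can key on. The script below is an added example and not code from the article, Broadcom, or Trend Micro: it parses constructed file-system event lines, counts renames to the `.termite` extension per host in a sliding time window, and flags a ransom-note creation. The event format, the 20-renames-in-60-seconds threshold, the process names, and the ransom-note filename are all assumptions, since the article gives none of them.

```python
"""Sliding-window detection for mass ".termite" renames plus a ransom-note drop.

Added example (not from the article or any vendor). Assumed, not from the page:
the pipe-delimited event format, the burst threshold, the process names, and
the ransom-note filename placeholder.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".termite"                        # extension reported by Broadcom (from the article)
RANSOM_NOTE_PLACEHOLDER = "RANSOM_NOTE_PLACEHOLDER.txt"  # real note name not given on the page
BURST_COUNT = 20                                  # assumed tuning value
BURST_WINDOW = timedelta(seconds=60)              # assumed tuning value


def build_sample_log():
    """Constructed events: timestamp|host|process|action|path (not real telemetry)."""
    base = datetime(2024, 12, 6, 10, 0, 0)
    lines = []
    # ws01: 25 renames in 25 seconds, then a note dropped (looks like the described behaviour)
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts}|ws01|unknown.exe|rename|C:\\Users\\alice\\Docs\\report{i}.docx.termite")
    ts = (base + timedelta(seconds=26)).isoformat()
    lines.append(f"{ts}|ws01|unknown.exe|create|C:\\Users\\alice\\Docs\\{RANSOM_NOTE_PLACEHOLDER}")
    # ws02: three matching renames spread over ten minutes, below the burst threshold
    for i in range(3):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts}|ws02|explorer.exe|rename|C:\\Users\\bob\\Docs\\notes{i}.txt.termite")
    # ws03: an ordinary rename with no suspicious extension
    lines.append(f"{base.isoformat()}|ws03|winword.exe|rename|C:\\Users\\carol\\Docs\\draft.docx")
    return lines


def parse_event(line):
    ts, host, process, action, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "process": process, "action": action, "path": path}


def detect(lines, burst_count=BURST_COUNT, window=BURST_WINDOW):
    """Return one alert per host for a rename burst, plus one per ransom-note creation."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(list)     # host -> timestamps of .termite renames inside the window
    alerted_hosts = set()
    alerts = []
    for ev in events:
        if ev["action"] == "create" and ev["path"].endswith(RANSOM_NOTE_PLACEHOLDER):
            alerts.append({"host": ev["host"], "rule": "ransom_note_dropped",
                           "process": ev["process"]})
        if ev["action"] != "rename" or not ev["path"].lower().endswith(ENCRYPTED_EXT):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop renames that fell out of the window
            q.pop(0)
        if len(q) >= burst_count and ev["host"] not in alerted_hosts:
            alerted_hosts.add(ev["host"])
            alerts.append({"host": ev["host"], "rule": "termite_rename_burst",
                           "count": len(q), "process": ev["process"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The burst rule fires once per host, at the moment the window first holds `BURST_COUNT` renames, so the responder gets the offending process name rather than a flood of repeated alerts; the slow trickle on ws02 stays below the threshold, which is the trade-off any rate-based rule makes.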

“When victims connect to their website, they are presented with a form designed for direct communication with the attackers,” the researchers wrote. “The form includes fields for entering the company name, a description of the situation, the victim’s full name, an email address, and a ‘support token.’”

Typical Tactics and a Few Hiccups

They added that Termite likely uses the same tactics that other ransomware groups do, including gaining initial access through phishing, security flaws, or stolen credentials bought on the dark web. They escalate privileges to take control of networks and exfiltrate data while encrypting files. The group also disables backups and defenses to make it more difficult for organizations to recover their data, and the demand note calls for ransom payments to be made in cryptocurrency.

Trend Micro researchers on X (formerly Twitter) wrote about some hitches in the group’s ransomware, including a code execution flaw that leads to it terminating prematurely, adding that “designed for single file encryption, a coding error calls ExitProcess instead of encrypting, indicating ongoing development.”

“These technical hiccups show Termite is still refining their malware,” they wrote. “This is a critical time for organizations to reinforce their cyberdefenses before the group becomes more sophisticated. As Termite evolves, so should our cybersecurity strategies.”

Source: https://securityboulevard.com/2024/12/emerging-ransomware-group-termite-claims-attack-on-blue-yonder/