The November ransomware attack on supply chain software provider Blue Yonder, which disrupted large customers including Starbucks, Sainsbury's and Morrisons, has been claimed by the Termite ransomware group.
On its data leak site, the group claims to have stolen 680GB of data, including more than 16,000 email lists that it says it plans to use for future attacks, and more than 200,000 insurance documents.
Blue Yonder has yet to comment on the ransomware group's claim, but said in a December 6 update that it was working with external cybersecurity experts to address these claims.
Termite has claimed attacks against several organizations across various sectors, including government agencies, oil and gas, and automotive manufacturing. It was previously responsible for an attack on the government of La Réunion, a French overseas department in the Indian Ocean.
The group has claimed 10 victims worldwide, though many have not yet confirmed whether they were targeted. The group appears to focus primarily on Europe and North America.
Reports suggest that the group has been active since April 2024.
A Possible New Babuk Variant
Cyber threat intelligence analysts from Cyble have analyzed binaries of the ransomware payload deployed by Termite.
The threat intelligence provider assessed that the new ransomware group is essentially a rebranding of the notorious Babuk ransomware.
Broadcom has also noted the link between Termite and Babuk. It described the Termite logo as featuring a blue stylized termite integrated with circuit-like pathways.
Mikhail Pavlovich Matveev, aka WazaWaka, was allegedly arrested by the Russian authorities in early December. A 2023 US indictment described him as the leader of the Babuk ransomware group.
How Termite Ransomware Infects Victims' Devices
Upon execution, the Termite ransomware calls the SetProcessShutdownParameters API to lower its own shutdown priority, so that it is among the last processes Windows terminates if the system is shut down mid-encryption, maximizing encryption time. It also obtains a handle to the Service Control Manager with the OpenSCManagerA() API so that it can stop services on the victim's machine that would otherwise hold files open and disrupt encryption.
With that handle, the ransomware enumerates the services on the victim's machine and retrieves their names, looking specifically for Microsoft's Hyper-V Virtual Machine Management service (VMMS) and virtual machine backup and recovery products such as Veeam's.
It also enumerates running processes and terminates any that match its hardcoded list, so that open file handles do not block encryption.
It then launches several processes to inhibit system recovery and empties the Recycle Bin, so that the victim cannot recover deleted files after encryption.
After counting the processors on the targeted machine, which Babuk-derived code uses to size its pool of encryption threads, Termite drops a ransom note titled "How To Restore Your Files.txt", encrypts files on the victim's machine and appends the ".termite" extension to them.
Like Babuk, Termite appends the marker string "choung dong looks like hot dog" at the end of each encrypted file, one of the clearest indicators of shared code between the two families.
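The three host artifacts described above (the ".termite" extension, the "How To Restore Your Files.txt" note and the Babuk footer string) are what an incident responder would sweep a file server or mounted disk image for. The triage scanner below is an added example written for this page, not Cyble's or Blue Yonder's code. It assumes only that the footer string sits somewhere in the last 4 KiB of an encrypted file, since the exact footer layout is not stated above, and the sample directory tree it builds is constructed data, not a real capture.

```python
"""Triage scanner for Termite (Babuk-derived) encryption artifacts.

Read-only: it walks a directory, buckets files by which indicators they
carry, and summarises a verdict.  Assumptions are marked inline.
"""
import os
import tempfile

TERMITE_EXT = ".termite"
RANSOM_NOTE = "How To Restore Your Files.txt"
BABUK_MARKER = b"choung dong looks like hot dog"
# Assumption: the footer appears within the last 4 KiB of an encrypted file.
# The exact footer layout is not documented above, so the tail is searched
# rather than a fixed offset being trusted.
TAIL_BYTES = 4096


def has_babuk_marker(path, tail=TAIL_BYTES):
    """Return True if the Babuk footer string appears in the file's tail."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - tail))
        return BABUK_MARKER in fh.read()


def classify(path):
    """Map one file to an artifact class, or None if it shows no indicator."""
    name = os.path.basename(path)
    if name == RANSOM_NOTE:
        return "ransom_note"
    has_ext = name.lower().endswith(TERMITE_EXT)
    marker = has_babuk_marker(path)
    if has_ext and marker:
        return "termite_encrypted"   # both indicators: high confidence
    if marker:
        return "babuk_marker_only"   # footer but no rename: other Babuk build, or file renamed back
    if has_ext:
        return "extension_only"      # rename but no footer: truncated copy, or unrelated renaming
    return None


def scan_tree(root):
    """Walk root and bucket every flagged file (paths relative to root, '/'-separated)."""
    findings = {"termite_encrypted": [], "babuk_marker_only": [],
                "extension_only": [], "ransom_note": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            cls = classify(full)
            if cls:
                findings[cls].append(os.path.relpath(full, root).replace(os.sep, "/"))
    for bucket in findings.values():
        bucket.sort()
    return findings


def verdict(findings):
    """Collapse the buckets into one word an analyst can act on."""
    if findings["termite_encrypted"] and findings["ransom_note"]:
        return "termite"        # renamed + footer + note: matches the chain described above
    if findings["termite_encrypted"] or findings["babuk_marker_only"]:
        return "babuk_family"   # footer present: Babuk code, branding uncertain
    if findings["ransom_note"] or findings["extension_only"]:
        return "suspicious"     # a single weak indicator; needs a closer look
    return "clean"


def build_sample_tree(root):
    """Constructed sample data (not a real capture) covering each artifact class."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "budget.xlsx.termite"), "wb") as fh:
        fh.write(os.urandom(2048) + BABUK_MARKER)      # renamed, footer present
    with open(os.path.join(docs, "notes.txt.termite"), "wb") as fh:
        fh.write(os.urandom(128))                       # renamed, no footer
    with open(os.path.join(root, "archive.bak"), "wb") as fh:
        fh.write(os.urandom(512) + BABUK_MARKER)        # footer, not renamed
    with open(os.path.join(docs, RANSOM_NOTE), "w") as fh:
        fh.write("constructed placeholder note\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("untouched file\n")                    # should not be flagged


def demo():
    """Build the constructed tree in a temp dir, scan it, return (findings, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = scan_tree(tmp)
        return found, verdict(found)


if __name__ == "__main__":
    found, v = demo()
    for cls, paths in found.items():
        for p in paths:
            print(f"{cls:18} {p}")
    print("verdict:", v)
```

Point `scan_tree()` at a mounted image or a suspect share rather than the constructed tree; because only the tail of each file is read, it is cheap to run across large volumes, and the "babuk_marker_only" bucket is worth keeping separate because the footer string predates the Termite branding and would also appear in other Babuk descendants.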
Cyble's Mitigation Recommendations
Cyble analysts have listed some essential cybersecurity best practices to mitigate the threat of Termite ransomware. These include:
- Avoiding opening untrusted links and email attachments without first verifying their authenticity
- Conducting regular backups and keeping those backups offline or on a separate network
- Turning on automatic software updates on your computer, mobile and other connected devices wherever possible and pragmatic
- Using a reputable antivirus and internet security software package on your connected devices, including PCs, laptops and mobiles