Emerging Ransomware Operator Termite Claims Blue Yonder Attack
A new ransomware gang, “Termite,” has claimed responsibility for a cyberattack on IT supplier Blue Yonder, causing significant disruptions for companies like Starbucks and grocery chains last month.
Termite announced the breach on its Dark Web site, listing Blue Yonder among seven compromised organizations, PCMag reports.
The group claims to have stolen 680GB of sensitive data, including database dumps, email lists, and over 200,000 documents, and hinted at plans to leak the information.
Blue Yonder, based in Arizona, provides supply chain management software to over 3,000 organizations, including major companies like Walgreens, Albertsons, DHL, and Anheuser-Busch.
The breach, which began on November 21, has alarmed the industry due to Blue Yonder’s critical role in logistics and retail operations. The company stated it is making progress in restoring affected systems and assisting impacted clients.
Termite, a recently emerged ransomware group, is known for targeting diverse sectors, including government agencies, education, and automotive suppliers. It uses a modified version of the Babuk ransomware, encrypting files with a ".termite" extension and delivering ransom notes.
The gang likely gains initial access through phishing emails, stolen credentials, and software vulnerabilities. Experts warn that, with no decryption tool available for Termite's encryptor, its attacks are particularly damaging and can cause prolonged operational disruptions.
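The one host-level artifact the article names is the ".termite" extension appended to encrypted files. As an added example (not code from the article or from Halcyon), the following Python script shows how a responder could sweep a list of recent file-modification events for that extension, group hits by directory, and flag the burst of renames that mass encryption produces. The event list, paths, timestamps, window and threshold are all constructed for illustration; the article gives no ransom-note file name, so the check keys on the extension alone.

```python
import os
from collections import Counter
from datetime import datetime, timedelta

# Extension the article reports for Termite's Babuk-derived encryptor.
TERMITE_EXT = ".termite"


def termite_indicators(file_events, window=timedelta(minutes=5), threshold=20):
    """Scan (path, mtime) events for Termite-style encryption artifacts.

    file_events: iterable of (path, datetime) for recently modified files,
                 e.g. from an EDR file-event export or a filesystem walk.
    window / threshold: a burst is `threshold` or more *.termite files
                 modified inside any `window`-long span (values assumed).
    Returns a summary dict; nothing is printed so callers can act on it.
    """
    hits = sorted((t, p) for p, t in file_events if p.lower().endswith(TERMITE_EXT))
    per_dir = Counter(os.path.dirname(p) for _, p in hits)

    # Sliding window over the sorted timestamps to detect a rename burst.
    times = [t for t, _ in hits]
    burst = False
    j = 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        if i - j + 1 >= threshold:
            burst = True
            break

    return {
        "termite_files": len(hits),
        "directories": dict(per_dir),
        "burst": burst,
    }


def walk_for_indicators(root, **kwargs):
    """Convenience wrapper: build the event list from a real directory tree."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                events.append((full, datetime.fromtimestamp(os.stat(full).st_mtime)))
            except OSError:
                continue  # file vanished or is unreadable; skip it
    return termite_indicators(events, **kwargs)


# Constructed sample: 25 spreadsheets renamed within ~72 seconds on one
# share, one untouched file, and a single stray hit elsewhere an hour later.
_BASE = datetime(2024, 11, 21, 3, 0, 0)
SAMPLE_EVENTS = [
    (f"/srv/share/finance/report_{i}.xlsx{TERMITE_EXT}", _BASE + timedelta(seconds=3 * i))
    for i in range(25)
]
SAMPLE_EVENTS += [
    ("/srv/share/finance/notes.txt", _BASE),
    (f"/srv/share/hr/payroll.csv{TERMITE_EXT}", _BASE + timedelta(hours=1)),
]

if __name__ == "__main__":
    print(termite_indicators(SAMPLE_EVENTS))
```

In practice the event list would come from an EDR file-activity export or `walk_for_indicators()` on a mounted share; the burst flag is what separates a live encryption run from a handful of stale artifacts left after an earlier incident.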
Takeaway: Termite first emerged mid-November 2024 and quickly gained attention for targeting a diverse range of organizations spanning multiple sectors and countries.
Among their confirmed victims are the U.S.-based auto-parts supplier Nifast Corporation, the French water treatment company Culligan France, the Omani oil company OQ, Germany’s Lebenshilfe Heinsberg (an NGO), and Canada’s Conseil Scolaire Viamonde, an educational institution.
Interestingly, while Viamonde reported a disruptive cyber incident in October 2024, it remains unclear if Termite was directly responsible. Termite’s operations are shrouded in mystery, with little known about the specific tactics, techniques, and procedures they employ to compromise their targets.
Unlike many established ransomware groups, Termite has not yet disclosed how they gain access to systems or deploy their malicious software. So far, there is no evidence linking Termite to any other cybercriminal organizations, suggesting they operate independently.
Central to their strategy is their English-language data leak site (DLS), where Termite lists their victims and provides descriptions of the attacks. Despite maintaining this platform, the group has not yet released any stolen data from the organizations they have claimed to compromise.
This restraint may indicate a strategic approach, potentially using the threat of exposure as leverage in ransom negotiations.
The site also includes a “support” page offering contact methods via Tox, Jabber, and Telegram, suggesting that Termite aims to portray a façade of professionalism, akin to a legitimate penetration testing operation.
Financial gain appears to be Termite's sole motivation. Unlike ideologically driven cyber groups, they have not issued political manifestos or operational guidelines.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.