# Full Report
This new ransomware group is likely a new variant of Babuk, said Cyble threat intelligence analysts.
## Analysis Summary
# Threat Actor: Termite Ransomware Group
## Attribution & Identity
* **Identification:** Termite ransomware group.
* **Associated Groups:** Assessed by threat intelligence analysts (Cyble) to be a rebranding or variant of the notorious **Babuk ransomware**.
* **Alleged Affiliation:** Potentially linked to Mikhail Pavlovich Matveev (aka WazaWaka), who was indicted in 2023 as the leader of the Babuk ransomware group and was allegedly arrested in December.
## Activity Summary
* Claimed responsibility for the November ransomware attack against supply chain software provider **Blue Yonder**, impacting major downstream customers like Starbucks, Sainsbury’s, and Morrisons.
* Claims theft of 680GB of data from Blue Yonder, including over 16,000 email lists intended for future attacks and over 200,000 insurance documents.
* Historically claimed attacks against government agencies, oil and gas, and automotive manufacturing sectors.
* Previously responsible for an attack on the government of the French island nation of La Réunion.
* Reportedly active since April 2024.
## Tactics, Techniques & Procedures
* **System Persistence/Evasion:** Uses the `SetProcessShutdownParameters` API to delay termination during system shutdown, aiming to maximize encryption time.
* **Service Disruption:** Connects to the Service Control Manager using the `OpenSCManagerA()` API to stop services and prevent disruptions during encryption.
* **Target Identification:** Enumerates running services, specifically looking for Microsoft’s Virtual Machine Management service (VMMS) or virtual machine backup/recovery systems (e.g., Veeam).
* **Process Termination:** Enumerates running processes and terminates selected processes.
* **Anti-Recovery:** Runs several processes designed to prevent system recovery and deletes all files from the Recycle Bin.
* **Encryption:** Encrypts files and appends the **`.termite`** extension. Generates a ransom note titled **“\_How To Restore Your Files.txt”** for each detected CPU.
* **Signature Appending:** Appends the signature **“\_choung dong looks like hot dog\_”** at the end of encrypted files, similar to Babuk ransomware.
* **MITRE ATT&CK IDs:** Not explicitly provided in the text.
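As an added triage example (not Cyble's or the group's code), the script below walks a directory tree and groups files by the three file-level indicators listed above: the `.termite` extension, the Babuk-style marker at the end of encrypted files, and the ransom-note filename. The footer layout and the exact bytes around the marker are assumptions, so the marker is matched anywhere within the last 512 bytes, and the note name is accepted with or without the leading underscore; the sample files are constructed inline.

```python
import tempfile
from pathlib import Path

# Indicators quoted in the TTP list above. The footer layout is not described
# there, so the marker is matched anywhere in the file tail (an assumption here).
ENCRYPTED_EXT = ".termite"
RANSOM_NOTE = "How To Restore Your Files.txt"
TRAILER_MARKER = b"choung dong looks like hot dog"

def has_trailer_marker(tail: bytes) -> bool:
    """True if the Babuk-style marker appears in the supplied file tail."""
    return TRAILER_MARKER in tail

def read_tail(path: Path, n: int = 512) -> bytes:
    """Read only the last n bytes so large encrypted files are not loaded whole."""
    with path.open("rb") as fh:
        fh.seek(max(0, path.stat().st_size - n))
        return fh.read()

def scan_tree(root: Path) -> dict:
    """Classify every file under root by extension, footer marker and note name."""
    hits = {"encrypted": [], "ext_only": [], "marker_only": [], "notes": []}
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name.lstrip("_") == RANSOM_NOTE:  # note may carry a leading "_"
            hits["notes"].append(rel)
            continue
        ext_hit = path.suffix == ENCRYPTED_EXT
        marker_hit = has_trailer_marker(read_tail(path))
        if ext_hit and marker_hit:
            hits["encrypted"].append(rel)
        elif ext_hit:
            hits["ext_only"].append(rel)  # renamed, no footer: partial or other variant
        elif marker_hit:
            hits["marker_only"].append(rel)  # footer, no rename: worth a second look
    return {k: sorted(v) for k, v in hits.items()}

def demo() -> dict:
    """Build a constructed sample tree (not real victim data), scan it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q3.xlsx.termite").write_bytes(b"\x00" * 4096 + TRAILER_MARKER)
        (root / "finance" / ("_" + RANSOM_NOTE)).write_text("constructed note body")
        (root / "notes.txt.termite").write_bytes(b"renamed only, no footer")
        (root / "report.docx").write_bytes(b"\x11" * 100 + TRAILER_MARKER + b"\x22" * 40)
        (root / "clean.txt").write_text("untouched")
        return scan_tree(root)
```

Point `scan_tree` at a mounted forensic image or a suspect share; the `ext_only` and `marker_only` buckets are where a variant that changed one indicator but not the other would surface.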
## Targeting
* **Sectors:** Government agencies, oil and gas, automotive manufacturing, and supply chain/logistics (via Blue Yonder).
* **Geography:** Primarily focuses on **Europe** and **North America**.
* **Victims:** Blue Yonder, Government of La Réunion, and unnamed victims in the sectors listed above.
## Tools & Infrastructure
* **Malware Families Used:** Termite ransomware (assessed as a Babuk variant).
* **Infrastructure (C2, domains, IPs):** None specified in the article.
## Implications
Termite represents a newly visible but likely experienced threat actor, given its connection to Babuk. Its supply chain targeting (via Blue Yonder) demonstrates the potential for significant downstream impact across multiple critical sectors (retail, logistics). The theft and stated intent to reuse stolen data (680GB, email lists) suggest potential for future extortion or secondary impact campaigns.
## Mitigations
* Avoid opening untrusted links and email attachments without first verifying their authenticity.
* Conduct regular backup practices and ensure those backups are kept **offline or segmented on a separate network**.
* Enable automatic software updates on all connected devices (PC, mobile, etc.).
* Use reputable antivirus and Internet security software packages.
* (Implied based on TTPs): Implement robust endpoint detection and response (EDR) capable of blocking API calls related to service manipulation, system shutdown parameter changes, and mass file deletion (Recycle Bin clearing).