Summary:
The recent ransomware attack on Blue Yonder was executed by a new group called “Termite,” which is a rebranding of the Babuk ransomware. The attack employs advanced techniques to encrypt files, delete recovery options, and disrupt operations. Researchers highlight the importance of robust cybersecurity measures to combat such evolving threats.
#TermiteRansomware #CyberThreats #RansomwareAttack
Keypoints:
Termite ransomware is a rebranding of the Babuk ransomware.
It targets supply chain management platforms and their customers.
The ransomware uses various APIs to maximize encryption time and prevent recovery.
It enumerates and terminates services and processes to avoid interruptions during encryption.
Termite deletes Shadow Copies and items from the Recycle Bin to hinder recovery efforts.
It encrypts files while avoiding certain system folders and file types.
The ransomware appends a unique signature to encrypted files.
It can spread through network shares and paths of the infected machine.
Recommendations include not opening untrusted links, conducting regular backups, and using reputable antivirus software.
MITRE Techniques
User Execution (T1204.002): User executes the ransomware file.
Indicator Removal: File Deletion (T1070.004): Ransomware deletes itself after execution.
File and Directory Discovery (T1083): Ransomware enumerates folders for file encryption and deletion.
Network Share Discovery (T1135): Targets network shares and paths reachable from the infected machine.
Data Encrypted for Impact (T1486): Ransomware encrypts the data for extortion.
Inhibit System Recovery (T1490): Disables automatic Windows recovery.
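The Shadow Copy deletion and recovery inhibition described in the key points and under T1490 leave a footprint in process-creation telemetry. The following is an added detection example (not code from the Cyble research or from the ransomware) that scans constructed process-creation records for well-known recovery-inhibition command lines; the log format, the rule names and the patterns are assumptions, since the page does not quote the exact commands Termite runs.

```python
import re
from collections import namedtuple

# Hypothetical detection patterns for MITRE T1490 (Inhibit System Recovery), covering
# well-known Windows recovery-inhibition commands. Tune them against your own telemetry.
T1490_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
}

Finding = namedtuple("Finding", "timestamp host rule command_line")

def parse_line(line):
    """Constructed record format: '<timestamp>|<host>|<parent image>|<command line>'."""
    parts = line.rstrip("\r\n").split("|", 3)
    return parts if len(parts) == 4 else None  # skip malformed rows instead of raising

def detect_t1490(lines):
    """Return one Finding per (record, rule) match, preserving log order."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, host, _parent, cmd = parsed
        for rule, pattern in T1490_PATTERNS.items():
            if pattern.search(cmd):
                findings.append(Finding(timestamp, host, rule, cmd))
    return findings

def rules_by_host(findings):
    """Distinct rules per host; several on one host in a short window outweigh any single hit."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.host, set()).add(f.rule)
    return grouped

# Constructed sample telemetry; these are not events from the Blue Yonder incident.
SAMPLE_LOG = r"""2024-11-21T03:10:01Z|WS01|explorer.exe|"C:\Windows\System32\notepad.exe" C:\Users\a\notes.txt
2024-11-21T03:12:44Z|WS01|cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
2024-11-21T03:12:45Z|WS01|cmd.exe|wmic shadowcopy delete
2024-11-21T03:12:46Z|WS01|cmd.exe|bcdedit /set {default} recoveryenabled No
2024-11-21T03:15:09Z|SRV02|powershell.exe|vssadmin list shadows
this line is malformed and must be skipped"""

if __name__ == "__main__":
    print(*detect_t1490(SAMPLE_LOG.splitlines()), sep="\n")
```

Listing shadow copies on SRV02 is deliberately not flagged; only deletion and recovery-disabling commands match, and WS01 trips three distinct rules within seconds, which is the pattern worth alerting on.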
IoC:
[File Hash] f0ec54b9dc2e64c214e92b521933cee172283ff5c942cf84fae4ec5b03abab55
Full Research: https://cyble.com/blog/technical-look-at-termite-ransomware-blue-yonder/