The ransomware attack that hit supply chain management platform Blue Yonder and its customers last month was the work of a new ransomware group called "Termite."
Cyble Research and Intelligence Labs (CRIL) researchers have examined a Termite ransomware binary and determined that Termite is essentially a rebranding of the notorious Babuk ransomware. The Termite leak site claims seven victims so far (geographic distribution below).
We'll cover the technical details of the new Termite ransomware strain, which was first identified by PCrisk, along with MITRE ATT&CK techniques, indicators of compromise (IoCs) and recommendations.
Technical Details of Termite Ransomware
Upon execution, the ransomware invokes the SetProcessShutdownParameters(0, 0) API to ensure that its process is one of the last to be terminated during system shutdown. This tactic maximizes the time available for the ransomware to complete its encryption process.
The ransomware then attempts to terminate services on the victim's machine to prevent interruptions during the encryption process. It uses the OpenSCManagerA() API to establish a connection with the Service Control Manager, granting access to the service control manager database (image below).
After gaining access, the ransomware enumerates the services on the victim's machine to retrieve their names. It specifically looks for services such as veeam, vmms, memtas and others, and terminates them if they are found to be actively running.
The ransomware enumerates running processes using the CreateToolhelp32Snapshot(), Process32FirstW(), and Process32NextW() APIs. It checks for process names such as sql.exe, oracle.exe, firefox.exe and others and terminates them if they are actively running.
After that, the ransomware launches the vssadmin.exe process to delete all Shadow Copies, as shown in the figure below. This action is performed to prevent system recovery after the files have been encrypted.
The ransomware also uses the SHEmptyRecycleBinA() API to delete all items from the Recycle Bin, ensuring that no deleted files can be restored after encryption. Termite ransomware then attempts to retrieve system information using the GetSystemInfo() API, which collects details such as the number of processors, as shown in the figure below.
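The service kills, process kills and shadow copy deletion described above happen in sequence on one host, which makes them a good correlation target. The following example, written for this article and not part of Cyble's tooling, runs over constructed, normalised log records and alerts only when the shadow copy deletion is seen together with at least one of the other behaviours; the service and process names are the ones the report lists, and the vssadmin command line in the sample is a constructed value.

```python
"""Correlate the pre-encryption behaviours the report describes across
constructed host logs. Example code for this article, not Cyble's tooling."""
from __future__ import annotations
import json
import re
from collections import defaultdict

TARGET_SERVICES = {"veeam", "vmms", "memtas"}            # from the report
TARGET_PROCS = {"sql.exe", "oracle.exe", "firefox.exe"}  # from the report
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)

# Constructed sample records: one JSON object per line, already normalised
SAMPLE_LOG = """
{"host": "ws01", "type": "service_stop", "service": "veeam"}
{"host": "ws01", "type": "process_terminate", "image": "sql.exe"}
{"host": "ws01", "type": "process_create", "image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"host": "ws02", "type": "service_stop", "service": "Spooler"}
{"host": "ws02", "type": "process_create", "image": "vssadmin.exe", "cmdline": "vssadmin.exe list shadows"}
"""

def indicator(ev: dict) -> str | None:
    """Map one event to a behaviour tag from the report, or None if benign."""
    t = ev.get("type")
    if t == "service_stop" and ev.get("service", "").lower() in TARGET_SERVICES:
        return "backup_service_stop"
    if t == "process_terminate" and ev.get("image", "").lower() in TARGET_PROCS:
        return "app_process_kill"
    if t == "process_create" and SHADOW_DELETE.search(ev.get("cmdline", "")):
        return "shadow_copy_delete"   # T1490 in the ATT&CK table below
    return None

def correlate(log_text: str) -> dict[str, set[str]]:
    """Collect the distinct behaviour tags seen per host."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        tag = indicator(ev)
        if tag:
            seen[ev["host"]].add(tag)
    return dict(seen)

def alerts(log_text: str) -> list[str]:
    """Alert a host when shadow deletion is joined by at least one other tag;
    a lone tag (e.g. a single service stop) is left for lower-severity review."""
    return sorted(h for h, tags in correlate(log_text).items()
                  if "shadow_copy_delete" in tags and len(tags) >= 2)

if __name__ == "__main__":
    print(alerts(SAMPLE_LOG))   # ['ws01']
```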
The ransomware then creates a separate thread for each detected CPU, generates ransom notes named "How To Restore Your Files.txt", and encrypts files on the victim's machine.
It avoids encrypting certain system folders such as AppData, Boot, Windows, Windows.old, etc. Additionally, it specifically excludes system files such as autorun.inf, boot.ini, bootfont.bin, etc., as well as file extensions like .exe, .dll, and .termite, from the encryption process to ensure that essential system functions remain intact.
Similar to Babuk ransomware, Termite appends the signature "choung dong looks like hot dog" at the end of the encrypted file.
The figure below shows the ransom note dropped by the ransomware, titled "How To Restore Your Files.txt," which instructs victims to visit the onion site for more information.
After dropping the ransom notes, the malware encrypts the files on the victim's machine and appends the ".termite" extension, as shown in the figure below.
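The three artifacts just described (the ".termite" extension, the Babuk footer signature and the ransom note name) are enough to triage a file share after an incident. The example below, written for this article and not Cyble's code, builds a small constructed directory tree and classifies each file; it assumes the footer signature sits within the last 1 KiB of an encrypted file, which is an assumption about where the report's "at the end" lands rather than a documented offset.

```python
"""Triage files for the Termite/Babuk artifacts described in the report.
Example code for this article, not Cyble's tooling."""
from pathlib import Path
import tempfile

EXT = ".termite"
MARKER = b"choung dong looks like hot dog"   # footer signature per the report
NOTE_NAME = "How To Restore Your Files.txt"  # ransom note name per the report
TAIL = 1024  # assumption: the marker is within the last 1 KiB of the file

def classify(path: Path) -> str:
    """Return 'ransom_note', 'encrypted', 'suspicious_ext' or 'clean'."""
    if path.name == NOTE_NAME:
        return "ransom_note"
    with path.open("rb") as fh:
        fh.seek(max(0, path.stat().st_size - TAIL))
        tail = fh.read()
    if MARKER in tail:
        return "encrypted"            # footer wins even if the file was renamed
    return "suspicious_ext" if path.suffix == EXT else "clean"

def triage(root: Path) -> dict[str, int]:
    """Count each category across a tree; a non-zero 'encrypted' count is the
    strongest signal, 'suspicious_ext' alone deserves a manual look."""
    counts = {"ransom_note": 0, "encrypted": 0, "suspicious_ext": 0, "clean": 0}
    for p in root.rglob("*"):
        if p.is_file():
            counts[classify(p)] += 1
    return counts

def demo() -> dict[str, int]:
    """Build a constructed sample tree in a temp dir and triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "report.docx.termite").write_bytes(b"ciphertext..." + MARKER)
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04 ordinary clean content")
    (root / NOTE_NAME).write_text("visit the onion site for instructions")
    (root / "odd.termite").write_bytes(b"renamed by hand, no footer present")
    return triage(root)

if __name__ == "__main__":
    print(demo())
```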
The Termite ransomware can also spread through network shares and paths of the infected machine, as shown below.
If the command-line argument is "shares," the ransomware uses the NetShareEnum() API to discover network shares and retrieve information about each shared resource on the server. It then checks for the $ADMIN share and begins encrypting the files. If the command-line argument is "paths," the ransomware calls the GetDriveTypeW() API to identify network drives connected to the infected machine, and once they are located, it begins encrypting the files. If neither "-paths" nor "-shares" is provided, and the mutex named "DoYouWantToHaveSexWithCuongDong" is not found on the infected machine, the ransomware recursively traverses all local drives and encrypts the files.
Conclusion
Termite ransomware represents a new and emerging threat in the cyber landscape, leveraging advanced tactics such as double extortion to maximize its impact on victims. By targeting businesses and demanding substantial ransoms, it not only disrupts operations but also exposes organizations to significant financial, legal, and reputational risks. The emergence of Termite underscores the critical need for robust cybersecurity measures, proactive threat intelligence, and incident response strategies to counter the evolving tactics of ransomware groups.
Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices below:
Safety Measures to Prevent Ransomware Attacks
- Don't open untrusted links and email attachments without first verifying their authenticity.
- Conduct regular backups and keep those backups offline or on a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputable antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile.
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
| --- | --- | --- |
| Execution | T1204.002 (User Execution) | User executes the ransomware file |
| Defense Evasion | T1070.004 (Indicator Removal: File Deletion) | Ransomware deletes itself after execution |
| Discovery | T1083 (File and Directory Discovery) | Ransomware enumerates folders for file encryption and file deletion |
| Discovery | T1135 (Network Share Discovery) | Targets network shares and paths |
| Impact | T1486 (Data Encrypted for Impact) | Ransomware encrypts the data for extortion |
| Impact | T1490 (Inhibit System Recovery) | Disables automatic Windows recovery |
IOC
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| f0ec54b9dc2e64c214e92b521933cee172283ff5c942cf84fae4ec5b03abab55 | SHA-256 | Termite Ransomware |