New ‘Termite’ ransomware group claims responsibility for Blue Yonder cyberattack
A newly formed ransomware group known as Termite has claimed responsibility for a ransomware attack on Blue Yonder, which disrupted operations at several major companies, including Starbucks and leading U.K. grocery chains Morrisons and Sainsbury’s.
Blue Yonder, headquartered in Arizona, disclosed on Nov. 21 that it was experiencing disruptions within its managed services-hosted environment due to the attack. This announcement was followed by confirmations of operational difficulties experienced by its customers, notably affecting Starbucks’ payroll systems and causing warehouse management system issues at Morrisons.
The Termite group claimed responsibility through its Tor-based website, posting that it had exfiltrated 680 gigabytes of data from Blue Yonder, including sensitive information such as databases, email addresses, and over 200,000 insurance documents. The threat actors have threatened to release segments of this data publicly if ransom demands are not met.
In response, Blue Yonder confirmed it is aware of the claims of unauthorized data access and has enlisted external cybersecurity experts to investigate and address the breach. “We are working diligently to understand the full extent of the situation and to support our affected customers,” the company said in a statement.
The Termite group uses ransomware that is a modified version of the Babuk ransomware, whose source code became public due to a leak several years ago.
Termite’s operational footprint, although relatively new, has rapidly expanded. Within a short span, the group has listed multiple victims across various sectors and countries. Recent attacks, in addition to Blue Yonder, include breaches of Conseil Scolaire Viamonde, a French-language school board in Toronto, and the government of Réunion, a French overseas department.
A bulletin published by Broadcom last month said that Termite has been rather indiscriminate in its targeting, attacking government agencies, education, disability support services, oil and gas, water treatment, and automotive manufacturing organizations. Alpharetta, Ga.-based Cyble has published technical details that examine how the malware functions.