LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Termite

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting

Termite ransomware emerged in late 2024 as a closed, non-RaaS group built on Babuk source code. Its attacks on Blue Yonder and Australian fertility clinic Genea placed it among the highest-impact groups of its size, targeting supply chain vendors and healthcare providers.

By Ransomware Tracker ·
TermiteransomwareBabukBlue-Yondersupply-chainhealthcareclosed-groupdouble-extortiongroup-profile
Threat Level
8/10
Sectors Targeted
healthcare
finance
transport
Ransomware Family
Termite

Overview

Termite is a ransomware group that emerged in late 2024 and distinguished itself not through prolific victim counts but through the severity of individual attacks. Operating as a closed group — not a ransomware-as-a-service (RaaS) platform with affiliates — Termite selects targets methodically and has repeatedly demonstrated an ability to identify and compromise high-value supply chain vendors, amplifying impact beyond the direct victim.

The group’s technical foundation is the Babuk ransomware builder, the source code of which leaked publicly in September 2021. Termite is one of several successor groups built on Babuk code, sitting alongside ESXiArgs, Cyclops, and RA World in the broader Babuk derivative ecosystem. The shared codebase does not imply shared operations — Termite is assessed as an independent group that adopted Babuk’s established cross-platform encryption capabilities rather than a rebrand of any previous Babuk-using operator.

Despite a relatively small disclosed victim count compared to prolific RaaS operations like LockBit or RansomHub, Termite’s attack selection has generated outsized attention, and the group should be considered a high-capability actor rather than a lower-tier opportunistic operator.


Technical Profile

Code Base

Termite ransomware is derived from the Babuk source code that was leaked in September 2021 on a Russian-language cybercrime forum. Babuk’s original design targeted Windows environments with a ChaCha8 encryption implementation, and later versions added an ESXi encryptor targeting VMware virtual machine files. Termite inherits these capabilities, though analysis of samples suggests the group has modified the original code rather than using it verbatim.

Encryption Approach

Termite uses Babuk’s hybrid encryption architecture:

  • A session key is generated per encryption operation using a symmetric cipher (ChaCha8 in Babuk’s original design)
  • The session key is encrypted with an attacker-held asymmetric key (Babuk originally used Curve25519), making decryption without the attacker’s private key impossible
  • Files are renamed with a .termite extension post-encryption (not observed in all variants; some samples use no extension modification)

Ransom notes are dropped throughout the filesystem and typically direct victims to a Tor-accessible negotiation portal. The group operates a data leak site where stolen data is published for victims who do not pay.

Deployment Method

Termite’s operators gain initial access through phishing and exploitation of internet-facing vulnerabilities. Post-access activity follows a conventional pattern: credential harvesting, lateral movement to identify and compromise backup infrastructure, data exfiltration before encryption, and then deployment of the encryption payload. Shadow copy deletion and disabling of backup and security services are performed before encryption to maximise damage and prevent recovery without payment.


Targeting Profile

Termite is a closed, operator-run group with a small victim set. This concentrates operational attention on individual targets and suggests a higher operational tempo per victim than RaaS affiliates managing multiple concurrent intrusions. The group’s target selection shows a preference for organisations that function as critical dependencies for other industries — supply chain vendors, managed service providers, and healthcare infrastructure — where the disruption impact and willingness to pay are elevated.

Observed target sectors:

  • Supply chain and logistics (food supply, third-party vendor)
  • Healthcare (fertility clinic, patient data exfiltration)
  • Technology services (managed services, software vendors)

Notable Incidents

Blue Yonder (November 2024)

The highest-profile confirmed Termite attack targeted Blue Yonder, a US-based supply chain management software company serving over 3,000 enterprise customers globally, including major UK supermarket chains. The attack disrupted Blue Yonder’s managed services infrastructure in late November 2024, causing widespread downstream disruption to retail supply chain operations during the peak holiday trading period.

Starbucks disclosed that the attack affected its ability to manage employee schedules due to dependency on Blue Yonder’s workforce management platform. UK supermarkets including Morrisons and Sainsbury’s experienced disruption to inventory and warehouse management systems. The blast radius of a single supply chain vendor attack reaching hundreds of enterprise customers is precisely the impact profile Termite appears to target: one successful intrusion generates pressure from multiple downstream affected organisations simultaneously.

Genea (February 2025)

Termite claimed responsibility for an attack on Genea, one of Australia’s largest fertility clinic operators. The group exfiltrated approximately 940 gigabytes of patient data including highly sensitive reproductive health records, genetic material storage records, and personal identifiers. Termite published portions of the stolen data on its leak site when Genea declined to pay the ransom.

The attack generated significant regulatory attention in Australia and underscores the group’s willingness to publish medical and reproductive health data — one of the highest sensitivity categories of personal information — as extortion leverage.


Operational Security

Termite operates with moderate operational security by the standards of closed ransomware groups. The group’s Tor-based negotiation portal and leak site have maintained consistent availability, suggesting reasonably professional infrastructure management. The closed group model — no affiliates — reduces the operational security risk associated with RaaS operators whose affiliates can be arrested, turned, or make mistakes that expose the core group.

No law enforcement action against Termite infrastructure or operators had been disclosed as of mid-2026. The group has not claimed any law enforcement disruption in the manner of LockBit’s “FBI Notice” counter-narrative following Operation Cronos.


Ransom Demands and Negotiation

Termite’s ransom demands have not been systematically disclosed across its victim set. Based on publicly available information from the Blue Yonder and Genea incidents, demands appear calibrated to large enterprises and are in the millions of dollars range, consistent with the group’s target size. The group operates a double-extortion model: encrypted systems plus threatened publication of stolen data. In at least the Genea case, data was published when payment was not made.

The group maintains a negotiation portal accessible via Tor. Victim communications follow conventional ransomware negotiation formats: initial demand, proof-of-decryption offer for a sample file, and negotiation toward settlement.


Defensive Implications

Third-Party and Vendor Risk

The Blue Yonder attack is the definitive case study for why supply chain vendor risk management must include security posture assessments. Vendor access to enterprise environments, vendor-managed software platforms on enterprise networks, and dependencies on SaaS vendors for critical business functions all represent attack surface that Termite has demonstrated the ability and willingness to exploit.

Organisations should identify their critical third-party software and managed service dependencies and evaluate:

  • Whether a compromise of the vendor would disrupt business-critical operations
  • Whether vendor access to internal networks is appropriately scoped and monitored
  • Whether contractual obligations include security incident notification timelines

Healthcare Sector Alert

Termite’s willingness to exfiltrate and publish highly sensitive medical data — including reproductive health records — without apparent concern for the human harm caused places it in the same category as the most aggressive healthcare-targeting ransomware groups. Healthcare providers should treat Termite as an active threat and review incident response playbooks for scenarios involving data exfiltration before encryption, since prevention of data loss is impossible once exfiltration has occurred. Detection during the exfiltration phase — before encryption — is the only recovery path that avoids both ransom payment and data publication.

Detection Priorities

  • Anomalous outbound data transfer volumes, particularly to cloud storage services and file sharing platforms, before encryption events
  • Vssadmin, wmic shadow copy deletion, and bcdedit commands indicating pre-encryption preparation
  • Termite’s .termite extension on encrypted files (where the variant appends it)
  • Lateral movement through credential harvesting: monitoring for LSASS access and credential spraying within hours of initial access

Assessment

Termite is a focused, professional closed ransomware group with a demonstrated capability to compromise large enterprises and supply chain vendors. Its victim count is small by RaaS standards, but impact per attack is high. The Blue Yonder attack demonstrated the group’s understanding of supply chain leverage: one successful compromise cascades into disruption for hundreds of downstream organisations. Healthcare targeting with data publication is a deliberate pressure tactic that prioritises victim payment compliance over ethical considerations about sensitive data.

Termite should be treated as an active, capable threat, particularly for organisations in supply chain management, managed services, healthcare, and any sector with significant third-party software dependencies.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Hunters International / World Leaks: From Hive Successor to Pure Extortion