What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a Termite attack can make a huge difference and help you make a full recovery. Request 24/7 Termite ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Termite ransomware statistics & facts

Termite Decryptor
Termite IOCs
Termite Attack Vectors
Case Outcomes
How to Remove Termite Ransomware?
How to Recover from Termite Ransomware?
Ransom Amounts
Termite Decryptor

No public decryption tool is available for Termite. The malware uses strong RSA-2048+AES-256 encryption with private keys held exclusively by the threat actor. Decryption requires ransom payment (with no guarantee of functionality) or restoration from clean backups.

Termite IOCs

Specific indicators include .termite file extensions on all encrypted files, “How To Restore Your Files.txt” ransom notes, evidence of NetShareEnum() API usage for network share discovery, and lateral movement across SMB shares.

File Extensions
All encrypted files append .termite extension (e.g., document.docx.termite, image.jpg.termite). The extension is consistent across all Termite attacks, facilitating identification.

Ransom Note Filenames
“How To Restore Your Files.txt” appearing in all encrypted directories. The filename is consistent across all Termite incidents.

Termite Hashes
Termite samples share code patterns with Babuk ransomware, reflecting the group’s use of leaked source code. Specific hash tracking requires binary analysis and threat intelligence feeds.

Termite Tools
Legitimate administrative tools: RDP, WinRM, PowerShell; network discovery utilities (NetShareEnum API); SMB enumeration; Cobalt Strike (suspected affiliate use); PsExec for lateral movement; data exfiltration utilities.

Most Common Red Flag (Commands)
PowerShell commands: Get-SmbShare, Get-NetShare, Get-ChildItem on network shares; NetShareEnum() API calls; SMB connection attempts across network segments; evidence of file compression for staging (7-Zip, WinRAR); bulk data transfers to external storage or cloud services.

Termite Attack Vectors

Attack vector

% of Termite incidents

Notes

Exposed Remote Access

50%

Weak RDP credentials or VPN exposure

Phishing & Credential Theft

25%

Email-based credential harvesting campaigns

Supply Chain/Partner Access

15%

Compromised software vendor accounts or MSP access

Unpatched Vulnerabilities

10%

Exploitation of known application CVEs

Powered By WP Table Builder
Case Outcomes

Blue Yonder attack caused operational disruption affecting retail logistics chains globally. Starbucks reported payroll system disruptions affecting 8,000+ employees. Sainsbury’s and Morrisons experienced warehouse management delays affecting grocery supply. Recovery timelines ranged from 2–4 weeks post-incident. Blue Yonder reported ransom demand estimated at multi-million-dollar range; settlement terms remain confidential.

How to Remove Termite Ransomware?

Immediately isolate infected systems and network shares from accessible networks using air-gapping or network segmentation. Identify all compromised user accounts and reset credentials with complex passwords. Preserve all forensic evidence of infection including encryption logs, file modification timestamps, and network traffic. Restore encrypted files from clean backup copies predating the infection. Scan all systems for secondary malware, persistence mechanisms, or backdoors planted by attackers.

How to Recover from Termite Ransomware?

Restore all encrypted files from verified clean backup repositories created before encryption began. Rebuild user credentials and implement multi-factor authentication on all accounts and remote access services. Deploy endpoint detection and response (EDR) solutions with focus on detecting lateral movement via SMB shares and file encryption activity. Implement network segmentation to restrict access to shared resources only to authorized users. Enforce data loss prevention (DLP) to monitor for suspicious bulk file transfers. Maintain immutable offline backup copies to prevent future encryption of recovery points.

Ransom Amounts

Termite demands range from $1,000,000 to $10,000,000+ depending on victim organization size and operational criticality. Supply chain management companies and retailers face the highest demands due to cascading impact on downstream customers. Blue Yonder ransom demand estimated at $5–10 million. Negotiated settlements typically reduce demands by 40–60%.

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What is Termite Ransomware?

Termite is a ransomware variant based on publicly leaked Babuk source code, emerging in late 2024. The group distinguishes itself by targeting critical supply chain and logistics software, particularly Blue Yonder (JDA Systems) platforms. Termite combines file encryption with data exfiltration and emphasizes operational impact through supply chain disruption. The group’s high-profile attack on Blue Yonder demonstrates capability to compromise major enterprises and affect millions of downstream customers and business operations.

Where is the Termite Gang Located?

The Termite threat actor’s geographic origin is unconfirmed but operational patterns suggest Eastern European operators with potential Russian-language affiliations. The group’s focus on English-language ransom notes and Western enterprises suggests awareness of international business operations. Law enforcement has not publicly attributed Termite to specific nation-states or geographic regions.

How Does Termite Ransomware Work?

Termite attacks follow a staged approach: Initial access via exposed remote desktop services (RDP) with weak credentials or phishing-based credential harvesting. Lateral movement across network shares using compromised domain credentials. Network reconnaissance using NetShareEnum() API to identify shared drives and network paths. Data exfiltration to attacker-controlled servers of sensitive files and databases. Encryption of files across the network using RSA-2048+AES-256, appending .termite extensions. Ransom note deployment in encrypted directories. Victim notification via Tor leak site publication and direct contact.

How Long Does a Termite Attack Take?

Termite campaigns typically span 3–7 days from initial access to encryption deployment, depending on network complexity. The group appears to conduct rapid lateral movement and encryption once credentials are obtained. Blue Yonder attack reconnaissance phase lasted approximately 2 weeks before encryption began. Encryption of large file volumes typically completes within 24–48 hours once deployment begins.

Can Termite Ransomware Be Decrypted?

No public decryption tools are available for Termite. The malware uses strong RSA-2048+AES-256 encryption with private keys held exclusively by the threat actor. Decryption requires ransom payment (with no guarantee of functionality) or restoration from clean backups. Some victims reported incomplete decryption despite ransom payment, suggesting deliberate key manipulation.

What Happens If You Pay the Termite Ransom?

Payment does not guarantee complete decryption or prevent data publication. The threat actor has demonstrated willingness to follow through on encryption key provision for verified ransoms, but data has been published despite payment in some cases. Payment increases likelihood of future targeting and demonstrates financial capability to the broader threat actor ecosystem.

How to Prevent Termite Infection?

Implement multi-factor authentication on all remote access services (RDP, VPN) and administrative accounts. Deploy endpoint detection and response (EDR) solutions with focus on detecting network share enumeration and SMB lateral movement. Conduct regular security awareness training focused on phishing recognition and credential security. Segment networks to restrict access to critical systems and shared drives only to authorized users. Implement data loss prevention (DLP) tools to monitor for suspicious bulk file transfers and exfiltration. Maintain offline, immutable backup copies to enable rapid recovery without ransom payment.

Termite Threat Checklist

– Reset all RDP, VPN, and remote access credentials immediately – Deploy multi-factor authentication on all administrative accounts – Audit SMB shares and restrict access to least-privilege users – Enable network segmentation between critical systems – Monitor for NetShareEnum API calls and SMB enumeration activity – Verify backup integrity and test offline restoration procedures – Implement EDR solutions on all endpoints with SMB monitoring – Engage incident response and law enforcement upon detection

Does Termite Target Specific Industries?

Termite demonstrates strong preference for supply chain, logistics, and enterprise resource planning (ERP) software companies. Blue Yonder (JDA Systems) targeting suggests focus on organizations managing retail logistics, warehouse management, and supply chain operations. Secondary targets appear to be large retailers and distributors with critical dependency on these systems.

What Made the Blue Yonder Attack Significant?

The Blue Yonder attack impacted 8,000+ Starbucks locations, UK supermarket chains serving millions of customers, and global retail logistics chains. The attack demonstrated Termite’s capability to cascade impact through supply chains affecting downstream customers. Retail disruption lasted 2–4 weeks, affecting payroll, inventory management, and customer operations globally. The attack raised awareness of supply chain ransomware risk and critical infrastructure vulnerability.