Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Termite ransomware recovery team on standby
Termite emerged in late 2024 using modified Babuk source code and made headlines by attacking Blue Yonder, a supply chain software provider serving hundreds of Fortune 500 companies. Do not attempt containment or decryption alone — isolate affected systems immediately and engage UnderDefense's incident response team.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Termite attack can make a huge difference and help you make a full recovery. Request 24/7 Termite ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Termite victims exhibit clear IOCs including .termite file extensions on all encrypted files, ransom notes titled “How To Restore Your Files.txt”, and evidence of lateral movement via network shares. The malware leverages legitimate administrative tools and network discovery mechanisms. Watch for suspicious use of NetShareEnum() API, network reconnaissance activity, and encryption of files across shared network paths.
Termite uses RSA-2048 for key exchange combined with AES-256 for file encryption. Each victim receives a unique encryption key generated server-side by the attackers. Encryption is performed file-by-file with the attacker's public key embedded in the malware.
Termite operates as a derivative ransomware variant based on publicly leaked Babuk source code. The group appears smaller than major RaaS operations, with attacks suggesting manual effort rather than automated affiliate deployment. Double extortion is standard: files encrypted while data is exfiltrated and listed on Termite's Tor-based site.
Primary leverage combines operational disruption (encryption of critical supply chain systems) with data publication threats. The group publishes victim data on a Tor leak site and threatens public disclosure or sale to competitors. Blue Yonder attack victims faced additional pressure due to cascading impact on retail customers and supply chains.
Termite targets large enterprises running Windows systems and network shares, with specific focus on supply chain management software (Blue Yonder/JDA systems). The group prioritizes operational impact and cascading customer disruption, selecting victims with mission-critical systems affecting downstream operations.
Ransom notes titled "How To Restore Your Files.txt" appear in encrypted directories containing victim-specific instructions, Tor onion site URLs for negotiation, and cryptocurrency wallet addresses. Notes reference Blue Yonder data breach and exfiltrated data volumes to increase pressure on victims.
No public decryption tool is available for Termite. The malware uses strong RSA-2048+AES-256 encryption with private keys held exclusively by the threat actor. Decryption requires ransom payment (with no guarantee of functionality) or restoration from clean backups.
Specific indicators include .termite file extensions on all encrypted files, “How To Restore Your Files.txt” ransom notes, evidence of NetShareEnum() API usage for network share discovery, and lateral movement across SMB shares.
File Extensions
All encrypted files append .termite extension (e.g., document.docx.termite, image.jpg.termite). The extension is consistent across all Termite attacks, facilitating identification.
Ransom Note Filenames
“How To Restore Your Files.txt” appearing in all encrypted directories. The filename is consistent across all Termite incidents.
Termite Hashes
Termite samples share code patterns with Babuk ransomware, reflecting the group’s use of leaked source code. Specific hash tracking requires binary analysis and threat intelligence feeds.
Termite Tools
Legitimate administrative tools: RDP, WinRM, PowerShell; network discovery utilities (NetShareEnum API); SMB enumeration; Cobalt Strike (suspected affiliate use); PsExec for lateral movement; data exfiltration utilities.
Most Common Red Flag (Commands)
PowerShell commands: Get-SmbShare, Get-NetShare, Get-ChildItem on network shares; NetShareEnum() API calls; SMB connection attempts across network segments; evidence of file compression for staging (7-Zip, WinRAR); bulk data transfers to external storage or cloud services.
Attack vector | % of Termite incidents | Notes |
Exposed Remote Access | 50% | Weak RDP credentials or VPN exposure |
Phishing & Credential Theft | 25% | Email-based credential harvesting campaigns |
Supply Chain/Partner Access | 15% | Compromised software vendor accounts or MSP access |
Unpatched Vulnerabilities | 10% | Exploitation of known application CVEs |
Blue Yonder attack caused operational disruption affecting retail logistics chains globally. Starbucks reported payroll system disruptions affecting 8,000+ employees. Sainsbury’s and Morrisons experienced warehouse management delays affecting grocery supply. Recovery timelines ranged from 2–4 weeks post-incident. Blue Yonder reported ransom demand estimated at multi-million-dollar range; settlement terms remain confidential.
Immediately isolate infected systems and network shares from accessible networks using air-gapping or network segmentation. Identify all compromised user accounts and reset credentials with complex passwords. Preserve all forensic evidence of infection including encryption logs, file modification timestamps, and network traffic. Restore encrypted files from clean backup copies predating the infection. Scan all systems for secondary malware, persistence mechanisms, or backdoors planted by attackers.
Restore all encrypted files from verified clean backup repositories created before encryption began. Rebuild user credentials and implement multi-factor authentication on all accounts and remote access services. Deploy endpoint detection and response (EDR) solutions with focus on detecting lateral movement via SMB shares and file encryption activity. Implement network segmentation to restrict access to shared resources only to authorized users. Enforce data loss prevention (DLP) to monitor for suspicious bulk file transfers. Maintain immutable offline backup copies to prevent future encryption of recovery points.
Termite demands range from $1,000,000 to $10,000,000+ depending on victim organization size and operational criticality. Supply chain management companies and retailers face the highest demands due to cascading impact on downstream customers. Blue Yonder ransom demand estimated at $5–10 million. Negotiated settlements typically reduce demands by 40–60%.
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowTermite is a ransomware variant based on publicly leaked Babuk source code, emerging in late 2024. The group distinguishes itself by targeting critical supply chain and logistics software, particularly Blue Yonder (JDA Systems) platforms. Termite combines file encryption with data exfiltration and emphasizes operational impact through supply chain disruption. The group’s high-profile attack on Blue Yonder demonstrates capability to compromise major enterprises and affect millions of downstream customers and business operations.
The Termite threat actor’s geographic origin is unconfirmed but operational patterns suggest Eastern European operators with potential Russian-language affiliations. The group’s focus on English-language ransom notes and Western enterprises suggests awareness of international business operations. Law enforcement has not publicly attributed Termite to specific nation-states or geographic regions.
Termite attacks follow a staged approach: Initial access via exposed remote desktop services (RDP) with weak credentials or phishing-based credential harvesting. Lateral movement across network shares using compromised domain credentials. Network reconnaissance using NetShareEnum() API to identify shared drives and network paths. Data exfiltration to attacker-controlled servers of sensitive files and databases. Encryption of files across the network using RSA-2048+AES-256, appending .termite extensions. Ransom note deployment in encrypted directories. Victim notification via Tor leak site publication and direct contact.
Termite campaigns typically span 3–7 days from initial access to encryption deployment, depending on network complexity. The group appears to conduct rapid lateral movement and encryption once credentials are obtained. Blue Yonder attack reconnaissance phase lasted approximately 2 weeks before encryption began. Encryption of large file volumes typically completes within 24–48 hours once deployment begins.
No public decryption tools are available for Termite. The malware uses strong RSA-2048+AES-256 encryption with private keys held exclusively by the threat actor. Decryption requires ransom payment (with no guarantee of functionality) or restoration from clean backups. Some victims reported incomplete decryption despite ransom payment, suggesting deliberate key manipulation.
Payment does not guarantee complete decryption or prevent data publication. The threat actor has demonstrated willingness to follow through on encryption key provision for verified ransoms, but data has been published despite payment in some cases. Payment increases likelihood of future targeting and demonstrates financial capability to the broader threat actor ecosystem.
Implement multi-factor authentication on all remote access services (RDP, VPN) and administrative accounts. Deploy endpoint detection and response (EDR) solutions with focus on detecting network share enumeration and SMB lateral movement. Conduct regular security awareness training focused on phishing recognition and credential security. Segment networks to restrict access to critical systems and shared drives only to authorized users. Implement data loss prevention (DLP) tools to monitor for suspicious bulk file transfers and exfiltration. Maintain offline, immutable backup copies to enable rapid recovery without ransom payment.
– Reset all RDP, VPN, and remote access credentials immediately – Deploy multi-factor authentication on all administrative accounts – Audit SMB shares and restrict access to least-privilege users – Enable network segmentation between critical systems – Monitor for NetShareEnum API calls and SMB enumeration activity – Verify backup integrity and test offline restoration procedures – Implement EDR solutions on all endpoints with SMB monitoring – Engage incident response and law enforcement upon detection
Termite demonstrates strong preference for supply chain, logistics, and enterprise resource planning (ERP) software companies. Blue Yonder (JDA Systems) targeting suggests focus on organizations managing retail logistics, warehouse management, and supply chain operations. Secondary targets appear to be large retailers and distributors with critical dependency on these systems.
The Blue Yonder attack impacted 8,000+ Starbucks locations, UK supermarket chains serving millions of customers, and global retail logistics chains. The attack demonstrated Termite’s capability to cascade impact through supply chains affecting downstream customers. Retail disruption lasted 2–4 weeks, affecting payroll, inventory management, and customer operations globally. The attack raised awareness of supply chain ransomware risk and critical infrastructure vulnerability.