Termite ransomware gang claims responsibility for Blue Yonder cyber attack


The Termite ransomware gang has claimed responsibility for the recent cyber attack on supply chain SaaS vendor Blue Yonder.

The November attack caused disruption at a host of Blue Yonder's customers, including Starbucks and UK grocery stores such as Sainsbury's and Morrisons.

Starbucks was forced to pay staff manually, while Morrisons experienced problems with its warehouse management systems.

The attack has now been claimed by the Termite gang, which has added Blue Yonder to its data leak site. The group claims to have stolen 680GB of data, including more than 16,000 email lists that it plans to use for future attacks, and more than 200,000 insurance documents.

Termite is a relatively new ransomware gang, according to recent analysis from Cyjax, and has only recently begun adding victims to its leak site.

"To date, it has added just seven companies in total - three of which are confirmed attacks," said Rebecca Moody, head of data research at Comparitech.

"As well as this one on Blue Yonder, it claimed an attack in October on Canada's French language school, Conseil Scolaire Viamonde, and one in November 2024 on the government of Réunion. Both of these entities also suffered system disruption as well as data theft."

Blue Yonder said it was working to restore systems, with some of the affected customers brought back online and others on the path to recovery. It has hardened its defensive and forensic protocols since the incident, the company revealed.

"After the recent ransomware attack, Blue Yonder worked with external cybersecurity firms and strengthened our defensive and forensic protocols," Blue Yonder stated in its latest update.

"We have notified customers who were impacted by operational disruptions and have been working with them throughout the restoration process.

"We are aware that an unauthorized third party claims to have taken certain information from our systems. We are working diligently with external cybersecurity experts to address these claims. The investigation remains ongoing."

According to Broadcom, Termite appears to be using a modified version of Babuk ransomware, which, when executed on a machine, encrypts targeted files and adds a .termite extension. It also drops a ransom note - How To Restore Your Files.txt - onto its victims' encrypted systems.
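The two file-system indicators reported above (a `.termite` extension on encrypted files and a ransom note named `How To Restore Your Files.txt`) are the kind of thing a defender can sweep for on a file share. The script below is an added example, not code from the article, Broadcom, or Blue Yonder; the indicator names come from the article, while the sample directory layout and the alert threshold are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators reported for Termite in the article: encrypted files receive a
# ".termite" extension and a ransom note is dropped alongside them.
RANSOM_EXTENSION = ".termite"
RANSOM_NOTE_NAME = "How To Restore Your Files.txt"


def scan_tree(root, alert_threshold=5):
    """Walk `root` and collect Termite-style file indicators.

    Returns a dict with the count and paths of files carrying the ransom
    extension, the directories that hold a ransom note, and an `alert` flag
    that is set when a note is present or the encrypted-file count reaches
    `alert_threshold` (the threshold is an assumed tuning value).
    """
    root = Path(root)
    encrypted = []
    note_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                note_dirs.append(str(path.parent))
            elif path.suffix == RANSOM_EXTENSION:
                encrypted.append(str(path))
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "alert": bool(note_dirs) or len(encrypted) >= alert_threshold,
    }


def build_sample_tree(infected=True):
    """Create a constructed directory tree for the demo.

    With `infected=True` the tree contains two renamed files and one ransom
    note; with `infected=False` it contains only benign files. The contents
    are placeholders, not real encrypted data.
    """
    base = Path(tempfile.mkdtemp(prefix="termite-demo-"))
    (base / "finance").mkdir()
    (base / "hr").mkdir()
    (base / "finance" / "notes.txt").write_text("constructed benign file")
    (base / "hr" / "policy.pdf").write_text("constructed benign file")
    if infected:
        for name in ("q3.xlsx.termite", "budget.docx.termite"):
            (base / "finance" / name).write_text("constructed placeholder")
        (base / "finance" / RANSOM_NOTE_NAME).write_text("constructed sample note")
    return str(base)


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(f"encrypted files: {report['encrypted_count']}")
    print(f"ransom note directories: {report['note_dirs']}")
    print("ALERT" if report["alert"] else "clean")
```

In production the same walk would be pointed at the shares the affected applications use, with the threshold tuned so that a handful of legitimately named files do not page anyone while a note or a burst of renamed files does.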


Broadcom said the attackers probably gained initial access via phishing, vulnerabilities, or purchased credentials, then escalated privileges to take control of networks.

Blue Yonder has yet to confirm whether it’s received a ransom demand from the group.

"At the moment, it's unclear what ransom is being demanded by Termite, but the fact it's publishing Blue Yonder on its data leak site suggests that any potential negotiations have failed - for the data theft, at least," commented Moody.

"Due to the disruptions noted, Termite likely carried out a double-extortion attack on Blue Yonder by encrypting systems and stealing data."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.