Analytics Story: Termite Ransomware

Description

Termite Ransomware is a malicious software strain that recently targeted the supply chain management platform Blue Yonder. It is a sophisticated threat that employs a multi-stage attack strategy. It typically initiates infection via phishing campaigns or compromised websites, exploiting system vulnerabilities to gain access. Once inside the network, Termite Ransomware escalates privileges and deploys robust encryption algorithms to lock down critical files, rendering them inaccessible. A ransom note is then left, instructing victims to pay, even though payment does not guarantee data recovery. The malware is engineered with defense evasion techniques, such as anti-analysis and anti-virtual machine features, complicating detection and forensic analysis.

Why it matters

Termite Ransomware is a malicious software strain designed to infiltrate computer systems, encrypt files, and demand ransom payments from victims. Like a colony of termites silently eating away at wood, this ransomware spreads stealthily, often through phishing emails, malicious attachments, or exploit kits. Once activated, Termite Ransomware locks critical files using strong encryption, rendering them inaccessible to users. Victims typically receive a ransom note demanding payment, usually in cryptocurrency, to regain access to their files. However, paying the ransom does not guarantee file recovery, and it often funds further cybercrime. To mitigate risks, users should maintain regular backups, avoid suspicious links, and employ robust security measures such as antivirus software and endpoint protection. Cybersecurity experts recommend not paying the ransom and instead seeking professional assistance to attempt data recovery.

Detections

Name                                         | Technique                  | Type
Common Ransomware Extensions                 | Data Destruction           | TTP
Common Ransomware Notes                      | Data Destruction           | Hunting
Deleting Shadow Copies                       | Inhibit System Recovery    | TTP
High Process Termination Frequency           | Data Encrypted for Impact  | Anomaly
Ransomware Notes bulk creation               | Data Encrypted for Impact  | Anomaly
Windows Security And Backup Services Stop    | Inhibit System Recovery    | TTP
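Two of the detections in the table, Deleting Shadow Copies (TTP) and Ransomware Notes bulk creation (Anomaly), are straightforward to express as code run over process-creation and file-creation telemetry. The block below is an added illustration written for this page, not the analytics story's own Splunk searches: the event records are constructed to resemble Sysmon EventID 1 and EventID 11 after field extraction, and the command-line patterns, note-name patterns, five-file threshold and five-minute window are all assumptions chosen for the example.

```python
"""Illustrative re-implementation of two detections from this analytics story:
'Deleting Shadow Copies' (TTP) and 'Ransomware Notes bulk creation' (Anomaly).
Record layout, patterns and thresholds are assumptions for this example,
not the analytics story's own search logic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that remove Volume Shadow Copies or the backup catalog.
# Assumption: an approximation of what the TTP detection matches on.
SHADOW_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)

# File names typical of ransom notes (assumed, illustrative list only).
NOTE_NAME_RE = re.compile(
    r"(readme|recover|restore|decrypt|how[_-]?to|help)[^\\/]*\.(txt|html?|hta)$",
    re.IGNORECASE,
)
NOTE_THRESHOLD = 5                   # note files per host ...
NOTE_WINDOW = timedelta(minutes=5)   # ... within this window (assumed values)

# Constructed sample records, not real telemetry. "cmdline" mirrors Sysmon
# EventID 1 CommandLine; "target" mirrors EventID 11 TargetFilename.
PROCESS_EVENTS = [
    {"time": "2024-11-21T10:00:01", "host": "WS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2024-11-21T10:00:05", "host": "WS01", "cmdline": "wbadmin delete catalog -quiet"},
    {"time": "2024-11-21T10:01:00", "host": "WS02", "cmdline": "vssadmin list shadows"},
]
FILE_EVENTS = (
    [{"time": f"2024-11-21T10:02:{10 * i:02d}", "host": "WS01",
      "target": rf"C:\Users\alice\Documents\dir{i}\README_TO_DECRYPT.txt"} for i in range(6)]
    + [{"time": "2024-11-21T10:03:00", "host": "WS02", "target": r"C:\Users\bob\HOW_TO_RESTORE.html"},
       {"time": "2024-11-21T10:03:30", "host": "WS02", "target": r"C:\Users\bob\Pictures\family.jpg"},
       {"time": "2024-11-21T10:04:00", "host": "WS02", "target": r"C:\Restore\report.txt"}]
)


def detect_shadow_copy_deletion(process_events):
    """Return one alert per process-creation event whose command line deletes shadow copies."""
    return [
        {"detection": "Deleting Shadow Copies", "host": ev["host"],
         "time": ev["time"], "cmdline": ev["cmdline"]}
        for ev in process_events
        if SHADOW_DELETE_RE.search(ev["cmdline"])
    ]


def detect_ransom_note_bulk_creation(file_events, threshold=NOTE_THRESHOLD, window=NOTE_WINDOW):
    """Return one alert per host whose peak count of note-like file creations
    inside any sliding window of `window` reaches `threshold`."""
    per_host = defaultdict(list)
    for ev in file_events:
        if NOTE_NAME_RE.search(ev["target"]):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), ev["target"]))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        best, best_first, start = 0, None, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide the window start forward
                start += 1
            if end - start + 1 > best:
                best, best_first = end - start + 1, hits[start][0]
        if best >= threshold:
            alerts.append({"detection": "Ransomware Notes bulk creation", "host": host,
                           "count": best, "window_start": best_first.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(PROCESS_EVENTS) + detect_ransom_note_bulk_creation(FILE_EVENTS):
        print(alert)
```

The note-creation detector keeps the peak count inside any window rather than firing on the first crossing, so an analyst sees the full burst size when triaging; the shadow-copy check is deliberately a plain command-line match because `vssadmin list shadows` and similar read-only invocations are routine and should not alert.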

Data Sources

Name                              | Platform | Sourcetype                | Source
CrowdStrike ProcessRollup2        | N/A      | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1                  | Windows  | xmlwineventlog            | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11                 | Windows  | xmlwineventlog            | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5                  | Windows  | xmlwineventlog            | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688   | Windows  | xmlwineventlog            | XmlWinEventLog:Security
Windows Event Log System 7036     | Windows  | xmlwineventlog            | XmlWinEventLog:System

Source: GitHub | Version: 1