Termite Ransomware Operators

Also known as: Termite Ransomware Operators

Introduction

The Termite ransomware strain has been observed since April 2024. Researchers have noted considerable code and behavioral overlaps between the Babuk ransomware and Termite.[Infosecurity Magazine December 9 2024] Actors using Termite have attacked organizations in various sectors and locations, publicly extorting some victims on a dark web “data leak” site since November 2024.[GitHub ransomwatch] News reports linked a series of attacks in late 2024, which exploited vulnerabilities in Cleo managed file transfer (“MFT”) software, to Termite ransomware operators.[DarkReading Termite Cleo December 10 2024]

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Dark DDoSeR:
  • DarkRat:
  • Xploit:
  • Archelaus Beta:

Attribution and Evidence

Information pending cataloguing.

References

[1] Infosecurity Magazine December 9 2024
[2] GitHub ransomwatch
[3] DarkReading Termite Cleo December 10 2024