Termite ransomware is the latest ransomware variant to emerge in the threat landscape, with its first victims reported in early November 2024. The group behind Termite has quickly targeted multiple organizations across a wide range of industries, successfully impacting victims in various countries, as revealed through their leak sites over the past few weeks.
‍
Key Highlights

‍Characteristics: While Termite ransomware campaigns are still under observation, initial findings reveal several key characteristics:

• First observed: November 2024.
• Targeting focus: Victims span diverse industries and countries, suggesting opportunistic behavior.
• Emerging threat: Tactics, techniques, and procedures (TTPs) are still being observed and analyzed.
• File extension: Uses the .termite extension for encrypted files.
• Leak sites: Hosted on .onion domains accessible via the TOR browser.

Targeted Industries:
‍The threat actors deploying Termite ransomware have not exhibited a clear preference for specific industries in its early activity. Victims identified so far span diverse sectors, including Education, Energy, Government, Healthcare, Public, Consumer Services, and Manufacturing, indicating a broad and adaptable targeting approach.

Global Insights:
Termite attacks have appeared in multiple countries. Victim organizations have been identified in the United States, France, Canada, Oman, and Germany, highlighting the group’s adaptability and willingness to operate across diverse geographic regions.

initial Access:
Threat actors deploying Termite ransomware have been observed leveraging compromised user accounts to gain initial access to target environments. These attacks often target remote access systems, exploiting weak security configurations or the absence of multifactor authentication (MFA) to infiltrate networks.

Encryption Method:
Capable of targeting VMware environments by encrypting virtual machine disks (VMDK files) across ESXi hosts. Threat actors gain control via vCenter, enabling SSH access on ESXi hosts and executing an encryption executable on each host. Active Directory integration is often exploited to gain access to and take control of ESXi hosts.

Protecting Against Termite Ransomware:
Ransomware remains one of the most disruptive threats facing organizations today, making proactive defense measures essential. While the tactics and techniques of individual groups vary, consistent security practices can mitigate the risk of falling victim to these attacks.

The following are foundational recommendations organizations can implement to defend against Termite ransomware and other threats: ‍

• Review External-facing Attack Surface – Attack groups, such as Termite, often achieve the most success by targeting external-facing infrastructure like Citrix and VPNs. To mitigate this risk, ensure that Multifactor Authentication (MFA), as detailed below, is implemented. Additionally, adopt a least-privilege access model to limit the blast radius in the event a threat actor gains access.
• Maintain Offline Backups – Regularly back up critical data and store backups offline to prevent encryption by ransomware. Local backup copies and management servers should be segmented, not tied into Active Directory (AD), and stored on hardened operating systems with strong, unique passwords. Backups should also be immutable to prevent tampering. Similarly, offline or cloud backups must utilize immutability features and separate, robust credentials to safeguard against unauthorized deletion.
• Deploy Endpoint Detection and Response (EDR) – Ensure EDR solutions are monitored and responded to 24/7 to detect suspicious activity and mitigate the risk of an intrusion escalating into an enterprise-wide ransomware incident.
• Prioritize Patch Management – Address unknown vulnerabilities to reduce the risk of exploitation.
• Implement Multifactor Authentication (MFA) – Ensure MFA and strong access controls are in place to secure accounts and systems.

If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.