Ransomware Intelligence

termite

Ransomware group profile

Victims: 36
Source country: Russia
Impact score: 85

Description

Termite is a ransomware group known for utilizing advanced encryption techniques to target organizations and demanding high ransoms for decryption keys. The group employs stealthy operations and exploits various vulnerabilities to gain access to crucial files, focusing particularly on disrupting supply chain operations.

Key insights

  • Termite uses double extortion tactics, combining file encryption with data exfiltration.
  • The group is known to leverage phishing emails and software vulnerabilities for initial access.
  • Termite's ransomware appends a '.termite' extension to encrypted files and drops a ransom note named 'How To Restore Your Files.txt'.
  • The operation has been linked to a threat actor tracked as Velvet Tempest (DEV-0504).
  • Termite targets high-value sectors, including supply chain and healthcare.
  • The group is recognized for sophisticated encryption algorithms like ChaCha20.
  • Indicators of compromise include sudden system performance degradation and unauthorized access alerts.

Threat Level & Status Breakdown

For termite · Based on incidents in selected period

Threat level: 3.3
Aggressiveness: 5 / 10
Lethality: 0 / 10
Criticality: 5 / 10

Status Breakdown

Claimed: 100.0% (36)
First seen: Sep 2025
Last seen: Jun 2026
Avg ransom
Payment rate
Status: active
Sophistication: 0
Last updated: Jun 23, 2026

Recent activity

Monthly attack count for termite in the selected period

Total attacks: 36
Peak: 9 in Feb
Avg / month: 5.1
↑ 2 vs first month
[Chart: monthly attack count; x-axis Sep, Dec, Feb, Mar, Apr, May, Jun; y-axis 0 to 12]

Intelligence

IOCs, YARA/Sigma rules, and related families for termite

Full IOC feed: 500 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for termite

CVE-2024-55956
CVE-2024-50623
Other

T1486
T1490
T1021
T1562
T1078
T1059
T1547
T1021.001
T1110
T1203
T1040
T1080

Victims (36)

Company | Domain | Country | Industry | Status | Discovered
https://calfresh.ca.gov/ | | US United States | Government & Defense | Claimed | 16 days ago
https://www.wieseusa.com/ | | US United States | Other | Claimed | 17 days ago
https://www.rolandmachinery.com/ | | US United States | Manufacturing | Claimed | 17 days ago
Cal Fresh | calfresh.ca.gov | CA Canada | Other | Claimed | 16 days ago
Roland Machinery | rolandmachinery.com | AU Australia | Manufacturing | Claimed | 17 days ago
Wiese USA | wieseusa.com | US United States | Manufacturing | Claimed | 17 days ago
https://www.imminet.com/ | | US United States | Manufacturing | Claimed | 27 days ago
Indiana Mills and Manufacturing | imminet.com | US United States | Manufacturing | Claimed | 26 days ago
https://www.uei.edu/ | | US United States | Education | Claimed | 28 days ago
UEI College | uei.edu | US United States | Education | Claimed | 26 days ago
https://www.ramarfoods.com/ | | US United States | Manufacturing | Claimed | about 1 month ago
RAMAR FOODS INTERNATIONAL | ramarfoods.com | US United States | Other | Claimed | about 1 month ago
Millennium Dental Technologies | lanap.com | US United States | Healthcare | Claimed | 2 months ago
https://www.lanap.com/ | | US United States | Healthcare | Claimed | 2 months ago
https://www.nollandtam.com/ | | US United States | Professional Services | Claimed | 3 months ago
Noll and Tam Architects | nollandtam.com | US United States | Other | Claimed | 3 months ago
https://www.cityofhuntington.com/ | | US United States | Government & Defense | Claimed | 4 months ago
City of Huntington | cityofhuntington.com | US United States | Government & Defense | Claimed | 4 months ago
https://www.bartramtrail.net/ | | US United States | Other | Claimed | 4 months ago
Bartram Trail Surveying | bartramtrail.net | US United States | Professional Services | Claimed | 4 months ago

Page 1 of 2