Dive Brief:
- Blue Yonder on Friday acknowledged it is investigating claims by a public threat group linked to the November ransomware attack.
- An emerging threat group dubbed Termite ransomware claimed credit for the Nov. 21 attack, saying it has 680GB of Blue Yonder data. Security researchers from Arctic Wolf said the claim was posted on a leak site that has only been in operation since October.
- Blue Yonder – which initially described the attack as ransomware – said it is working closely with outside forensic experts to address the claims. Its investigation into the attack is ongoing, the company said.
Dive Insight:
While it is unclear whether Termite ransomware is an offshoot of a prior group, researchers from Broadcom said the group appears to use a modified version of Babuk ransomware.
Termite ransomware uses a double extortion method, extorting victims for a decryptor in order to prevent the release of stolen data, researchers from Kroll found.
Kroll researchers observed Termite use a watering hole attack method that relied on malicious ad software, according to Laurie Iacono, associate managing director, cyber risk at Kroll.
“In the case Kroll observed, the user was infected with the information stealing malware, Red Line Stealer, to collect credentials,” Iacono said via email. “Ransomware was deployed inside a VMware ESXi environment.”
It is not known whether any of these techniques were used in connection with the Blue Yonder attack.
Blue Yonder said it has notified customers that were impacted by operational disruptions and has been working with them throughout the restoration process. On Friday, U.K.-based supermarket chain Morrisons told Cybersecurity Dive that it had restored normal operations and that its internal backup systems were online.
Morrisons, which has about 500 stores across the U.K., said the attack disrupted the company’s warehouse management system for produce and fresh food.
Starbucks was impacted, too, and had to revert to manual scheduling after a Blue Yonder platform it uses to keep track of employee hours was disrupted by the attack.