Supply chain software giant Blue Yonder said it is investigating allegations of data theft after a ransomware gang threatened to release large amounts of data stolen from the company.
Blue Yonder, an Arizona-based company that provides supply chain management software to thousands of organizations including DHL, Starbucks and Walgreens, was attacked on November 21st. The company said at the time that it was a “ransomware incident,” but declined to confirm who was behind the attack.
On Friday, the Termite ransomware group claimed responsibility for the attack on its dark web leak site. In a post seen by TechCrunch, the criminal group claims to have stolen 680 gigabytes of data from Blue Yonder, including documents, reports, insurance forms, and email lists, which Termite says it intends to use for “future attacks.”
In a statement to TechCrunch, Blue Yonder spokesperson Marina Renneke said the company “is aware of who claimed responsibility.”
“We are aware of claims that unauthorized third parties have obtained certain information from our systems,” Renneke said. “We are working diligently with external cybersecurity experts to address these allegations. The investigation is ongoing.”
The Termite ransomware gang first emerged earlier this year. Security experts believe the group is a rebrand of the notorious Russia-linked ransomware group Babuk, which carried out more than 65 attacks and received $13 million in ransoms, according to the U.S. Department of Justice.
Threat intelligence firm Cyble noted similarities between Termite and Babuk ransomware, and security researchers at Broadcom observed that the group was using a modified version of the Babuk ransomware.
On its dark web leak site, where the gang lists six other victims, Termite threatens to release the data allegedly stolen from Blue Yonder “soon.” It's unclear whether the company was asked to pay a ransom, and Blue Yonder declined to say when asked by TechCrunch.
Blue Yonder also declined to say how much and what type of data was stolen, but did not dispute Termite's claims when asked.
Blue Yonder updated its cybersecurity incident page on Friday, saying it had “notified customers affected by the business interruption and has been working with them throughout the recovery process.”
It's still unclear how many of Blue Yonder's more than 3,000 customers were affected by the incident. British supermarket chains Morrisons and Sainsbury's previously confirmed to TechCrunch that they too were affected, and US coffee giant Starbucks said the ransomware attack forced its managers to calculate employees' pay manually.