Termite Ransomware
Under attack by ransomware or suffering a cyber breach?
Speed is critical when facing a live cyber attack. If you believe you’ve been compromised by the Termite ransomware group or another threat actor, contact us immediately.
About Termite ransomware group
Emerging in recent years, Termite ransomware has quickly established itself as a disruptive ransomware group, targeting organisations across multiple industries and regions. Known for its aggressive encryption process and double extortion tactics, Termite ransomware encrypts critical files and exfiltrates sensitive data, demanding ransom payments to prevent public exposure via a Tor-based data leak site.
What we can help with:
- Encrypted files & ransomware data recovery
- Incident response and containment
- Secure data restoration and system recovery
- Use of ransomware decryption tools and data recovery software
- Development of incident response plans and disaster recovery solutions
- Post-incident reviews and security hardening
If your organisation has been infected with ransomware, contact us immediately.
How Termite operators work
Termite ransomware is a sophisticated ransomware group that has been linked to multiple high-profile cyberattacks. It has targeted government agencies, disability support services, supply chain management solutions, and major companies across various sectors. The group uses a modified version of known malware, including tactics similar to Babuk ransomware, to infiltrate and compromise systems.
Termite ransomware attacks typically begin with initial access gained through compromised websites, phishing emails, or third-party service providers. Once inside, the attackers enumerate network shares and connected devices, deploying ransomware across network drives to encrypt files and steal sensitive data.
The group’s branding includes a blue stylised termite integrated into circuit-like pathways, prominently displayed on their Tor-based website and ransom notes. Victims are presented with a support token and directed to negotiate ransom payments, often in cryptocurrency.
We are equipped to deal with an attack from any ransomware group.
Don’t hesitate to contact us if you are under attack from a ransomware group not listed above.
Recognising a Termite attack
Termite ransomware typically gains initial access through phishing, compromised websites, third-party providers, or unpatched software vulnerabilities. Once inside, attackers move laterally, scan network shares, and deploy the ransomware across as many systems as possible.
The malware uses advanced encryption to lock critical files, targeting sensitive data, source code, and system files across connected devices. Following a double extortion model, Termite also exfiltrates data to pressure victims into paying to prevent leaks.
Recovery is hindered by the disabling of system restore functions. Exfiltrated data is staged on external infrastructure to avoid detection, with frequent targeting of sectors like automotive, oil and gas, water treatment, and consumer products.
Why you must not interfere with your ransomware environment
If you discover a physical break-in at your offices, your first instinct would be to call the police; touch nothing and let them search for clues. Then, your focus would shift to restoring business operations.
A cyber-attack requires the same approach. Your digital environment is a CRIME SCENE. It is crucial to leave the environment untouched to allow for a forensic investigation.
This is not a task for your IT team or MSP. Digital Forensic specialists are available 24/7 to assist you, just like in a physical crime.
| Description | Sector | Date Discovered | Attack Date | Country | Screenshot |
|---|---|---|---|---|---|
| Ramar Foods is a leading manufacturer and distributor of Filipino frozen food products, established in 1969. The company is committed to bringing the flavors of the Philippines to consumers through its portfolio of brands, which include iconic offerings like Magnolia, Orientex, Manila Gold, and Frescano. | Agriculture and Food Production | 16/05/2026 06:54 PM | 12/05/2026 09:53 AM | US | |
| Founded in 1994 and Headquartered in Cerritos, California. Millennium Dental Technologies, Inc manufactures and distributes dental products. It offers PerioLase MVP-7, a laser designed especially for laser periodontal therapy that performs soft and hard tissue laser procedures. | Healthcare | 17/04/2026 04:34 PM | 16/04/2026 10:46 PM | US | |
| Noll & Tam Architects specializes in creating innovative architectural designs that serve the common good. Their projects range from community centers and libraries to veterinary hospitals and educational facilities, emphasizing sustainability and empathy in their approach. | Construction | 17/03/2026 12:20 AM | 16/03/2026 11:51 PM | US | |
| Founded in 1871, the City of Huntington is located in western West Virginia. It is the county seat of Cabell County and also stretches into Wayne County. | Public Sector | 07/03/2026 12:25 AM | 06/03/2026 10:32 PM | US | |
| Bartram Trail Surveying, Inc. is a Florida licensed land surveying company that specializes in providing accurate and precise land surveying services across the state. Utilizing state-of-the-art technology, including drone surveying, LiDAR, and GIS, they cater to builders, engineers, and clients involved in land development projects. | Business Services | 03/03/2026 02:21 AM | 03/03/2026 01:05 AM | US | |
| Founded in 1852, Mercy Hospital and Medical Center is a member of Trinity Health. They are a teaching hospital headquartered out of Chicago, Illinois. | Healthcare | 28/02/2026 01:21 AM | 02/09/2025 12:00 AM | US | |
| Jones, Haber & Rollings is a multi-service law firm based in Cape Coral, Florida, with over 75 years of combined legal expertise. Established in 1988, the firm provides comprehensive legal counsel across various practice areas throughout the state of Florida. | Business Services | 25/02/2026 02:30 PM | 24/02/2026 10:03 PM | US | |
| Siskiyou Telephone is a rural independent service provider serving Western Siskiyou County, California, since 1896. The company offers high-speed internet packages with speeds up to 1000 Mbps and telephone services, catering to both residential and business clients. | Telecommunication | 25/02/2026 02:29 PM | 24/02/2026 10:35 PM | US | |
| The Birmingham Museum of Art in Alabama features a vast collection of over 27,000 artworks and offers free admission to visitors. The museum is open from Tuesday to Sunday and hosts various exhibitions and events throughout the year. It serves a diverse audience, including families, students, and art enthusiasts, providing educational resources and opportunities for engagement. | Education | 25/02/2026 12:53 AM | 24/02/2026 11:56 PM | US | |
| Founded in 1852, Mercy Hospital & Medical Center is a member of Trinity Health. They are a teaching hospital headquartered out of Chicago, Illinois. | Healthcare | 24/02/2026 11:08 PM | 02/09/2025 12:00 AM | US | |
| Family Health Centers of Southern Indiana offers quality healthcare services to low-income, underinsured, and uninsured residents in Jeffersonville, New Albany, Corydon, and Clarksville. Their dedicated team of board-certified physicians and nurse practitioners provides a wide range of primary health care services, including a mobile dental unit. The organization emphasizes care for | Healthcare | 02/02/2026 10:44 PM | 02/02/2026 09:01 PM | US | |
| Hermes Medical Solutions is a leader in molecular imaging software, offering an innovative suite designed for faster and more personalized diagnostics and therapies in the fields of nuclear medicine and molecular imaging. Their all-in-one software, Hermia, integrates various medical imaging modalities and advanced dosimetry tools, making it suitable for diverse clinical specialties. | Healthcare | 25/12/2025 01:40 AM | 11/05/2023 05:47 PM | SE | |
| MedHelp Birmingham provides urgent and primary care services in the Birmingham area, welcoming walk-in patients. Their offerings include a Long COVID clinic, wellness therapies, and specialized services such as Lyme Disease treatment and gynecology care. | Healthcare | 17/12/2025 10:20 PM | 17/12/2025 09:44 PM | US | |
| News-Press & Gazette Company publishes daily newspapers and weekly publications. It provides cable, internet, and digital telephone services, as well as commercial printing services, such as Web and sheet-fed services. In addition, it operates television and radio stations. It was established in 1845 and is headquartered in St. Joseph, Missouri. | Consumer Services | 29/09/2025 11:23 PM | 29/09/2025 10:16 PM | US | |
| News-Press & Gazette Company publishes daily newspapers and weekly publications. It provides cable, internet, and digital telephone services, as well as commercial printing services, such as Web and sheet-fed services. In addition, it operates television and radio stations. It was established in 1845 and is headquartered in St. Joseph, Missouri. | Telecommunication | 26/09/2025 05:48 PM | 26/09/2025 05:09 PM | US | |
| News-Press & Gazette Company publishes daily newspapers and weekly publications. It provides cable, internet, and digital telephone services, as well as commercial printing services, such as Web and sheet-fed services. In addition, it operates television and radio stations. It was established in 1845 and is headquartered in St. Joseph, Missouri. | Telecommunication | 26/09/2025 04:58 PM | 26/09/2025 03:53 PM | US | |
| News-Press & Gazette Company publishes daily newspapers and weekly publications. It provides cable, internet, and digital telephone services, as well as commercial printing services, such as Web and sheet-fed services. In addition, it operates television and radio stations. It was established in 1845 and is headquartered in St. Joseph, Missouri. | Consumer Services | 26/09/2025 03:53 PM | 26/09/2025 03:04 PM | US | |
| News-Press & Gazette Company publishes daily newspapers and weekly publications. | Telecommunication | 16/09/2025 12:47 AM | 16/09/2025 12:03 AM | US | |
| LGM, a subsidiary of Groupe LGM, supports its clients in improving performance in design, production, operation and maintenance. | Manufacturing | 05/05/2025 10:14 PM | 29/04/2025 11:05 PM | FR | |
| Ushio is a world market leader for speciality lighting, from ultraviolet to infrared and everything in between. | Manufacturing | 29/04/2025 09:40 PM | 28/04/2025 09:10 PM | JP | |
| Bjorklund Norge AS was founded in 1992. The Company's line of business includes the wholesale distribution of jewelry, precious stones and metals, costume jewelry, watches, clocks, and silverware. | Consumer Services | 12/04/2025 12:25 AM | 11/04/2025 11:43 PM | NO | |
| Provider of information technology services focused on digital transformation for enterprises. The company specializes in offering small and medium enterprises managed services, data analysis with Power BI, digital project management, technical training and IT support services, thereby enabling companies to modernize and uncomplicate their processes and offer technological support. | Technology | 11/04/2025 12:48 AM | 10/04/2025 11:38 PM | BE | |
| Perrigo, founded in 1887 and headquartered in Dublin, Ireland, is a global healthcare supplier and manufacturer of private label over-the-counter pharmaceuticals. | Healthcare | 14/03/2025 10:20 PM | 14/03/2025 08:40 PM | IE | |
| London Belgravia Brokers provide risk insurance and finance advisory solutions to global property developers, investors and high net worth individuals. | Financial Services | 25/02/2025 10:54 PM | 19/02/2025 12:19 AM | GB | |
| National Legal Service are a leading Criminal, Family and Child Care firm conducting both private and legal aid work to a diverse client base. | Business Services | 25/02/2025 10:53 PM | 19/02/2025 12:44 AM | GB | |
| Founded in 1761, Rooks Rider Solicitors is a boutique law firm specializing in corporate law, real estate, and wealth planning, with a strong international reach. The firm focuses on providing personalized legal services, ensuring that their clients receive tailored solutions for their individual needs. Their expertise extends across various areas including dispute resolution, employ | Business Services | 25/02/2025 10:51 PM | 19/02/2025 12:47 AM | GB | |
| Arc & Co. was formed in 2007, concentrates on financing Property, Marine and Aviation assets. | Financial Services | 25/02/2025 10:50 PM | 19/02/2025 12:49 AM | CA | |
| Founded in 1984, Genea is a reproductive and fertility treatment and care facility. The company is headquartered in Sydney, New South Wales | Technology | 25/02/2025 10:48 PM | 24/02/2025 09:32 PM | AU | |
| Ligentia provides freight forwarding and supply chain management solutions. The company was founded in 1996 and is headquartered in Leeds, United Kingdom | Transportation/Logistics | 19/02/2025 11:58 PM | 19/02/2025 11:17 PM | GB | |
| CESI is a private French higher education and vocational training group specialising in training engineers, managers, technicians and supervisors. | Education | 11/02/2025 09:55 PM | 11/02/2025 08:41 PM | FR | |
| Zschimmer and Schwarz, a family owned business founded in 1894, with headquarters in Lahnstein, Germany, develops and produces high performance chemical auxiliaries for the leather, ceramic, textile or fiber, personal care, lubricant, polymer, and phosphonate industries or markets. | Manufacturing | 30/01/2025 01:21 AM | 30/01/2025 01:20 AM | DE | |
| Huntington Hotel Group was founded in 1998 by Kevin Keefer and Brent Andrus with the vision of developing and managing premium brand select service hotels in markets with high barriers to entry. | Hospitality and Tourism | 09/01/2025 12:29 PM | 09/01/2025 12:28 PM | US | |
| Tharisa is an integrated resource group critical to the energy transition and decarbonisation of economies. It incorporates mining, processing, exploration, and the beneficiation, marketing, sales, and logistics of PGMs and chrome concentrates, using innovation and technology as enablers. | Energy | 17/12/2024 10:00 PM | 17/12/2024 08:57 PM | CY | |
| Watsonville Community Hospital is a community healthcare provider; a 106-bed facility that offers a comprehensive range of medical and surgical services to the culturally diverse tri-county area along California’s Central Coast. | Healthcare | 11/12/2024 09:07 PM | 05/12/2024 06:14 PM | US | |
| Blue Yonder Group, Inc. (formerly JDA Software Group) is an American supply chain management company operating as an independent subsidiary of Panasonic. Founded in 1985, the company is headquartered in Scottsdale, Arizona, with offices globally. Its acquisitions have included Yantriks, RedPrairie, i2 Technologies, Manugistics, E3, Intactix, and Arthur | Technology | 06/12/2024 11:59 AM | 06/12/2024 11:13 AM | US | |
| La Réunion lies in the southern Indian Ocean, between Mauritius and Madagascar, nearly 9,500 km from mainland France, and has more than 850,000 inhabitants. It is both a French overseas department and a French overseas region (DROM). | Public Sector | 20/11/2024 02:35 AM | 14/11/2024 08:43 PM | FR | |
| The Conseil scolaire Viamonde is a public-secular French first language school board, and manages elementary and secondary schools in the Ontario Peninsula and the Greater Golden Horseshoe. | Education | 17/11/2024 07:36 PM | 14/11/2024 08:38 PM | CA | |
| The Bundesvereinigung Lebenshilfe e. V. is a non-profit association founded in 1958. It sees itself as a self-help association and as an association of parents, professionals and service providers, in particular for people with disabilities and their families. Lebenshilfe thus supports people in participating equally in society. | Healthcare | 17/11/2024 07:35 PM | 13/11/2024 12:01 AM | DE | |
| OQ, formerly known as Oman Oil Company, is an energy investment company headquartered in Muscat, Oman. | Energy | 17/11/2024 07:32 PM | 12/11/2024 11:46 PM | OM | |
| Founded in 1936, Culligan Entreprises is a global water treatment company specializing in premium services and water treatment solutions. | Business Services | 17/11/2024 07:27 PM | 26/04/2024 12:00 AM | FR | |
| Operating from 1987, Nifast is a specialist of fastening components and automobile parts with a broad business scope of vendor approval, sourcing, quality assurance and delivery. | Manufacturing | 17/11/2024 07:24 PM | 12/11/2024 10:55 PM | US | |
Post breach actions
- Call a NCSC Cyber Incident Response approved supplier. Some NCSC providers will fund up to 48 hours of investigation into your incident.
- Report the incident to Report Fraud.
- Locate your business continuity plan. Work out what you can do without access to your systems and data.
- Identify your business insurance contact details.
Who are we and what experience do we have in responding to cyber incidents?
We are accredited to ISO 27001 and recognised by the UK’s National Cyber Security Centre (NCSC).
We provide comprehensive cyber risk management services, with a core focus on Digital Forensics and Incident Response (DFIR). Our capabilities are driven by a 24/7 Security Operations Centre and a dedicated in-house intelligence team that delivers timely, actionable threat reporting.
With decades of collective cyber security experience, we have the expertise to assume operational ownership of your entire IT security architecture – simplifying and strengthening cyber security across your business.
We are an Assured Service Provider for Cyber Incident Response (CIR) at the Standard Level. This accreditation demonstrates our ability to deliver high-assurance, effective support in response to a wide range of cyber threats.
Your NCSC-approved supplier is a specialist crime scene investigator who will:
- Isolate and preserve your environment for forensic investigation.
- Identify where the data has been duplicated and issue a legal takedown order.
- Identify your data, application and systems restore points. These might be at different points in time and will need to be carefully restored and reconstructed in a pristine environment.
- Liaise with your business insurance company and if needed, with the Police.
- Advise you on notifying your customers of your situation.
- Rebuild your systems, restore your data and get you back to full operation. Note: This process can take between 2 weeks – 2 months.
Working with us
Our response process
Our team are ransomware recovery specialists with a proven, streamlined approach to resolving incidents quickly and effectively.
Step 1: Triage
We deploy our incident response team the same day. From the first call, we begin onboarding, introduce key stakeholders, set communication schedules, and start gathering critical information to guide the response.
Step 2: Investigation
DFIR (Digital Forensic Incident Response) teams investigate breaches to identify vulnerabilities, attack vectors, and system impacts from ransomware such as Data Loss (PII). We deliver clear forensic insights to guide mitigation.
Step 3: Contain
Our onsite and remote teams act fast to stop the attack in its tracks. That includes isolating affected systems, removing malicious code, and putting protections in place to prevent further spread or damage.
Step 4: Remediate & Eradicate
Once contained, we work to fully eliminate the threat. This includes fixing exploited vulnerabilities, restoring systems to a secure state, and ensuring no traces of the attack remain.
Step 5: Recover
Our incident response teams help get your business back to normal. We restore access to systems, recover data, and ensure services are safe, stable, and functioning, with minimal downtime.
Step 6: Post Incident
We conduct a full review of the incident response and recovery efforts. Together we assess what happened, what worked, and what can be improved, helping you build stronger defences for the future.
Forensic analysis to drive recovery
Our process includes a thorough digital forensic analysis from step two where the output becomes a central component of business recovery. This is because understanding the attack is of critical importance:
- Informing an initial infection date
- The extent and spread of infection
- Data exfiltration having an impact on regulatory positions
- Ensuring that the attacker and any tooling or artefacts they leave behind are eradicated
It is critical that the analysis of digital evidence is carried out to an agreed plan.
Maximising early root cause discovery and legal leverage
The process is purpose-built to uncover the root cause as early as possible, which is essential to inform remediation / eradication and recovery as well as supporting a legal take-down case if this is applicable. A legal take-down means we can assist in the legal enforcement that stops the criminals from publishing the data, thus undermining the ransom notice.
Our Digital Forensic and Incident Response (DFIR) teams maintain consistent communication throughout. Dedicated Incident Managers and technical engineering leads provide updates during the Cyber Incident Response journey, utilising risk registers and working within change management processes, all from triage through to post-incident, delivering successful business recovery.
Key takeaways
- You will not be able to access your systems or data.
- It is advised to disconnect from the internet and shut down your systems, including PCs, to prevent further infections.
- Your Office 365 system might also be compromised, allowing the attackers to monitor your responses. Avoid communicating with individuals through your primary email or team systems.
- Threat actors typically infiltrate your system at least 2-4 weeks before you become aware of the attack. Your data will have already been exfiltrated. If your system is encrypted, this was not an overnight event.
- Ransom demands in the UK typically range from £500,000 to £3 million, with some sectors, like education, facing demands that exceed £5 million.
- Paying the ransom may violate financial sanctions, which is a criminal offence and could result in a custodial sentence or further financial penalties.
- If your data is sold or published online, it puts your customers and staff at risk, potentially implicating you in a Data Protection breach.
- You will need to submit a data takedown request to the initial location where the data was transferred.
- Do not overwrite the encrypted data. It is crucial to determine when the infection began and where the data was sent.
- Avoid rebuilding from the latest backup, as it is likely to be infected.
Why should I trust Zensec to do this work rather than my IT team?
A forensic analysis needs to be meticulous and a clean restore and recovery requires a wealth of experience not normally available in an in-house team who must provide a broader range of IT support skills:
- Internal IT teams don’t have the necessary skill set to resolve security encryption issues themselves.
- IT teams may recover to the same position with indicators of compromise ready to do it again… which can lead to another breach.
- Internal teams are pressured to restore business operations and may recover before forensic analysis even begins, potentially destroying the crime scene before completion.
We can help
Frequently asked questions
Key information when you’re under pressure.
The average cost of ransomware breaches hovers around £500K, while smaller email data breaches typically incur expenses of around £50K. A critical decision emerges between preserving the environment for forensic analysis or opting for swift recovery to minimise business disruption. Delays in identifying and resolving breaches only exacerbate costs.
Cyber security insurance claims entail a multifaceted process, encompassing reasonable expenditures for investigation and remediation, alongside coverage for legal, business interruption, criminal liability, employment liability, and ransom policies. While the insurance industry plays a pivotal role in facilitating business recovery, cyber insurance is perceived as volatile within the sector, and many policies require meticulous validation.
Facing genuine pressure, there's a crucial decision to make - one that could rescue your organisation from weeks of operational standstill, reputation damage, and client data loss. Yet, the probability of a favourable outcome remains slim, emphasising the importance of engaging a specialised ransomware incident response team. They are your most viable recourse for navigating a ransomware incident.
The NCSC have documented the deliberations for paying ransomware: https://www.ncsc.gov.uk/ransomware/home
Important Reminder: It is a criminal offense to pay money to people who are subject to financial sanctions. The list of who is subject to financial sanctions is constantly changing.
The latest iteration can be found here: https://www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets
A ransomware attack presents the most significant threat to your business by:
- Disabling your access to systems, which could hinder machinery operation or impede progress through your business processes.
- Blocking access to critical data concerning suppliers, shipments, customers, orders, or steps in your business workflow.
In the event of a business interruption, identifying your position in the supply chain and sustaining operations can be challenging. If the disruption continues, maintaining business continuity becomes critical. Once systems and data are restored, addressing backlogs and establishing future operational protocols are essential.
Ransomware ranks only behind receivership in terms of its capacity to incapacitate a business.
The NCSC is the UK National Cyber Security Centre. They provide cyber security guidance and support, helping to make the UK the safest place to live and work online. They have defined a Cyber Incident Response procedure and they have approved and accredited suppliers to provide this service.
As a recognised Assured Service Provider by the National Cyber Security Centre (NCSC), Zensec provide comprehensive cyber risk management services that are designed to Protect, Detect & Mitigate cyber security threats across the UK.
Report Fraud is the UK's national reporting centre for fraud and cybercrime. Whether you have been scammed, defrauded, or experienced cybercrime in England, Wales, or Northern Ireland, Report Fraud offers a central point of contact for information on fraud and financially motivated cybercrime.
https://www.reportfraud.police.uk/
https://www.actionfraud.police.uk/
Yes, but only through a controlled, forensic process. Effective removal requires isolating systems, identifying the encryption parameters, removing all malicious software, and ensuring that no persistent access or credential abuse remains. In today’s evolving threat landscape, ransomware operations like those of Termite are often sophisticated and stealthy, and initial access may be established weeks before detection.
This is a tactic also seen in other ransomware groups, increasing the risk of reinfection if not properly handled. Relying solely on antivirus or backup restores is insufficient, as these may overlook hidden security tools, scripts, or backdoors left behind. Additionally, care must be taken to protect any sensitive data that may have been exfiltrated before or during the attack.
No, cyber attacks and ransomware attacks are not the same, but ransomware attacks are a specific type of cyber attack.
Cyber attacks encompass a wide range of malicious activities targeting digital systems, including phishing, data theft, denial-of-service (DoS), and defense evasion, where attackers bypass security measures to gain unauthorised access. These attacks often involve tactics like command and control systems, which allow hackers to remotely control infected machines.
Ransomware attacks, on the other hand, are a form of cyber attack in which attackers use malware to encrypt a victim’s data or lock them out of their systems. Victims are then pressured to make ransom payments to regain access to their files or systems. Ransomware attacks often involve a command and control infrastructure as well, allowing attackers to deploy and manage the ransomware remotely.
Dealing with a ransomware attack?
Our ransomware recovery service can help
Our expert team works quickly to contain the breach, recover your data, and restore your systems to full operation. We’ll guide you through every step of the recovery process and help strengthen your defences to prevent future attacks. Regain control with Zensec - trusted support when it matters most.

