Blue Yonder SaaS giant breached by Termite ransomware gang

​The Termite ransomware gang has officially claimed responsibility for the November breach of software as a service (SaaS) provider Blue Yonder.

Blue Yonder (formerly JDA Software and operating as a Panasonic subsidiary) is an Arizona-based worldwide supply chain software provider for retailers, manufacturers, and logistics providers.

Its list of over 3,000 customers includes other high-profile companies like Microsoft, Renault, Bayer, Tesco, Lenovo, DHL, 3M, Ace Hardware, Procter & Gamble, Carlsberg, Dole, Wallgreens, Western Digital, and 7-Eleven.

BleepingComputer had previously heard that Termite was behind the attack on Blue Yonder, but this could not be independently confirmed.

This incident has led to a wave of outages affecting customers using the company's software, including the U.S. coffeehouse chain Starbucks and the Morrisons and Sainsbury's supermarket chains in the United Kingdom, due to disruptions affecting Blue Yonder's managed services hosted environment.

Starbucks said it was forced to pay baristas manually after the ransomware attack affected the software tracking work schedules across over 10,000 stores. French pen manufacturer BIC was also hit by shipping delays, while Morrisons revealed that the incident impacted its warehouse management systems for fresh foods.

According to an update added over the weekend to the company's official security incident tracking page, Blue Yonder has since brought back online some of the impacted customers and is now working with external cybersecurity experts to help others return to normal business operations.

A week earlier, Blue Yonder said that its team is "working around the clock to respond to this incident and continues to make progress."

A Blue Yonder spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

While the company has yet to reveal how many of its customers were impacted and if the attackers had stolen any data from its compromised systems, the Termite ransomware gang has now claimed the attack today, saying they stole 680GB of files.

​"Our team got 680gb of data such as DB dumps Email lists for future attacks (over 16000) Documents (over 200000) Reports Insurance documents," the threat actors claim on their leak site.

Termite is a newly emerged ransomware operation that surfaced in mid-October, according to threat intelligence company Cyjax. It has since listed seven victims on its dark web portal from various industry sectors and from all over the world, including Blue Yonder.

Like other ransomware gangs, this cybercrime group is involved in data theft, extortion, and encryption attacks.

According to cybersecurity firm Trend Micro, they're using a version of the Babuk encryptor leaked in September 2021, which will drop a How To Restore Your Files.txt ransom note on the victims' encrypted systems.

Trend Micro also said that Termite's ransomware encryptor is still likely a work in progress, given that it will terminate prematurely because of a code execution flaw.