Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite

Has your vacation ever been interrupted by a ransomware incident? Mine was.

It was Thanksgiving week, and I had promised myself a break—a chance to recharge, disconnect, and enjoy time with my family in Florida. For once, I left my laptop behind. That plan didn’t last long. One morning, while watching the sunrise, messages started pouring in: Blue Yonder, a key supply chain provider for major retailers like Starbucks and Sainsbury’s, had been hit by a ransomware attack.

Black Kite customers can see where Blue Yonder affects its nth-party vendors in our Supply Chain module.

As a TPRM professional, I knew what this meant—ripples of disruption across countless interconnected businesses. Even on vacation, there’s no “off button” when it comes to managing third-party risks. I immediately reached out to the Black Kite Research and Intelligence Team (BRITE) that I lead. From my phone, I watched our team spring into action. Within hours, we had developed and delivered actionable insights, helping our clients assess their exposure and understand the downstream risks.

This incident drove home a critical truth:

In today’s hyperconnected world, supply chain risk isn’t something you can leave behind—even on vacation. It’s about more managing vendors; it’s about having the tools and intelligence to act quickly when cascading risks emerge.

In this blog, we’ll dive into the Blue Yonder ransomware attack, the rise of groups like Termite, and why new ransomware groups keep appearing. More importantly, we’ll explore how you can stay one step ahead in managing third-party and supply chain risks—so you don’t lose sleep, or your vacation, over the next big breach.

What Happened: The Blue Yonder Ransomware Incident

It started with an attack highlighting the growing risks in supply chain dependencies. On November 21, 2024, Blue Yonder—a key supply chain provider for global brands like Starbucks, Sainsbury’s, and Morrisons—fell victim to a ransomware attack. The impact rippled quickly, disrupting services many businesses relied on to manage employee schedules, warehouse operations, and supply chain logistics. For some, the fallout meant immediate operational delays; for others, it meant grappling with manual workarounds as they scrambled to keep shelves stocked and orders moving.

The group behind the attack, known as Termite, claimed responsibility a few days later, boasting about exfiltrating 680GB of data. Their dark web blog would later confirm the data breach, listing everything from internal emails to sensitive insurance documents. For Blue Yonder’s clients, this wasn’t just a vendor issue—it was a business continuity crisis. 

Meanwhile, our team at Black Kite moved quickly, leveraging our intelligence capabilities to identify impacted companies and guide them through their response.

Here’s how the incident unfolded:

  • November 21, 2024: Blue Yonder detected a ransomware attack targeting its managed services, disrupting key supply chain operations.
  • November 25, 2024: Media reports surfaced, revealing the widespread impact on businesses dependent on Blue Yonder.
  • November 27, 2024: Black Kite issued a FocusTag, providing customers with actionable intelligence to assess risks and engage with their vendors.
  • December 6, 2024: Termite published stolen data on their leak site, confirming the scale of the breach.
  • December 10, 2024: A vulnerability in Cleo file transfer software (CVE-2024-50623), linked to the attack, was disclosed. Black Kite issued another FocusTag to address this emerging risk.

The incident wasn’t just about Blue Yonder. It exposed how a single breach in the supply chain can snowball, impacting industries, businesses, and consumers alike. For those of us in the third-party risk management (TPRM) community, it’s a stark reminder:

Understanding your vendor relationships isn’t enough. You need to understand how their vulnerabilities can become your vulnerabilities.

This brings us to the bigger question: what does this mean for the TPRM and supply chain risk management community?

Why This Matters for the TPRM Community

The Blue Yonder ransomware attack exposed a crucial challenge for the TPRM community: understanding not just your vendors, but your vendors’ vendors. The ripple effects of this incident weren’t limited to companies directly relying on Blue Yonder’s supply chain solutions. Any organization whose third parties depended on Blue Yonder faced disruptions, even if they didn’t realize the connection beforehand.

This interconnected nature of modern supply chains creates risks that are often hidden until a breach occurs. Many organizations struggle with mapping these dependencies, leaving critical gaps in their risk management strategies. The Blue Yonder incident illustrates why knowing who is at risk is as important as knowing how the risk manifests.

Black Kite Supply Chain Module showing the concentration risk for Blue Yonder for a Black Kite customer.

For the TPRM community, this event highlights a few key lessons:

  1. Supply Chain Depth Matters: Risk doesn’t stop at your direct vendors. Businesses need to look deeper into their supply chains to identify dependencies and assess potential exposure.
  2. Hidden Vulnerabilities Multiply Risks: A vendor may seem low-risk on the surface, but its reliance on another compromised provider can bring unexpected consequences. The cascading nature of the Blue Yonder attack demonstrates how quickly these vulnerabilities can escalate.
  3. Targeting the Supply Chain: Ransomware groups are increasingly focused on supply chains because of the widespread impact they can achieve. The more connected an ecosystem is, the greater the potential for disruption.

Understanding these layers of risk is no longer optional. It’s essential for protecting operations and mitigating the fallout of third-party incidents. While assessing direct vendors is critical, a comprehensive approach to supply chain risk must go further, examining the relationships and dependencies that sit just below the surface.

The question for the TPRM community isn’t whether your organization is prepared to respond—it’s whether you know where to look before the next attack lands.

Understanding the risk is only part of the equation. To truly prepare, we need to understand the attackers themselves—who they are, how they operate, and why new ransomware groups seem to emerge every other week.

The Rise of Termite: A New Player in the Ransomware Ecosystem

Who is the Termite Ransomware Group?

Termite is a relatively new player in the ransomware ecosystem, but their operations suggest a group with significant capability and intent. They’ve already targeted industries spanning logistics, manufacturing, retail, and public services, with victims reported across North America, Europe, and Asia. Their choice of targets reflects a deliberate focus on high-impact sectors, particularly those integral to supply chains.

Termite Ransomware Group’s dark web main page, showing the alleged victims.

Interestingly, Termite has publicly announced only seven victims on their dark web leak site. However, the true number of organizations affected remains unknown. Ransomware groups often withhold some victims from public disclosure, either because negotiations are ongoing or because the victims have paid the ransom. This lack of transparency leaves a significant gap in understanding the full scale of Termite’s impact.

Termite Ransomware Group’s dark web Support Page.

What sets Termite apart is their use of ransomware closely resembling the Babuk family. Babuk, infamous for its efficient encryption and focus on industrial and supply chain sectors, had its source code leaked in mid-2021. Elements of Babuk’s methodology have since surfaced in various ransomware operations, and Termite appears to have adopted and refined these techniques.

By leveraging Babuk’s leaked code, Termite has likely reduced their development overhead, allowing them to scale their operations more efficiently while avoiding significant technical pitfalls.

How They Operate: Insights into Termite’s Tactics

While Termite’s full operational methods remain under investigation, certain tactics have been observed or suggested by researchers:

  • Critical Vulnerabilities:
    • Termite has exploited CVE-2024-50623, a vulnerability in Cleo Harmony, VLTrader, and LexiCom. This flaw allows remote code execution through unrestricted file uploads, enabling attackers to place malicious files in the autorun directory for automatic execution. This vulnerability has been observed in attacks targeting industries heavily reliant on file transfer systems.
  • Indicators of Compromise (IoCs):
    • IoCs associated with Termite have been published on platforms like VirusTotal, highlighting suspicious files and network activity. These include patterns of encoded malicious payloads and reconnaissance tools used for privilege escalation and lateral movement.
IoC details on VirusTotal for Termite Ransomware.

Additionally, researchers have speculated about inaccessible or outdated Fortinet VPN servers playing a role in Termite’s targeting, but this remains unverified and should be interpreted cautiously.

By focusing on unpatched vulnerabilities in critical systems, Termite has shown a strategic approach to targeting organizations with exploitable weaknesses, amplifying their impact across supply chains and interconnected networks.

Analyzing the Victims: Patterns Behind the Targets

When we examined the organizations impacted by Termite, a clear pattern emerged. These weren’t random attacks—they were calculated, deliberate strikes against companies with visible weaknesses. While we can’t confirm the exact vulnerabilities exploited, the signs of trouble were there well before the ransomware hit.

What did we find? Three factors stood out:

  1. Critical Vulnerabilities: ALL victims had critical vulnerabilities, including some listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. These are the kinds of vulnerabilities that make organizations stand out to attackers—visible, exploitable, and often overlooked.
  2. Leaked Credentials: In almost every case, we found fresh credentials—leaked within the last 90 days—circulating on dark web forums. Attackers don’t need advanced tools when they can simply log in with exposed passwords.
  3. Stealer Logs: Multiple victims were flagged in stealer logs, indicating malware infections that had already siphoned sensitive data like passwords, cookies, or session tokens. It’s like leaving the front door open in a neighborhood known for burglaries.

What this tells us is simple: these companies were sending the wrong signals to attackers. They didn’t just have vulnerabilities—they had vulnerabilities that attackers look for.

The Role of RSI: Turning Risk into Action

This is where the Ransomware Susceptibility Index (RSI) comes in. As one of the co-inventors of the methodology, I take great pride in how it helps organizations see what attackers see. RSI isn’t just a number—it’s a reflection of how attractive a company looks to a ransomware group.

RSI values of Termite Ransomware victims before they experienced the ransomware incident indicate they were “juicy targets.”

Ransomware, in general, is a rare event. Fewer than 10,000 companies worldwide have ever experienced a successful ransomware attack. That’s a tiny fraction when you consider the millions of businesses out there.

But here’s the catch: for certain companies, the odds are much higher. A high-impact company in a highly regulated industry located in a wealthy country and with visible weaknesses—what I like to call a “juicy target”—isn’t operating in the same reality as a well-fortified business. RSI captures this difference.

Power of RSI based on analysis over 4,700 ransomware victims and 250,000 non-victims.

When we talk to our customers, we emphasize that an RSI value of 0.4 is the critical threshold. Above that, the risk isn’t something you can ignore. It’s a warning sign, flashing like a beacon in the dark web where ransomware groups lurk looking for their next victim. In fact, nearly half of companies with an RSI above 0.8 become victims. In a world where ransomware is supposed to be rare, those numbers are staggering. They tell us that the risk isn’t random—it’s predictable. And the companies that don’t heed it? They’re the ones we often end up seeing in headlines.

This isn’t just a lesson for the companies impacted by Termite. It’s a lesson for anyone who thinks their risk ends at their firewalls. Understanding your vulnerabilities—and how they look to attackers—isn’t just smart; it’s necessary.

A Changing Ecosystem: The Proliferation of Ransomware Groups

One striking trend in the ransomware ecosystem is the rapid emergence of new groups. Every few weeks, a new group launches its dark web blog, often debuting with dozens of victims already listed. Termite is part of this wave.

This shift can be attributed to the collapse or rebranding of major groups like AlphV and LockBit. Some affiliates have pivoted to becoming operators themselves, while others may be remnants of older groups operating under new names. This churn creates instability in the ecosystem, but it also signals a growing sophistication among attackers. Groups like Termite are leveraging mature tactics—such as exploiting software vulnerabilities and maximizing supply chain impact—to establish themselves quickly.

Understanding this evolving ecosystem is critical for the TPRM community. It’s not just about tracking known ransomware groups—it’s about anticipating the next wave before it arrives.

How TPRM Professionals Should Respond

Events like the Blue Yonder ransomware attack highlight a key challenge in third-party risk management: the need for timely, actionable insights without overwhelming vendors. While asking questions is necessary, it’s equally important to recognize the burden vendors face when multiple clients demand answers during a crisis. A more proactive process using tools to identify potential risks and ransomware indicators and limit outreach to the most critical vendors help you to prioritize actions that will have the biggest impact.

Balancing the Need for Answers with Vendor Empathy

When incidents occur, vendors often receive identical questionnaires from several clients. This creates frustration, delays, and the potential for incomplete or rushed responses. To minimize this strain, TPRM professionals should focus on targeted, relevant questions and approach vendors with empathy. Acknowledging the challenges they face can lead to better collaboration and more accurate insights.

When reaching out to vendors, consider framing your questions with transparency and understanding:

“We understand you’re receiving inquiries from multiple clients during this challenging time. To help us assess any potential risks, could you share insights specific to your relationship with Blue Yonder?”

Key Questions to Ask

When reaching out to vendors, focus on gathering the most critical information to assess your exposure:

  1. Have you used Blue Yonder’s services recently or currently? If so, which ones?
  2. Have you experienced any disruptions related to Blue Yonder’s recent ransomware incident?
  3. Have you conducted a review of your systems for Indicators of Compromise (IoCs) linked to the Blue Yonder attack?
  4. What contingency measures are in place if Blue Yonder’s services are further disrupted?

Actions to Take When a Vendor Relies on Blue Yonder

If a vendor confirms reliance on Blue Yonder, consider the following steps:

  • Open Communication: Request regular updates about the vendor’s remediation efforts and the potential impact on your operations.
  • Collaborate on Mitigation: Work with the vendor to identify practical steps to reduce risks, such as reviewing affected systems or implementing additional controls.
  • Review Agreements: Examine contracts and SLAs to understand the vendor’s obligations during service disruptions and how they’re addressing them.
  • Encourage Contingency Planning: If not already in place, suggest backup plans or alternative solutions for services dependent on Blue Yonder.

Can We Be More Proactive?

Proactivity in TPRM is no longer a luxury; it’s a necessity. With tools like digital footprints, supply chain visibility maps, and third-party intelligence, TPRM professionals can identify potential risks before they become immediate threats.

For instance, instead of waiting for a vendor to disclose their relationship with Blue Yonder, professionals can use external intelligence to identify those connections proactively. By analyzing subdomains, IP address allocations, and other open-source data, you can create a clearer picture of your supply chain dependencies without relying solely on vendor responses.

Furthermore, proactive risk monitoring with methodologies like the Ransomware Susceptibility Index (RSI) can identify which vendors in your ecosystem are most at risk of ransomware attacks. This allows you to prioritize preemptive actions, such as targeted security reviews or recommending specific mitigations to vulnerable vendors.

In the end, visibility is key. You can’t secure what you can’t see, and understanding the web of relationships within your supply chain is essential for protecting your organization in a world where third-party incidents are becoming the norm.

Recognizing Questionnaire Fatigue

Proactive intelligence also reduces questionnaire fatigue on the vendor’s side. By knowing who is likely affected, you can limit outreach to only those vendors where risk is most apparent. This helps maintain trust and collaboration, ensuring that vendors don’t feel overwhelmed or undervalued.

The balance between asking questions and showing empathy is critical. Vendors are your partners in the supply chain, and their resilience is tied to yours. By taking a thoughtful, data-driven approach, TPRM professionals can build stronger relationships while protecting their organizations from cascading risks.

Operationalizing Intelligence: FocusTags for Blue Yonder and Cleo Vulnerability

Blue Yonder Client FocusTag™

When the Blue Yonder ransomware incident unfolded, the critical challenge for organizations was determining their exposure. Identifying whether vendors relied on Blue Yonder’s services—or were indirectly impacted—wasn’t always clear. To bridge this gap, we released the Blue Yonder Client FocusTag on November 27, just days after the incident entered the public domain.

Black Kite’s Blue Yonder Client FocusTag™ details.

How We Identified Blue Yonder Clients

To create the Blue Yonder FocusTag™, we relied on a comprehensive methodology rooted in publicly available information and open-source intelligence (OSINT). Our approach included:

  1. Blue Yonder’s Own Website and Customer Testimonials:
    • We reviewed case studies, customer testimonials, and success stories published by Blue Yonder to identify companies explicitly listed as clients. These firsthand sources provided strong indicators of relationships with Blue Yonder’s services.
  2. Cybersecurity News and Public Reports:
    • By analyzing industry-specific news and public reports about the Blue Yonder incident, we identified companies that were mentioned as impacted or associated with Blue Yonder’s services. Press releases and investigative journalism often provide critical clues in these scenarios.
  3. Job Postings:
    • Job descriptions and postings from various companies mentioning Blue Yonder skills or systems were another valuable source. These postings often indicate active or recent use of Blue Yonder’s solutions.

Transparency Through Confidence Levels

We understand that no intelligence process is perfect, which is why transparency is at the heart of every FocusTag™. For the Blue Yonder Client FocusTag™, we provided a confidence level based on the strength and reliability of our sources:

  • Very High confidence when derived from direct evidence such as Blue Yonder’s own materials or official testimonials.
  • High confidence for cases where vendor relationships were inferred from multiple direct and indirect sources like news or job postings in high volume.
  • Medium confidence for cases where vendor relationships were inferred from indirect sources like news or job postings.

This transparency allows our customers to prioritize their actions based on the reliability of the information. By knowing how we reached our conclusions, customers can better align their response strategies.

How Customers Operationalized the Blue Yonder FocusTag™

The FocusTag™ gave our customers a head start in managing risks related to the Blue Yonder incident. Here’s how they operationalized it:

  • Targeted Vendor Outreach: By filtering monitored vendors tagged with the Blue Yonder FocusTag™, customers could prioritize outreach to those potentially impacted. The confidence level provided clarity, helping them decide where to focus their efforts first.
  • Initiating Outreach Campaigns with Black Kite Bridge: Many customers used Black Kite Bridge™ to streamline their communication with vendors identified as susceptible to the Blue Yonder incident. Through Bridge, they launched outreach campaigns directly from the platform, requesting information or actions related to risk mitigation. This simplified the process, reducing time and effort while ensuring consistent communication.
  • SOC Integration: Security Operations Centers (SOCs) used the FocusTag™ to identify potential risks in their networks, cross-referencing IoCs linked to the Blue Yonder attack.
  • Investigating Concentration Risk with the Supply Chain Module: Customers leveraged the Black Kite Supply Chain module to assess their overall risk exposure, identifying the concentration of dependencies on Blue Yonder across their vendor ecosystem. This added layer of analysis helped them understand the broader implications of the incident and prepare for potential cascading effects.
  • Risk Mitigation: Armed with evidence from the tag, customers engaged vendors to verify their exposure and implement mitigation measures.

Customer Feedback on the Blue Yonder FocusTag™

The response from customers was overwhelmingly positive. Many noted that the FocusTag™ provided actionable insights faster than the disclosures from Blue Yonder or the impacted vendors. One customer shared how the tag helped their SOC team discover potential risks in their network, while others appreciated the speed and clarity of the intelligence, allowing them to act with precision during a chaotic event.

The addition of tools like Black Kite BridgeTM and the Supply Chain module further enhanced their ability to respond effectively. Bridge streamlined outreach, allowing customers to communicate with vendors quickly and consistently. The Supply Chain module provided critical insights into systemic risks, helping customers not just react but plan for similar incidents in the future.

The feedback reinforced the importance of timely, precise intelligence in third-party risk management, especially during fast-moving incidents like this one.

Cleo File Transfer FocusTag™

Another critical risk emerged after the Blue Yonder incident: the vulnerability in Cleo Harmony, VLTrader, and LexiCom (CVE-2024-50623). Cleo’s prominence in supply chain operations made this flaw a significant threat. Researchers have also suggested that Termite might be actively exploiting this vulnerability, further elevating its risk profile. To address it, we released the Cleo File Transfer FocusTag™ on December 10, providing actionable intelligence to our customers.

Black Kite’s CLEO File Transfer FocusTag™ details.

Identifying Risk from the Cleo Vulnerability

We used open-source intelligence (OSINT) and digital footprint analysis to pinpoint companies potentially exposed to this vulnerability. By analyzing public-facing IT asset details, we identified over 2,000 assets running vulnerable versions of Cleo products. This level of specificity—down to the exact IT asset and version—elevated the confidence level of this FocusTag to Very High.

The intelligence drew parallels to the infamous MOVEit vulnerability exploited by the Cl0p ransomware group in 2023. Like MOVEit, Cleo’s vulnerability allowed unauthorized file uploads and remote code execution, making it an attractive target for sophisticated threat actors.

How Customers Use the Cleo File Transfer FocusTag™

The Cleo FocusTag™ equipped our customers with actionable intelligence, eliminating the need for traditional vendor questionnaires. Instead of asking vendors if they used Cleo products, customers could share detailed risk intelligence, including:

  • The specific IT assets and versions running Cleo software.
  • Recommended actions for immediate remediation, such as patching to the latest version or disabling autorun functionality.

This intelligence was appreciated not only by customers but also by their vendors, who now had a clear understanding of the risk and steps to address it.

Tracking Remediations with Black Kite BridgeTM

Black Kite Bridge™ further streamlined the remediation process. Customers used Bridge™ to:

  • Share Intelligence: Instead of sending questionnaires, customers shared detailed FocusTag™ intelligence with vendors, saving time and reducing vendor fatigue.
  • Monitor Progress: Bridge allowed customers to track remediation efforts, such as patching and configuration changes, without repeated follow-ups.

By removing the guesswork from vendor communications, Black Kite Bridge™ ensures a more efficient and collaborative approach to managing risks.

Behind the Scenes: Making Critical Intelligence Possible

As I reflect on the Blue Yonder incident and the subsequent Cleo vulnerability, I’m reminded of the incredible teamwork and dedication that went into delivering timely, actionable intelligence to our customers. This level of service—anticipating risks, providing precise insights, and enabling proactive measures—doesn’t happen by chance. It’s the result of a collective effort across multiple teams.

The Black Kite Research and Intelligence Team (BRITE) works tirelessly to analyze data, identify patterns, and craft FocusTags that offer clarity during uncertainty. Their expertise turns chaos into actionable insights.

But BRITE isn’t alone in this effort. Our Customer Success and Customer Support teams ensure that every customer has the guidance they need to operationalize this intelligence. Whether through Black Kite Bridge, the Supply Chain module, or one-on-one support, they help customers turn risk awareness into effective action.

The Black Kite Product and Development teams deserve equal credit. Their work makes tools like FocusTags, Bridge, and our digital footprint capabilities possible, allowing us to deliver intelligence with precision and confidence.

These incidents are a reminder of the complexity and interconnectedness of today’s supply chains. But they’re also a testament to what’s possible when we combine cutting-edge technology with human expertise. As ransomware groups evolve, so must we. And thanks to the efforts of everyone involved, our customers are better equipped to navigate these challenges and protect their businesses.

At Black Kite, we don’t just provide intelligence—we empower action. And in moments like these, I couldn’t be prouder of the team that makes it all possible.

References

https://blueyonder.com/customer-update

https://www.bleepingcomputer.com/news/security/blue-yonder-ransomware-attack-disrupts-grocery-store-supply-chain

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

https://cyble.com/blog/technical-look-at-termite-ransomware-blue-yonder

https://www.broadcom.com/support/security-center/protection-bulletin/termite-ransomware

https://therecord.media/blue-yonder-cyberattack-customer-systems-returning

https://twitter.com/valerymarchive/status/1858508329321931132?s=46&t=u19CbogN0TP7iqFc4MlyEQ

https://www.virustotal.com/gui/file/f0ec54b9dc2e64c214e92b521933cee172283ff5c942cf84fae4ec5b03abab55

Check out our interactive ebook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events