Blue Yonder says some customers restored as ransomware gang boasts of attack

Panasonic-owned software giant Blue Yonder said several of its customers’ systems are back up and running, as the gang allegedly behind the incident came forward on Friday to boast about troves of stolen data.

A Blue Yonder spokesperson declined to speak about the claims made by the Termite ransomware gang or whether a ransom had been issued, but said the company is “making good progress” in recovering from the cyberattack that was initially announced ahead of the Thanksgiving holiday on November 21.

“Several of our impacted customers have been brought back online, and we are actively working directly with others to return them to normal business operations,” the spokesperson said.

“Blue Yonder has been working diligently together with external cybersecurity firms and hardened our defensive and forensic protocols.”

The company — which has been at the center of supply chain and operational issues for supermarkets, manufacturers and even companies like Starbucks — published a similar statement last weekend. 

On Friday, the Termite gang claimed it stole 680 GB of data that includes emails, insurance documents, company data and more. 

Cybersecurity expert Valéry Rieß-Marchive noted that the gang has been active since April and previously took credit for an attack on the government of French island nation Réunion. Termite has listed several victims across the world, many of which have not confirmed whether they have been attacked.

Some ransomware researchers have tied the code used by the gang to the Babuk ransomware family. Last week cybersecurity firm Trend Micro said there are still errors in the malware that the group is working out.

At least one security firm said Blue Yonder had been attacked by another ransomware gang in 2021. 

The company was acquired by Panasonic in 2021 for about $8.5 billion and provides systems for fulfillment, delivery and returns for more than 3,000 major companies across 76 countries.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 
