Mallory

Termite

Also known as: termite

Termite is a ransomware/extortion group active since at least 2025 and tracked in reporting as a small, newer crew within a fragmented ransomware ecosystem. The group has been associated with double-extortion activity: claiming data theft, operating a dark web leak site, and in some cases publishing large multi-part data dumps. Broadcom stated that Termite ransomware encrypts victim files and directs victims to a dark web site to communicate about ransom payment. SentinelLABS cited Termite as one of several small, short-lived ransomware crews proliferating alongside increased brand mimicry and false claims in the ecosystem.

Victim reporting links Termite to incidents affecting multiple sectors and countries. Reported victims include Genea, an Australian IVF and fertility provider; Insight Hospital and Medical Center in Chicago; MedHelp Clinics in the United States; and News-Press & Gazette Company (NPG), a Missouri-based media firm. Broadcom said Termite had targeted a wide range of countries and sectors, including victims in France, Canada, Germany, Oman, and the United States. Cybernews stated its Ransomlooker tool showed at least 23 organizations impacted by the Termite gang during the past year, including Blue Yonder.

In the Genea incident, reporting attributed the attack to Termite and said the group claimed to hold hundreds of gigabytes of stolen files. Court materials cited in reporting stated that the attackers were present in Genea’s network for more than two weeks beginning on 31 January and exfiltrated 940.7 GB of data on 14 February. Genea said data published externally may have included contact details, Medicare numbers, medical histories, test results, medications, diagnoses, treatments, doctors’ notes, emergency contacts, and private health insurance details. Separate reporting said Termite posted proof-of-claim material, including screenshots of patient files, a file tree, and a downloadable archive of approximately 700 GB of Genea data.

In the Insight Hospital and Medical Center case, Termite added the organization to its leak site on 24 February and claimed to have exfiltrated 360 GB of confidential data, approximately 900,000 files. Reporting states the group leaked the data in multiple parts, including .jpeg and .dcm medical-image files. In another reported healthcare incident, Termite claimed to have accessed and removed around 25 GB of internal data from MedHelp Clinics. In the NPG incident, Termite claimed theft of financial and tax data, revenue reports, Excel budget files, employment details, passport photos, and other corporate files. Cybernews researchers who reviewed a sample said it contained both personal and corporate information, including the passport of NPG’s owner and employees’ contact details and home addresses.

The Cleo managed file transfer attacks were initially suspected to be the work of a new ransomware gang named Termite, but later reporting said Clop confirmed that operation was its own project. On the available reporting, Termite should therefore not be confidently attributed to the Cleo exploitation campaign. Known alias: termite.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Media & Entertainment
  • Commercial & Professional Services

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States

MITRE ATT&CK

Tradecraft

6 distinct techniques observed across reporting, grouped by tactic, with MITRE’s technique IDs for reference.

3 of 15 tactics · 7 techniques. ×N = number of intelligence reports citing this technique.
MITRE ATT&CK
TA0009 Collection (1 technique)
  • T1074 Data Staged

TA0010 Exfiltration (3 techniques)
  • T1020 Automated Exfiltration
  • T1041 Exfiltration Over C2 Channel (×2)
  • T1567 Exfiltration Over Web Service
      • T1567.002 Exfiltration to Cloud Storage

TA0040 Impact (2 techniques)
  • T1486 Data Encrypted for Impact
  • T1657 Financial Theft