
LockBit Ransomware Claims Royal Mail Breach, But No Data Is Released Yet

The LockBit ransomware group claimed responsibility for the attack on Royal Mail, but the deadline it set for the ransom has passed with no data made public.

LockBit has confirmed that it was responsible for the cyberattack on Royal Mail’s systems on January 10, which stopped the UK postal service from accepting mail for international distribution. The effects of this attack are still being felt a month later.

Allegations about LockBit’s involvement in the Royal Mail cyberattack first appeared after copies of the ransom letter leaked on January 13. The group initially tried to deny responsibility for the attack, claiming that a disgruntled developer had leaked its source code. Later, they claimed that an associate had carried out the breach without the operator’s permission.

The ransom notes printed at Royal Mail linked to LockBit’s Tor negotiation and data leak sites rather than ones run by another threat actor, but LockBit Support was unable to explain why.

LockBit ransom note Printed (Daniel Card)

On February 7, the LockBit ransomware group warned that if Royal Mail failed to meet its ransom demands, it would reveal the data taken from Royal Mail on February 9. However, as of Friday morning, February 10, various reports on Twitter suggest that the data is not available, despite LockBit’s claim that it had been released.

LockBit Warning on website (Bleeping Computer)

LockBit demanded a ransom of $80 million, or 0.5% of Royal Mail’s annual revenue.

According to LockBit’s screenshots, the unnamed negotiator for Royal Mail said:

Under no circumstances will we pay you the absurd amount of money you have demanded. We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board.

On February 1, LockBit reportedly offered a smaller ransom, reducing the amount to $70 million.

Royal Mail said on Twitter that online postal purchases for International Standard and International Economy had resumed.

Royal Mail said in a statement that it is successfully delivering packages and mail using other systems that weren’t affected by the ransomware attack.

According to the spokesperson at Royal Mail:

All of the evidence suggests that this data contains no financial information or other sensitive customer information. We acted quickly to isolate and contain the issue and we have no evidence of any impact on the rest of the Royal Mail network.

The event was also reported to UK security services and was investigated by the National Crime Agency and the UK National Cyber Security Centre (NCSC).

Organisations have been advised against paying ransom requests by the UK’s National Cyber Security Centre. This is because paying the ransom doesn’t minimize the risk to people, isn’t required by data protection laws, and isn’t seen as a reasonable step to protect data. The FBI also advises victims to take necessary precautions such as backing up their data instead of dealing with ransom demands.

Additionally, the postal behemoth is still experiencing service interruptions because of the cyberattack more than a month later. In an update on February 15 (the company is updating daily), it claimed that progress has been made and that online shopping for overseas services has been resumed for all locations. However, it still cannot process freshly delivered Royal Mail packages and bulky letters that came from Post Office locations and needed a claim form.

Successful ransomware attacks are most often preceded by phishing emails. Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.
