Rido - stock.adobe.com

LockBit cartel suspected of Royal Mail cyber attack

The still-developing cyber incident at Royal Mail may be the work of the infamous LockBit ransomware operation

The infamous LockBit ransomware cartel is suspected of being behind an ongoing cyber security incident at the UK’s Royal Mail, which has crippled IT systems and left the postal service unable to dispatch letters and parcels overseas.

Leaked copies of the ransomware note appear to identify the prolific Russia-based gang as the culprits. As is standard practice, the perpetrators claimed to have both encrypted and stolen Royal Mail’s data. The value of the ransom being demanded was not disclosed, although it is likely to be at the high end of the scale.

Although the ransom note is understood to include genuine links to dark web leak sites and negotiation tools used by LockBit, security news website Bleeping Computer earlier reported there is a chance that the threat actor behind the attack is using a leaked version of LockBit’s ransomware builder and may not be directly associated with the gang.

Royal Mail has neither confirmed nor denied the veracity of the claims. In a service update earlier this morning (Friday 13 January), the organisation said: “Royal Mail is experiencing severe service disruption to our international export services following a cyber incident.

“We are temporarily unable to despatch items to overseas destinations. We strongly recommend that you temporarily hold any export mail items while we work to resolve the issue. Items that have already been despatched may be subject to delays. We would like to sincerely apologise to impacted customers for any disruption this incident is causing.

“Our import operations continue to perform a full service, with some minor delays. Parcelforce Worldwide export services are still operating to all international destinations though customers should expect delays of one to two days.

“Our teams are working around the clock to resolve this disruption and we will update you as soon as we have more information. We immediately launched an investigation into the incident and we are working with external experts. We have reported the incident to our regulators and the relevant security authorities.”

Multiple victims

LockBit has claimed multiple victims in the UK in the past six months – including NHS software supplier Advanced – and is one of the most highly active ransomware cartels on the current scene.

It is also considered to be one of the more sophisticated operations in play, and its locker malware is regularly updated and upgraded to make it a more dangerous threat, and to throw investigators, researchers and journalists off the gang’s scent.

One of its most recent high-profile attacks took place on Christmas Day 2022, against the Port of Lisbon Administration (APL) in Portugal.

Read more about LockBit ransomware

Tim Mitchell, Secureworks Counter Threat Unit senior security researcher, said: “If this was the work of LockBit, the scale of the impact of the incident will very much depend on the particular affiliate involved.

“The core individuals behind LockBit ransomware run arguably the most prolific ransomware-as-a-service scheme, so it’s no wonder it accounted for nearly a third of named victims across all ransomware leak sites in 2022,” he said.

“LockBit has been used to perform everything from broad network-wide encryptions that have crippled organisations through to deploying ransomware to only a few hosts with limited impact on the victim's operations.

“Until we know the details of this incident, we won’t know for sure how impactful this will be long term on Royal Mail,” added Mitchell.

Orange Cyberdefense head of UK strategy, Dominic Trott, said as a result of a previous customer data leak in November 2022 that forced Royal Mail to temporarily suspend its Click and Drop online service, the organisation may have been better able to respond to the current attack.

“This earlier breach means it has had recent ‘practice’ of the UK Information Commissioner’s Office (ICO) mandatory breach notification process. Nonetheless, Royal Mail will have been well prepared for this type of incident, and it has clearly made the necessary authorities aware in a timely manner to limit the potential damage,” said Trott.

“Specifically, it has already publicised that it is working with the UK’s National Cyber Security Centre and the ICO to investigate the incident. But further, as a component of the UK’s critical national infrastructure as determined within UK law by the Network and Information Systems Directive, it must adhere to higher standards of operational resilience – including from a cyber resilience perspective – than most organisations.”

Read more on Data breach incident management and recovery

Data Center
Data Management