Royal Mail promises ‘workarounds’ to restore services after ransomware attack

Royal Mail CEO Simon Thompson has apologised to consumer and business customers impacted by a likely LockBit ransomware attack on its systems, which has left the postal service unable to dispatch letters and parcels to overseas destinations, and promised a “workaround” will be in place in the near future

Giving evidence before the Department for Business, Energy and Industrial Strategy (BEIS) Committee this morning on the Royal Mail’s ongoing dispute with the Communications Workers Union (CWU) – in which one MP described his leadership as “toxic and confrontational” – Thompson declined to provide any further details of the incident, which began on Tuesday 10 January and became public knowledge on Wednesday 11 January.

“I have been told that to discuss any fine details or any additional details on this particular topic at this point in time would actually be detrimental,” he said.

“The situation that we have is that for export parcels and letters through our postal services, we are no longer able to provide that service. But our domestic reality is that nothing has changed, all of those services are working well, and from an import perspective as well everything is working.”

“What we said to our customers within a day of realising what had gone on with this cyber incident … is not to send us any letters and parcels at this point in time for postal export, and that situation and advice remains the same today.”

Taking questions from Ruth Edwards, Conservative MP for Rushcliffe, Thompson said that the incident was ongoing.

“My sense is – and the team has been working on workarounds so that we can get the service up and running again – that I think that in the very near future we’ll have some more news to share…We believe that in the very, very near future we’ll be able to give some more information to customers around the workarounds that we’ve implemented.”

Thompson added that based on the current state of the investigation, there was no evidence that any customer data had been compromised, although the organisation is prepared for that situation to change, and has already notified the incident to the Information Commissioner's Office (ICO) as a precaution.

But with vital systems still inaccessible a week after the attack began, there are growing concerns, particularly among small and micro-business owners, that their inability to dispatch items to overseas customers is causing them financial and reputational damage that may soon become irreparable.

Speaking to the BBC, multiple business owners said that they were disappointed with a lack of communication from Royal Mail, and that while their customers had been understanding, they were starting to run out of patience.

The trouble caused by the cessation of Royal Mail’s export services is being compounded by existing backlogs and delays that have arisen from strike action.

Meanwhile, the LockBit ransomware cartel alleged to be behind the attack has continued to deny full responsibility, maintaining at first that the attack was the result of a leak of its source code, and later that an affiliate had carried out the attack without its knowledge, according to statements from its alleged support representative, shared and translated via Twitter.

The gang’s representative supposedly said that their work was very stressful and they did not have time to keep tabs on everybody.

All statements released by ransomware operators should always be taken with a large pinch of salt, but given Royal Mail’s prominence as an important element of the UK’s critical national infrastructure (CNI), LockBit’s leadership may sense a need to step back from the attack, given the potential scale of the response from the security services, specifically GCHQ and the National Cyber Security Centre (NCSC), which is already on the case.

“If the attack against Royal Mail was in fact carried out by a LockBit affiliate, the RaaS [ransomware as a service] could be trying to distance itself from what it regards as a high-profile victim, which has been the downfall of ransomware gangs in the past,” said Louise Ferrett, threat intelligence analyst at Searchlight Cyber.

Previous high-profile ransomware attacks against CNI operators have spelled the end for other ransomware gangs, famously the DarkSide cartel, which shut up shop after the US authorities seized its infrastructure and recovered a substantial part of the payment made by Colonial Pipeline in 2021.

Note there is some unproven evidence to suggest a direct line between DarkSide and LockBit through the now also-defunct BlackMatter group, which arose in the summer of 2021. The two ransomware executables seem to share multiple code similarities, according to analysis by Sophos.