LockBit cartel finally claims Royal Mail ransomware attack

The LockBit ransomware cartel has confirmed it was indeed behind the 10 January cyber attack on the systems of Royal Mail, which left the UK’s postal service unable to accept mail for international despatch, the ramifications of which are still being felt a month later.

The involvement of LockBit in the Royal Mail cyber attack was first posited on 13 January after copies of the ransom note were leaked. However, the group initially tried to disclaim responsibility, stating that the attack was the result of a leak of its source code by a disgruntled developer, and later that an affiliate had carried out the intrusion without the operator’s knowledge.

Although Royal Mail is still to confirm it is dealing with a ransomware attack, screenshots of LockBit’s dark web site seen by Computer Weekly confirm that the group is responsible for the postal service’s predicament.

The gang is threatening to leak unspecified data purloined from Royal Mail’s systems on 9 February if not paid off.

A Royal Mail spokesperson said: “Royal Mail is aware that an unauthorised third party has said it plans to publish some data allegedly obtained from our network. The cyber incident impacted a system concerned with shipping mail overseas. At this stage of the investigation, we believe that the vast majority of this data is made up of technical program files and administrative business data. All of the evidence suggests that this data contains no financial information or other sensitive customer information.

“We acted quickly to isolate and contain the issue and we have no evidence of any impact on the rest of the Royal Mail network. We immediately notified the Information Commissioner’s Office [ICO] as a precaution when we became aware of the cyber incident, and we continue to work closely with law enforcement agencies. Royal Mail sincerely apologises for any concern this development may cause.”

Ross Brewer, chief revenue officer at Simspace, a specialist in cyber ranges, training and “live fire” security exercises, commented: “This continues to highlight the need for proactive vigilance and continuous testing to prevent these situations. Given that Royal Mail is considered critical national infrastructure, we can expect to see extortionist ransom demands.

“A typical ransomware or advanced persistent threat follows a structured pattern. They like to do it quite ‘low and slow’ because they don’t want to be identified in order to get to their target. So typically, they’ll do it over a period of days, weeks or months, and this is why it’s important for organisations to train their staff so they can recognise the tell-tale signs of these intruders in the network and stop them before it becomes a critical problem,” he said.

The highly active LockBit organisation is rapidly becoming a thorn in the side of UK organisations on the strength of multiple attacks in recent weeks.

At the beginning of February, the gang hit the systems of Ion Group, a supplier of software to the financial services industry, in an incident that crippled the ability of many City of London traders to do their jobs effectively.

LockBit had threatened to publish Ion’s data on Saturday 4 February, but on Friday, it was delisted from the gang’s dark web leak site, and a LockBit spokesperson later confirmed to Reuters that a ransom had been paid by a “very rich unknown philanthropist”.

Whether or not this is true is unconfirmed, and Ion has steadfastly refused to comment further, but if a ransom was paid, this flies in the face of accepted cyber security best practice.

Brewer said: “71% of UK organisations faced ransomware last year – 13% of them unfortunately paid the ransom. However, this is inconsequential because the hackers have a digital copy of your data and are still able to sell it to another group on the dark web as they please. This is why many law enforcement organisations recommend against paying ransoms.”