The LockBit ransomware gang has leaked a tranche of data exfiltrated from Royal Mail’s IT systems during its January 2022 cyber attack, and set a fresh ransom demand of £33m as it renews its efforts to force the postal service to cough up.
The prolific Russian-speaking ransomware operation had previously set a £66m ransom demand – which Royal Mail rejected as an “absurd” amount of money – before dropping it to approximately £47m.
It cut off negotiations with the postal service on or around 9 February but, despite its initial threats, did not release any of the data it stole until 23 February, when a 44GB dump was leaked via its dark web site.
According to preliminary analysis, the contents of the files relate to various parts of Royal Mail’s business, and include technical information, contracts with third-party suppliers, human resource and staff disciplinary records, details of salaries and overtime payments, and even one staff member’s Covid-19 vaccination records.
A Royal Mail spokesperson said: “Royal Mail is aware that an unauthorised third party has published some data allegedly obtained from our network. The cyber incident impacted a system concerned with shipping mail overseas.
“At this stage of the investigation, we believe that the vast majority of this data is made up of technical program files and administrative business data. All of the evidence suggests that this data contains no financial information or other sensitive customer information. We continue to work closely with law enforcement agencies,” they said.
The impact of the January attack on Royal Mail’s customers has now largely passed, with the last remaining international services through Post Office branches restored earlier this week.
At the peak of disruption, the organisation was entirely unable to process or dispatch any letters or parcels to destinations outside the UK, leaving many small business owners who rely on its services to ship goods to customers overseas in an extremely difficult position.
At the time of writing, Royal Mail said it was currently processing “close to normal” daily volumes of mail, with some residual delays, and while things are returning to normal, it is possible that customers may still encounter some issues when sending letters and parcels abroad over the coming days and weeks.
The Post Office, meanwhile, has said it will increase remuneration for postmasters for a time to help them recover some of the business they lost to the service disruption.
Tim Mitchell, security researcher and LockBit thematic lead at Secureworks, commented: “The majority of attacks on organisations by gangs like LockBit are opportunistic, exploiting a vulnerability or stolen credentials and grabbing whatever data they can regardless of what it is. But it’s important to remember that even if the data doesn’t contain PII [personally identifiable information] or what Royal Mail would consider sensitive, it could still be valuable to threat actors.
“Royal Mail might not deem the data that was stolen, and has now been published, as sensitive, but that didn’t stop its international operations being significantly impacted for six weeks. Regardless of the financial ransom demand, the operational pain that LockBit has caused the business is proof of the damage ransomware can inflict on an organisation,” said Mitchell.
Read more about the attack on Royal Mail
- 11 January: UK postal service Royal Mail is asking customers not to send any overseas letters or parcels while it deals with the impact of an ongoing cyber attack.
- 13 January: The still-developing cyber incident at Royal Mail may be the work of the infamous LockBit ransomware operation.
- 17 January: Royal Mail CEO Simon Thompson apologises to customers whose businesses are being disrupted by a ransomware attack and promises a “workaround” will be in place in the near future.
- 19 January: Royal Mail has resumed limited international services after putting in place operational workarounds to bypass the impact of a ransomware attack.
- 23 January: Royal Mail asks customers to hold back from sending post overseas as some services get back on track, while a report warns that disruptive attacks on critical infrastructure are set to become more common.
- 26 January: Royal Mail has successfully stood up its International Tracked and Signed, and International Signed, services as it continues to recover from a ransomware attack.
- 31 January: Royal Mail is making further progress in recovering IT systems hit by a ransomware attack, and has re-enabled another tranche of international export services.
- 6 February: Royal Mail has restored almost all of its international services to some extent, but remains unable to accept parcels bought over the counter in a Post Office branch.
- 7 February: The LockBit ransomware gang claims it has stolen sensitive data from Royal Mail and will leak it later this week if its demands go unmet.
- 15 February: Leaked chat logs reveal Royal Mail has supposedly refused to pay a £66m ransom demand from the LockBit ransomware gang.
- 21 February: Royal Mail resumes the last of its international services as it recovers from a ransomware attack, while the Post Office offers postmasters compensation for their lost business.