LockBit ransomware group threatens Royal Mail with data leak deadline

Royal Mail is now listed on the LockBit ransomware group’s extortion site, with the criminals giving the company a deadline of Thursday, February 9, to make an extortion payment.

The listing, as is typical, claims “all available data will be published” without specifying what kinds of data the criminal group managed to steal. 

The British postage and courier company’s ability to dispatch parcels and letters to international recipients ground to a halt last month following what Royal Mail announced as a “cyber incident” on January 11.

An extortion note sent to the company by LockBit, and seen by The Record, claimed responsibility for the attack, although the listing itself was uploaded almost a month later. It was initially posted Monday before being updated Tuesday.

It is not clear what information the update provided as LockBit’s darknet website is notoriously unstable and is often unreachable.

The LockBit post is an indication that Royal Mail, which is listed on the London Stock Exchange (LSE) and recorded revenues of just over £12.6 billion ($15.2 billion) in 2021, has not paid a ransom or that negotiations have stalled.

The postal company said Tuesday it is aware "that an unauthorised third-party has said it plans to publish some data allegedly obtained from our network."

The vast majority of the data "is made up of technical program files and administrative business data," Royal Mail said. "All of the evidence suggests that this data contains no financial information or other sensitive customer information."

Royal Mail is one of the oldest organizations of its type operating in the world. It is considered to have been founded by Henry VIII in 1516 and was state-owned in various forms until being privatized in 2013.

Its share value has plummeted more than 50% since January 2022, though largely due to an ongoing dispute with labor unions rather than the cyberattack.

The attack makes Royal Mail one of LockBit’s many high-profile victims. The ransomware-as-a-service group is among the most prolific working online, with more than a thousand victims listed on its darknet site.

Read more: Undercover with the leader of LockBit

The incident affected a system associated with shipping mail overseas. Royal Mail said it was continuing “to make progress in exporting an increasing number of items to a growing number of international destinations.”

The company said it was using "alternative solutions and systems, which are not affected by the recent cyber incident" to get international parcels delivered that had been left clogging up its network in the wake of the attack.

"As a result of this progress and the continuing growth in capability of our alternative export solutions we have announced the restoration of many International export services,” the company said.

Royal Mail said it is still unable to process new parcels purchased through Post Office branches and encouraged customers who need to export items to use Parcelforce Worldwide service, or by dropping off items that have been labeled online.

"We are working hard to resume more services through Post Office branches and will provide further updates on these services as soon as possible,” the statement added.

The work to recover from the ransomware attack will be welcomed by British cyber authorities, who have stressed the importance of recovery as well as resistance to combat the impact of attacks.

Last March, the U.K.’s National Cyber Security Centre launched a ransomware hub “to support organizations improve their own resilience” which stressed “how you or your organization responds to and recovers from ransomware will hugely affect the impact of an attack.”

That hub was launched as the profile of ransomware attacks continued to rise in the United Kingdom, with recent attacks on The Guardian newspaper and other high-profile brands being a focus of national attention.

As of last November, ransomware incidents had been responsible for the majority of the British government’s recent crisis management “Cobra” meetings attended by officials across different government departments.

British government sources dealing directly with the ransomware issue told The Record they saw no light at the end of the tunnel, even of the prospect of any improvements which could help the U.K. clamp down on the problem.

At the time they said they were seeing “an increasingly successful business model” with “ransom demands increasing” and “payments increasing” and it becoming “harder to avoid paying a ransom because the entire ecosystem is pushing that way.”