Royal Mail trials ‘operational workarounds’ following suspected ransomware attack
Royal Mail, the British postage and courier company, said on Wednesday evening it was “trialing operational workarounds” to get services moving again following a suspected ransomware attack.
The company announced it had been impacted by a “cyber incident” last week, although it has not confirmed that the incident was a ransomware attack.
The Record has seen a copy of an extortion note sent to Royal Mail, claiming to be from the LockBit ransomware group, and printed out using printers connected to the company’s network.
The unusual method of sending the note had prompted some speculation that it could have been delivered by a third party seeking to hijack any payment made to the actual attackers. However, Allan Liska, a security researcher employed by The Record’s parent company Recorded Future, confirmed that the URL in the ransomware note had previously been used in LockBit attacks last July and September.
At the time the incident was disclosed, Royal Mail said it was “experiencing severe service disruption” and warned customers it was “temporarily unable to despatch items to overseas destinations.”
In an update on Wednesday evening the company said: “We are pleased to announce that we have resumed the export of letters which do not require a customs declaration to all international destinations.”
However, Royal Mail has only begun to shift a limited number of its export posts and the company said “we continue to ask customers not to submit any new export parcels into the network. Our initial focus will be to clear mail that has already been processed and is waiting to be despatched.”
The postal company is one of the oldest organizations of its type operating in the world. It is considered to have been founded by Henry VIII in 1516 and was state-owned in various forms until being privatized in 2013.
Today the company is listed on the London Stock Exchange (LSE) and recorded revenues of just over £12.6 billion ($15.2 billion) in 2021.
Its share value has plummeted more than 50% since January 2022, though largely due to an ongoing dispute with labor unions rather than the cyberattack, with it down just over 5% over the past four weeks.
“Royal Mail continues to work with external experts, the security authorities and regulators to mitigate the impact of this cyber incident, with a focus on restoring all services for export letters and parcels. Our import operations continue to perform a full service with some minor delays. Domestic services remain unaffected,” the company stated on Wednesday.
The profile of ransomware attacks has been rising in the United Kingdom in recent months, with recent attacks on The Guardian newspaper and other high-profile brands.
As of last November, ransomware incidents had been responsible for the majority of the British government’s recent crisis management ‘Cobra’ meetings attended by officials across different government departments.
British government sources dealing directly with the ransomware issue told The Record they saw no light at the end of the tunnel, nor even the prospect of any improvements which could help the U.K. clamp down on the problem.
At the time they said they were seeing “an increasingly successful business model” with “ransom demands increasing” and “payments increasing” and it becoming “harder to avoid paying a ransom because the entire ecosystem is pushing that way.”
Royal Mail’s statement that it was trialing “operational workarounds” suggests that it has not attempted to make a ransom payment, although the company did not explicitly state whether it would do so if the workarounds failed.
The company added: “We would like to sincerely apologize to impacted customers for any disruption this incident may be causing. Please be assured our teams are working around the clock to fully resolve this situation.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.