Royal Mail's international deliveries in limbo after hack

UK postal and parcel service still locked in £65 million stand-off with ransomware hackers

Royal Mail has been subjected to a £65 million ransom demand. EPA

The UK postal and parcel delivery company, Royal Mail, has been unable to give a date for when its international operations will resume as it remains locked in a stand-off with hackers.

The cyberattack could potentially end in a large-scale leak of company information.

Had you posted a Valentine's card in the UK earlier this week, you wouldn't have noticed any difference in the level of service.

But the hackers severely affected the international operations of the UK's main postal service last month and it has since been scrabbling to find workarounds to the problem.

People in the UK remain unable to send packages abroad from post offices across the country, while international deliveries may “take slightly longer than usual”, Royal Mail warned online.

"At this time, we are unable to process new Royal Mail parcels and large letters requiring a customs declaration purchased through Post Office branches. We are working hard to resume more services through Post Office branches and will provide further updates on these as soon as possible," the company said.

Who carried out the hack attack?

The LockBit ransomware cartel, which is suspected of having roots in Russia, earlier this month confirmed the January 10 attack on Royal Mail.

It then threatened to release data stolen from Royal Mail's systems if a £65.7 million ($79.25 million) ransom was not paid by February 9.

When that date came and went, it seems LockBit then released a transcript of conversations on the dark web between it and Royal Mail's negotiator.

LockBit came up with the ransom figure, claiming it was 0.5 per cent of the company's revenue.

It said the ransom would be far less than any potential fine that would be slapped on Royal Mail if it allowed its data to be made public.

Under EU data protection laws, which have been retained in the UK since Brexit, companies can be fined up to 4 per cent of their annual revenue if they lose personal data.

“As long as we haven’t published any of your files, you can’t be fined,” the LockBit hacker said.

However, this drew an angry response from Royal Mail's negotiator, who claimed LockBit had confused Royal Mail's revenue with that of its parent company, International Distribution Services (IDS).

“All we have had is losses,” the negotiator wrote, pointing LockBit towards online articles written about financial losses and job cuts at Royal Mail.

“Under no circumstances will we pay you the absurd amount of money you have demanded.”

Ransomware groups will often edit, tweak or fabricate parts of the negotiations they release, so it is not possible to confirm that part or all of the conversation logs are genuine.

Royal Mail has yet to officially confirm that LockBit breached its defences, encrypted its data and is now holding it to ransom.

“As there is an ongoing investigation, law enforcement has advised that it would be inappropriate to make any further comment on this incident,” a Royal Mail representative told The National.

“It is rare for the details of ransomware negotiations to find their way into the public domain. Those responsible for company cyber breach plans must learn lessons from them,” said David Bicknell, Principal Analyst at GlobalData.

“Instead of negotiations being opaque, companies now have an unexpected insight into how ransomware groups’ minds work and how a negotiation might play out. They can also plan for the extent of a ransomware demand. LockBit demanded a ransom figure Royal Mail could not countenance paying.”

“No-one will reasonably expect a company board to authorize a ransom payment of $80 million, unless the accountants said it was necessary to safeguard the business’s future.”

“Boards must understand that ransomware could be a potential wrecking ball to their business. The time to develop an anti-ransomware strategy and enlist the help of cyber experts is before an attack happens.”

Ransoms paid?

LockBit has previous form in this area. Disruption caused by a ransomware attack on financial data firm ION Group late last month is continuing to be felt.

The incident impaired the ability of many City of London traders to do their jobs effectively and was still having a knock-on effect on the commodity derivatives operations of the exchange company Euronext a week later.

On Friday, February 3, the day before LockBit had threatened to release ION data, a spokesman for the hackers told Reuters that a ransom had been paid by a “very rich, unknown philanthropist”.

Updated: February 16, 2023, 1:18 PM