UK’s Royal Post Refuses to Pay a £67 million Ransomware Demand

Written by staff writer.

The hackers behind a ransomware attack on the UK’s Royal Mail have demanded £67 million (AU$117.3 million) in exchange for decryption keys, an amount the Royal Mail’s board has called absurd.

The ransom demand follows an early January cyber-attack on the UK postal entity that significantly disrupted international shipments, at one stage forcing it to stop receiving shipments, and continues to cause problems. The negotiations also revealed that, in addition to encrypting software dealing with shipments, the hackers stole data during the attack.

“Is this showing all the data you have taken from us?” asks the Royal Mail negotiator on January 12 after the hackers supplied a link to some data files.

After quietly negotiating for weeks, the LockBit ransomware group publicly admitted responsibility on February 7. In a sign their patience was wearing thin, they threatened to start leaking data if the Royal Mail did not meet their ransom demands. The LockBit group originated in Russia. They produce malware of the same name. They also make it available as a ransomware-for-hire product to malicious actors located anywhere in the world.

In late January, the Royal Mail rejected the initial £67 million ransom demand. “Under no circumstances will we pay you the absurd amount of money you have demanded,” the transcript shows their negotiator saying.

Cybersecurity experts say it is unusual for an entire negotiation transcript to be released. The dialogue shows the Royal Mail negotiator working through a series of steps to buy time, establish a relationship with the LockBit negotiator, and ultimately attempt to resolve the issue.

“Instead of negotiations being opaque, companies now have an unexpected insight into how ransomware groups’ minds work and how a negotiation might play out,” said David Bicknell, a principal analyst at Global Data. “LockBit demanded a ransom figure Royal Mail could not countenance paying… Boards must understand that ransomware could be a potential wrecking ball to their business.”

“You need to pay,” said the LockBit negotiator on February 4. “If you want a discount, then make a counteroffer. We are here to have constructive negotiations, not for me to give you a discount after every bluff you make until you say I’m fine with getting a free decryptor and free removal of stolen information.”

For four weeks, the two negotiators maintained a dialogue. The Royal Mail negotiator said the LockBit negotiator misunderstood the postal entity’s financial resources and that the cyber-attack was delaying the shipment of vital medical supplies. On the other side, the LockBit negotiator argued the Royal Mail negotiator was bluffing, buying time, and attempting to avoid any payment.

On February 6, the LockBit negotiator ran out of patience. “The data is ready to be published, and the decryptor is ready to be deleted,” he said. “You have had plenty of time to make your decision. Your time is up.”

Six weeks after the cyber-attack, the software behind the Royal Mail’s international shipments remains encrypted. It is forcing the postal provider to implement workarounds in some cases and suspend services in other cases, including the shipment of parcels and large letters requiring a customs declaration purchased through post office branches. The Royal Mail says they continue to work to restore services and resolve the “incident.”
