Royal Mail hackers demanded £65mn ransom

Cyber-attackers release their version of stalled talks about pay-off. UK postal group is at risk of data release

LockBit, the hacking group that encrypted Royal Mail data, demanded a £65.7mn ransom. The postal group’s board seems to have rejected the demand, setting the stage for a large-scale leakage of company information.

According to LockBit, negotiations with hackers ended after three weeks of back and forth that included discussions about Royal Mail revenues and the company’s business challenges.

Hackers demanded a new negotiator and threatened to release large quantities of Royal Mail data if negotiations fail completely. Since its online defenses were defeated by LockBit, the UK’s largest provider of postal services has been trying to restore overseas parcel delivery.

LockBit claimed it was demanding 0.5% of the revenues from “Royal Mail International”, possibly referring to the annual sales by parent company International Distribution Services. This led to an argument between the hackers and the Royal Mail negotiator.

According to leaked chats, the negotiator stated: “Under no circumstances will I pay you the absurd sum of money you have requested. Our board could not take this amount seriously.”

When asked by hackers to estimate company revenues, the negotiator said that all he had was losses... “Google has many articles about our current financial situation.”

IDS’s international parcels business remains profitable, but Royal Mail UK is in serious financial trouble. It has suffered from a declining letter business and several months of strike action.

Royal Mail refused to comment on the authenticity of the leaked chats. Ransomware hackers often release communications to increase pressure on their victims.

A spokesperson stated that law enforcement had advised that there was an ongoing investigation and it would not be appropriate to comment further on the incident.

Ransomware groups may alter or forge certain parts of the negotiations that they release. It was impossible to confirm that these were the last communications between the two parties.

Royal Mail has not yet confirmed that LockBit has breached its cyber defences and encrypted its data, and is now holding it hostage.

However, its international services were rendered inoperable after it was targeted in early January. Royal Mail is looking for solutions and customers can now send letters and parcels overseas via its website. Royal Mail warns that international delivery may take longer than usual and Britons can still not send packages overseas from Post Offices in the UK.

LockBit is a new but very active player in a criminal syndication system called “Ransomware as a Service”. This is where hackers share their methods and bespoke malware with junior hackers and help negotiate when they land a major target.

Security researchers believe that Royal Mail will be the most targeted group in the world by 2023. Royal Mail seems to have abandoned the negotiations after being offered a 12.5% discount on the original ransom.

LockBit was asked by the Royal Mail negotiator to wait until it received a response. This was around February 3. LockBit has not responded to this request.

“These conversations show how prepared LockBit is when it comes to these negotiations. They have all the information about the victim, including revenue, size, and regulations applicable in the victim’s home country,” said Shmuel Gihon of CyberInt, a security researcher who has closely followed the group.

The negotiator may have once asked for help to decrypt large files, saying that it would allow Royal Mail to send out crucial medical equipment. However, LockBit rebuffed him, suspecting a plan to decrypt critical files that would allow Royal Mail functionality to be restored.

The LockBit negotiator stated, “You are a very smart negotiator – I appreciate your experience with stalling or bamboozling.”