Royal Mail hackers demanded £65mn ransom
The LockBit hacking group that encrypted Royal Mail data sought a £65.7mn ransom from the company, a demand that the postal group’s board appears to have rebuffed, setting the stage for a potential large-scale leak of company information.
Negotiations with the hackers fell apart after more than three weeks of back-and-forth that included discussions of Royal Mail revenues and the company’s business challenges, according to a log of the conversations released by LockBit.
The hackers demanded a new negotiator and have threatened to release large amounts of Royal Mail data if negotiations fail completely. The UK’s main provider of postal services has been racing to restore overseas parcel deliveries since its online defences were defeated by the LockBit group.
LockBit said it was demanding 0.5 per cent of the revenues of “Royal Mail International”, presumably referring to the annual sales of parent company International Distribution Services, which resulted in an argument between the unnamed Royal Mail negotiator and the hackers.
“Under no circumstances will we pay you the absurd amount of money you have demanded,” the negotiator said, according to the leaked chats. “This is an amount that could never be taken seriously by our board.”
Earlier, when asked by the hackers to estimate the company’s revenues, the negotiator lamented: “All we have had is losses . . . there are several articles on Google about our financial situation and how bad it is currently.”
Although IDS’s lucrative international parcels business has remained profitable, UK-based Royal Mail is losing money as it suffers from a declining letters business and several months of strike action.
Royal Mail declined to comment on the authenticity of the leaked chats. It is not uncommon during ransomware negotiations for hackers to release these communications in order to add pressure on their victims. The chats were first reported by ITpro.co.uk.
“As there is an ongoing investigation, law enforcement has advised that it would be inappropriate to make any further comment on this incident,” a spokesperson said.
Ransomware groups will sometimes doctor or forge parts of the negotiations they release, and it was not possible to confirm that these were the last communications between the two parties.
Royal Mail has yet to officially confirm that LockBit breached its cyber defences, encrypted its data and is now holding it ransom.
But its international services were crippled after it was targeted in early January. Royal Mail has been seeking workarounds and customers are now able to send parcels and letters overseas using its website. But Britons remain unable to send packages abroad from Post Offices across the country, while international deliveries may “take slightly longer than usual”, Royal Mail warned online.
The purported hackers are a relatively new, but prolific, player in a criminal syndication model called “Ransomware as a service”, where the hackers share methods and bespoke malware with junior hackers, and step in to help negotiations when they snag a major target.
Royal Mail is the biggest known target of the group, which security researchers predict will be the largest of its kind in the world in 2023. Royal Mail appears to have walked away from the negotiations after receiving a 12.5 per cent discount to the original ransom.
The Royal Mail negotiator asked LockBit to wait for a response from its board around February 3, and then does not appear to have returned to the bargaining table.
“What we can see by these conversations is how prepared LockBit is when it is coming to these negotiations. They know everything about the victim — revenue, size and even relevant regulations in the victim’s country,” said Shmuel Gihon, a security researcher at CyberInt who has followed the group closely.
At one point, the negotiator appears to have asked for help to decrypt a large file, saying it would allow Royal Mail to send out some crucial medical equipment, but was rebuffed by LockBit, who suspected a plan to decrypt crucial files that would allow Royal Mail to restore functionality.
“You’re a very clever negotiator — I appreciate your experience in stalling and bamboozling,” the LockBit negotiator said.