Royal Mail's Attackers Linked to Russia-Backed LockBit

Written by

The infamous Russia-backed LockBit ransomware group has been identified as potential culprits behind the recent cyber-incident involving the UK's postal service.

On January 11, 2023, while Royal Mail’s international deliveries were severely disrupted because of a “cyber-incident,” printers at a distribution site of the UK’s postal service in Belfast, Northern Ireland, started printing ransom notes.

The note, first reported by The Telegraph, was headlined “Lockbit Black Ransomware. Your data are stolen and encrypted”.

LockBit is a prolific Russia-backed ransomware group that was recently in the spotlight for hacking Toronto’s Hospital for Sick Children (SickKids) in December 2022 before apologizing and handing back the decryptor, key free of charge.

Black Encryptor, Part of LockBit 3.0

The LockBit ‘Black’ ransomware is the latest version of the threat actor’s encryptor, launched in June 2022 and including code used by the defunct Black Matter ransomware group, Rik Ferguson, security researcher and VP of security intelligence at Forescout, noted on Twitter.

The Black encryptor is part of LockBit 3.0, the third version of the group’s project.

“One main thing that differs from the 2.0 [version of LockBit] is that the group has come up with another way to pressure and extort its victims. Until now, they were given a well-defined period of time to pay the requested ransom. However, in project 3.0, the collective seems to have included new possibilities for negotiations; Indeed, by paying a specific fee is now possible to extend the timer by 24 hours, destroy all data from the website, or download all data right away,” cybersecurity firm DuskRise explained on its threat intelligence blog.

Evidence of A LockBit Link

"Sources say that the notorious LockBit gang was behind the attack - this doesn’t come as a surprise to us as our annual 2022 data found that publicly disclosed attacks by this group increased a massive 600% over 2021,” Darren Williams, founder and CEO of Blackfog, told Infosecurity.

The ransom note printed at the Royal Mail site in Belfast also contained multiple links to the LockBit ransomware operation's Tor data leak sites and negotiation sites, including a 'Decryption ID' required to log in to chat with the threat actors.

“The image that has been shared online looks real enough. It is a match for previous LockBit ransom notes and fits their known modus operandi since at least 2021,” Ferguson told Infosecurity.

However, at the time of writing, neither LockBit nor Royal Mail have yet confirmed the attribution of the attack.

Royal Mail’s international deliveries are still on hold, and the postal service has not indicated when they expect them to resume.

Royal Mail has reported the incident to the UK’s government-run National Cyber Security Centre (NCSC), the National Crime Agency and the Information Commissioner’s Office. However, it has not publicly revealed any details regarding the nature of the incident.

Scope of Impact

“While we wait to see the fallout from this incident, there is little doubt that the ransom demand will be in the millions and that the data exfiltrated in the attack will find its way to the Dark Web if a ransom isn’t paid,” Williams said.

Tim Mitchell, senior security researcher at Secureworks’ Counter Threat Unit argued that “the scale of the impact of the incident will very much depend on the particular affiliate involved.”

“The core individuals behind LockBit ransomware run arguably the most prolific ransomware-as-a-service scheme, so it’s no wonder it accounted for nearly a third of named victims across all ransomware leak sites in 2022. Until we know the details of this incident, we won’t know for sure how impactful this will be long term on Royal Mail,” he said.

Image credit: Jarek Kilian / Shutterstock.com

What’s hot on Infosecurity Magazine?