Royal Mail ransomware attackers threaten to publish stolen data


Royal Mail has been hit by a ransomware attack by a criminal group, which has threatened to publish the stolen information online.

The postal service has received a ransom note purporting to be from LockBit, a hacker group widely thought to have close links to Russia.

Royal Mail revealed that it had been hit by a “cyber incident” on Wednesday, and said it was unable to send parcels or letters abroad. The company asked customers to refrain from submitting new items for international delivery, although domestic services and imports were unaffected.

Ransomware attackers exploit gaps in organisations’ security to install their own software and encrypt files so they are unusable. They then ask for a ransom, often in cryptocurrency, which can be harder to trace because it is not reliant on the banking system.

Printers at a Royal Mail distribution site near Belfast in Northern Ireland started printing ransom notes, according to the Telegraph. The note said: “Lockbit Black Ransomware. Your data are stolen and encrypted.”

Online security researchers posted photographs purporting to show the ransom note on social media.

Royal Mail has reported the incident to the UK’s government-run National Cyber Security Centre, the National Crime Agency and the Information Commissioner’s Office. It has not publicly revealed any details regarding the nature of the incident.

Organisations that have been hit by ransomware range from the National Health Service to businesses of almost every size. The Guardian was hit by a ransomware attack last month.

Andrew Brandt, a principal researcher at Sophos, a cyber security company, said the LockBit ransomware software is thought to have been developed by criminals mainly from Russia and other former Soviet republics. The group gives criminal affiliates access to the software in exchange for a cut of any ransoms.

Ransom demands against organisations listed on a publicly available website ranged from around $200,000 (£165,000) to almost $1.5m, Brandt said.

“Something Royal Mail is going to have to consider is whether or not they are going to pay a ransom,” Brandt said. “I’m a bit of a purist and [say] they should never pay these people anything.”

However, it can be a “delicate balance” for organisations depending on the severity of the attack and what data has been taken, he said.

Royal Mail has not indicated when it expects to be able to resume international deliveries. The company has already been heavily affected by workers’ recent strike action, and a new ballot is planned this month to approve further industrial action in the dispute over pay and changes to working conditions.

Smaller exporting companies are thought to be the most affected by the delays. Tina McKenzie, policy chair of the Federation of Small Businesses, said companies had already been through “a tumultuous Christmas period after postal strikes, and this latest cyber incident is the last thing they need”.

It is “an already challenging time” for smaller exporters, she said. “In the context of global supply chain disruption, rising shipping costs and more paperwork, this creates a very worrying picture.”
