Posted on February 15, 2023 at 8:47 PM
Royal Mail rejects a £65M ransom ultimatum by the Lockbit hacking group
Royal Mail has refused to pay an absurd ransom demand from a Russian cybercriminal group. Several online chats between the company and the threat actors show that the directors turned down an ultimatum issued by the Lockbit ransomware group following an attack on the company.
Royal Mail turns down £65M ransom demand
According to the chats, the company's directors did not agree to the ultimatum given by the Lockbit ransomware group. The threat actor group had demanded the ransom after gaining unauthorized access to the Royal Mail software and blocking international mail shipments.
The ransomware group shared information on the dark web about the breach it had conducted. The online criminals involved in this breach attempted to use European Union laws to launch malicious campaigns against the company and strong-arm it into giving 0.5% of its sales to the ransomware hackers.
The Lockbit hacking group targeted Royal Mail in January. The threat actor used the Black ransomware tool to target the organization. The attack disrupted overseas parcel deliveries. The hackers also managed to lock the crucial printers that were needed to create customs labels.
Ransomware attacks have been rampant in recent years. These attacks use malicious software that encrypts the files on the victim’s computers. The criminals who launch these attacks then demand a ransom from the victim. In most cases, the ransom is paid in cryptocurrency.
A spokesperson from Royal Mail said that there would be an ongoing investigation into this breach and that law enforcement authorities had advised the company against sharing any more information about the matter with the public.
An obtained transcript of an online chat between the Lockbit threat actors and the person negotiating the ransom on behalf of Royal Mail revealed how much the hackers wanted the company to pay to decrypt the postal operator's files. The hackers demanded £66M from the postal operator, which is equivalent to $80M. However, this amount was immediately rejected by Royal Mail.
The transcript of the chat included the Lockbit hackers saying, “$80M is 0.5pc of your revenue, $640M is 4pc of your revenue. We are asking 8 times less than your state. In addition to this price you get a decrypt of your data.” However, the negotiator speaking on behalf of Royal Mail responded to the demand by saying that the government was already aware of the matter and that, if the government were to fine the operator, it would do so whether or not the ransom was paid.
One of the hackers in the ransomware group attempted to blackmail Royal Mail into paying this ransom. The criminal threatened to inform authorities about the breach, urging the postal operator to agree to the ransom demand because it was less than the 4% fine that could be imposed by the government.
The General Data Protection Regulation (GDPR) of the European Union demands that companies pay 4% of their yearly revenues if a breach of the company leads to the theft of personal information by the threat actors.
The GDPR law was retained in the UK despite the country leaving the European Union in early 2022 following Brexit. The Russian threat actor group released its chat data with the postal operator on the dark web, saying that the company needed to employ a new negotiator.
Threat analysts raise issues with negotiation strategy
Brett Callow, a threat analyst working with the anti-ransomware company Emsisoft, commented on the terms of this negotiation, saying that in such instances the victims enter negotiations almost immediately despite a lack of clarity about whether the ransom will be paid. Callow said that companies usually stall to ensure the information is not released to the public while they explore options for recovery.
The threat analyst also said that the hackers were employing an odd strategy. According to him, hackers usually make the victims believe that the details of the negotiations will be kept private.
The Lockbit hacking group was linked to the attack on Royal Mail last month. The attackers usually converse in Russian and do not target companies based in Russia. However, the Russia-linked group has been actively targeting organizations in Western countries.
Advanced hacking groups, including Lockbit, also access sensitive information from victims so that they can demand an increased ransom in return for a guarantee that the data will not be released online. The stolen data can include names, home addresses, financial data and digital copies of passports.