LockBit and Royal Mail Ransomware Negotiation Leaked

The LockBit ransomware group has published a log of conversations between its operators and a Royal Mail negotiator showing the group demanded £65.7m ($79.85m) to safely return the company's stolen data following a January cyber-attack.

Hours after the incident, it was reported that the LockBit gang claimed responsibility for the attack, which disrupted Royal Mail operations for several days.

Fast forward to yesterday, when the hacking group leaked the whole conversation between its operators and a Royal Mail negotiator, which, according to ITPro, lasted almost three weeks.

"When LockBit moves to publish the negotiation conversation, it usually happens after the fact, when they have written off any chance of getting paid, to serve as a deterrent to future victims," explained Tim Mitchell, security researcher and LockBit thematic lead at Secureworks.

"The message being: if you don't pay, we can publish files and share this data too. But such a tactic can also leave the door open for further negotiations."

Case in point, the transcript of the negotiations shows the threat actor trying to convince Royal Mail to pay the ransom using various techniques. The first was to show that the decryptor for the stolen files worked; the second was to reduce the ransom amount to roughly £57.4m ($69.76m).

"There are still questions over what, if any, data LockBit has taken," Mitchell told Infosecurity in an email. "It seems the negotiator from Royal Mail was trying to establish this as well, playing for time with a formulaic approach to answers that didn't indicate an intention to pay at any point."

Royal Mail did not pay the ransom in the end, with the final deadline from the threat actor being February 09. Despite this, at the time of writing, LockBit has not publicly released the allegedly stolen data.

"Presuming the logs are authentic, it's a fascinating set of insights into the process and personalities involved in ransomware for those who've not seen it before," said Casey Ellis, founder and CTO at Bugcrowd.

"It's easy to forget that while cybercrime and ransomware operators present to most as shadowy, opaque entities out on the internet, they are composed of and run by people, including far more familiar functions like customer support and accounts receivable."

According to Mike Parkin, senior technical engineer at Vulcan Cyber, cybersecurity professionals can reduce the risk from attacks like this, but they need to cooperate with the international law enforcement community to do so.

"The fact that these cyber-criminal gangs operate using business models borrowed from the legitimate business world shows how sophisticated they've become," Parkin told Infosecurity in an email.

"The challenge for law enforcement is dealing with gangs sponsored at the State level by nations that have no interest in cooperating with the rest of the world."

Beyond the Royal Mail attack, LockBit was also in the news last month for apologizing to a children's hospital and providing it with a free decryption key after a December 2022 attack.
