IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Royal Mail ransom note leaked, LockBit’s role remains uncertain

The prolific ransomware operation has denied involvement but researchers remain sceptical

After having been linked with the “cyber incident” affecting the UK’s Royal Mail Group, the LockBit ransomware operation has denied its members were behind the assumed attack.

Ransom notes began printing at Royal Mail’s sorting office in Mallusk, Northern Ireland, on Thursday evening revealing threats of data leakage if a ransom wasn’t paid, the Belfast Telegraph reported.

Images of the ransom note, which claimed to be authored by the operators of LockBit Black - the gang’s third version of the ransomware (also known as LockBit 3.0) that shares code with Black Matter’s payload - were shared widely throughout the evening.

The note claimed Royal Mail’s data were “stolen and encrypted”, and that it would be published on its deep web-based leak site if the ransom was not paid. 

Also included were two URLs that led to online portals through which the hackers could be contacted, and a decryption ID to enter once one of the contact sites were accessed.

The URLs are thought to be the same as those found on the ransom note received by the André Mignot hospital in Versailles last month.

The attack forced patients to be moved and was later attributed to LockBit Black ransomware, however, the decryption IDs were not issued by LockBit itself in this case.

Per a report from Bleeping Computer, which contacted LockBit, the ransomware gang has denied involvement in the attack on the British multinational postal company.

Related Resource

Automate security intelligence with IBM Security QRadar SIEM

Simplify and improve threat detection, investigation and response with reducing overheads

Whitepaper cover with title, logo on black header banner, and bar graphsFree Download

Security researchers have raised questions over the legitimacy of LockBit’s denial. 

The builder for LockBit Black was leaked in September by a group which claimed to have hacked LockBit’s servers.

This means that hackers, in theory, don’t need to be official ‘affiliates’ of LockBit’s ransomware as a service (RaaS) programme in order to launch attacks using its software.

However, the contact URLs supplied in the note directed to LockBit’s website and the decryption ID initially worked, but after the ransom note was leaked, researchers have reportedly said the ID is no longer valid.

If the decryption ID did work at some point in time, as one expert confirmed, it could either mean LockBit actually did conduct the attack, or an unaffiliated attacker launched the ransomware while also having privileged access to LockBit’s official website so they could create a negotiation chat portal for Royal Mail.

Asked for confirmation of the leak’s legitimacy, the UK’s National Cyber Security Centre (NCSC) and Royal Mail both told IT Pro that they would not be disclosing any details at the time of writing.

The National Crime Agency (NCA), also involved in the ongoing investigations, did not respond to requests for comment.

What is the “cyber incident” at Royal Mail?

Royal Mail confirmed on Wednesday evening that it was suffering the effects of a “cyber incident” which continues to ‘severely disrupt’ the international shipping branch of its business.

“We are temporarily unable to despatch items to overseas destinations,” read its incident update page. “We strongly recommend that you temporarily hold any export mail items while we work to resolve the issue. Items that have already been despatched may be subject to delays. We would like to sincerely apologise to impacted customers for any disruption this incident is causing.”

Very few details of the incident have been revealed other than that the NCSC and NCA are involved in the investigation, and the Information Commissioner’s Office (ICO) has also been informed.

Royal Mail has never described the incident as an ‘attack’ and all parties involved have yet to confirm that the incident is ransomware in nature.

“We are aware of an incident affecting Royal Mail Group Ltd and are working with the company, alongside the National Crime Agency, to fully understand the impact,” the NCSC said in a brief official statement.

As of Friday, Royal Mail’s overseas shipping processes remain severely disrupted.

IT Pro will continue to report on the story as it develops.

Featured Resources

What 2023 will mean for the industry

What do most IT decision makers really think will be the important trends and challenges in the coming year?

Free Download

2022 Magic quadrant for Security Information and Event Management (SIEM)

SIEM is evolving into a security platform with multiple features and deployment models

Free Download

IDC MarketScape: Worldwide unified endpoint management services

2022 vendor assessment

Free Download

Magic quadrant for application performance monitoring and observability

Enabling continuous updating of diverse & dynamic application environments

View Now

Recommended

Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022

Most Popular

Dutch hacker steals data from virtually entire population of Austria
data breaches

Dutch hacker steals data from virtually entire population of Austria

26 Jan 2023
GTA V vulnerability exposes PC users to partial remote code execution attacks
vulnerability

GTA V vulnerability exposes PC users to partial remote code execution attacks

23 Jan 2023
European partners expect growth this year, here are three ways they will achieve it
Sponsored

European partners expect growth this year, here are three ways they will achieve it

17 Jan 2023