The world’s leading ransomware outfit LockBit has leaked the entire negotiation history between it and Royal Mail International, revealing a ransom demand of $80 million (£65.7 million).
The negotiations were presented as the full live chat between Royal Mail and LockBit. According to message timestamps, negotiations began on 12 January and ended on 9 February.
In a rare release of its kind, the full transcript offered an unusual insight into the process of negotiating with LockBit. It also offers a window into the negotiation tactics of the National Cyber Security Centre (NCSC) and National Crime Agency (NCA), both of which were confirmed to be involved in the investigation.
No actual data has been leaked on LockBit’s blog at the time of writing. However, links to data dumps were included in the chat history, though these appeared to have expired at the time of writing.
LockBit set the ransom at £65.7 million, a sum it calculated to be 0.5% of Royal Mail International’s annual revenue.
The cyber criminal’s negotiator highlighted how this was eight times less than the cost of a regulatory fine in the UK.
Royal Mail International claimed its annual revenue was “800 million” and cited an article from The Times showing how it has been suffering financially recently.
LockBit rejected this assertion, claiming it generated much more. The transcript revealed LockBit confused Royal Mail International with Royal Mail.
This was confirmed after LockBit’s negotiator sent a Wikipedia link to Royal Mail’s page, clarifying where the confusion came from.
From the early days of the negotiations, Royal Mail International tried to get LockBit to prove that its decryptor worked on large files, saying that the organisation’s management was not convinced it would and feared that, if it paid, the decryptor would only handle small files.
The first tactic it attempted was to convince LockBit to decrypt two files that together would amount to a 6GB file size.
Royal Mail International said the two files would allow it to continue shipping urgent medical supplies.
LockBit initially seemed willing to comply, but later messages appeared to show that LockBit realised that by handing over those two files, Royal Mail International would be able to fully recover from the incident without paying for the decryptor.
The ransomware gang’s negotiator then said Royal Mail International could send other large files over to prove the decryptor worked if it wanted.
This was one of the two key stumbling blocks that the postal company said were contributing to the delays in negotiations, which spanned nearly a month.
The other was the starting point - the ransom - which was believed to be far too high.
Royal Mail International said it took the possibility of paying the sum to its board of directors, which branded the ransom “absurd” and that there was no way it would pay that sum.
“Under no circumstances will we pay you the absurd amount of money you have demanded,” its message read.
“We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board.”
In response, LockBit said any counteroffer Royal Mail could make “would be considered”, but that never came.
Its negotiator also expressed how frustrated they were at the stalling tactics from Royal Mail International.
“You are a very clever negotiator, I appreciate your experiencing in stalling and bamboozling, when you are trying to deceive you need to provide evidence for greater credibility, only a fool would believe in the honest word of a lawyer defending his client,” they said.
LockBit later offered a 12.5% discount to the original ransom sum, taking the total to approximately £57.4 million. This discount was made on 1 February.
Royal Mail International said on 3 February that it took the offer to its board of directors for review, asking LockBit to wait for its response.
Three days later, it reiterated that it was still waiting for a response. That was Royal Mail International’s final message in the transcript.
On 9 February, LockBit sent its final message: “Do you have any offer for me”.
It appears Royal Mail International did not pay, or ever seriously consider paying, the ransom set by LockBit.
According to LockBit’s website, the data was originally due to be published earlier on Tuesday. However, the countdown timer reset and LockBit changed the website to read ‘Royal Mail need new negotiator’.
This followed a much earlier deadline set for 9 February, the date we now know the negotiations to have ended. The countdown on LockBit’s website ran down to zero and no data was published.
This was possibly a scare tactic to force Royal Mail International into restarting negotiations.
LockBit has been known for its ‘PR stunts’ in the past, previously claiming attacks on both Mandiant and Thales, neither of which were genuine.
"As there is an ongoing investigation, law enforcement has advised that it would be inappropriate to make any further comment on this incident,” said a Royal Mail spokesperson to IT Pro.
The NCSC declined to comment.
The Royal Mail and LockBit saga
The leaking of Royal Mail’s data follows over a month of negotiations between the hackers and the UK’s postal service.
Royal Mail has remained largely silent on the matter since the news of the attack broke on 12 January, leading many to question the extent to which Royal Mail was disrupted.
Confirming the “cyber incident”, Royal Mail initially said its international shipping operations were severely disrupted.
These have since been restored bar “a small number of international untracked services for business contract customers”.
Royal Mail has never confirmed that the cyber incident it suffered was ransomware in nature, or even an ‘attack’, despite sources speaking to multiple news outlets confirming that to be the case.
The National Cyber Security Centre (NCSC) and National Crime Agency (NCA) both confirmed they were part of the investigation into the attack.
LockBit initially distanced itself from the incident, but later admitted that one of its affiliates carried out the attack.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.