Royal Mail ransom note leaked, LockBit’s role remains uncertain

After having been linked with the “cyber incident” affecting the UK’s Royal Mail Group, the LockBit ransomware operation has denied its members were behind the assumed attack.

Ransom notes began printing at Royal Mail’s sorting office in Mallusk, Northern Ireland, on Thursday evening revealing threats of data leakage if a ransom wasn’t paid, the Belfast Telegraph reported.

Images of the ransom note, which claimed to be authored by the operators of LockBit Black - the gang’s third version of the ransomware (also known as LockBit 3.0) that shares code with Black Matter’s payload - were shared widely throughout the evening.

The note claimed Royal Mail’s data were “stolen and encrypted”, and that it would be published on its deep web-based leak site if the ransom was not paid.

Also included were two URLs that led to online portals through which the hackers could be contacted, and a decryption ID to enter once one of the contact sites were accessed.

The URLs are thought to be the same as those found on the ransom note received by the André Mignot hospital in Versailles last month.

The attack forced patients to be moved and was later attributed to LockBit Black ransomware, however, the decryption IDs were not issued by LockBit itself in this case.

Per a report from Bleeping Computer, which contacted LockBit, the ransomware gang has denied involvement in the attack on the British multinational postal company.

Security researchers have raised questions over the legitimacy of LockBit’s denial.

The builder for LockBit Black was leaked in September by a group which claimed to have hacked LockBit’s servers.

This means that hackers, in theory, don’t need to be official ‘affiliates’ of LockBit’s ransomware as a service (RaaS) programme in order to launch attacks using its software.

However, the contact URLs supplied in the note directed to LockBit’s website and the decryption ID initially worked, but after the ransom note was leaked, researchers have reportedly said the ID is no longer valid.

If the decryption ID did work at some point in time, as one expert confirmed, it could either mean LockBit actually did conduct the attack, or an unaffiliated attacker launched the ransomware while also having privileged access to LockBit’s official website so they could create a negotiation chat portal for Royal Mail.

Asked for confirmation of the leak’s legitimacy, the UK’s National Cyber Security Centre (NCSC) and Royal Mail both told IT Pro that they would not be disclosing any details at the time of writing.

The National Crime Agency (NCA), also involved in the ongoing investigations, did not respond to requests for comment.

What is the “cyber incident” at Royal Mail?

Royal Mail confirmed on Wednesday evening that it was suffering the effects of a “cyber incident” which continues to ‘severely disrupt’ the international shipping branch of its business.

“We are temporarily unable to despatch items to overseas destinations,” read its incident update page. “We strongly recommend that you temporarily hold any export mail items while we work to resolve the issue. Items that have already been despatched may be subject to delays. We would like to sincerely apologise to impacted customers for any disruption this incident is causing.”

Very few details of the incident have been revealed other than that the NCSC and NCA are involved in the investigation, and the Information Commissioner’s Office (ICO) has also been informed.

Royal Mail has never described the incident as an ‘attack’ and all parties involved have yet to confirm that the incident is ransomware in nature.

“We are aware of an incident affecting Royal Mail Group Ltd and are working with the company, alongside the National Crime Agency, to fully understand the impact,” the NCSC said in a brief official statement.

As of Friday, Royal Mail’s overseas shipping processes remain severely disrupted.

IT Pro will continue to report on the story as it develops.