LockBit and Royal Mail Ransom Negotiation Transcript Released
After more than three weeks of negotiations between LockBit and Royal Mail, the ransomware gang has published the complete negotiation transcript.
The attack was first detected on January 10. The company tweeted:
"We're experiencing disruption to our international export services and are temporarily unable to despatch items to overseas destinations,"
"Please do not post any export items while we work to resolve the issue. Sorry for any disruption this may cause."
Based on the timestamps of the messages, it appears that the negotiations started on 12 January and ended on 9 February.
Details of the Leaked Chat
LockBit demanded a ransom payment of $80 million (£65.7 million), which it claimed was just 0.5% of Royal Mail International’s annual revenue. They also highlighted how this was eight times less than the cost of a regulatory fine in the UK.
According to the leaked chats, Royal Mails’ negotiator said:
“Under no circumstances will we pay you the absurd amount of money you have demanded,”
“This is an amount that could never be taken seriously by our board.”
“All we have had is losses . . . there are several articles on Google about our financial situation and how bad it is currently.”
Early on in the negotiations, Royal Mail tried to get LockBit to prove that its decryptor would work on large files, saying that their management was not convinced it would. They attempted to convince LockBit to decrypt two files that amounted to a 6GB file size, and claimed these files would allow them to continue shipping urgent medical supplies.
Although LockBit seemed willing to comply with this initially, the chat showed that if LockBit were to hand over the files, Royal Mail would have been able to fully recover from the incident without paying for the decryptor. The ransomware gang said Royal Mail could send them large files to prove the decryptor worked.
LockBit did apparently reduce the ransom amount to £57.4 million – a 12.5% discount on the original sum, on 1 February.
On February 3, Royal Mail said that the offer was taken to the board of directors to review, and three days later they reiterated they were still waiting for a response. That was the final message from Royal Mail in the transcript.
LockBit sent its final message on 9 February “Do you have any offer for me”.
LockBit claimed if the ransom was not paid, the data would be released on February 9, however, the countdown timer on LockBit’s website ran down to zero and no data was published. The countdown timer has now reset, and the website reads ‘Royal Mail need a new negotiator’.
“International services have been reinstated to all destinations for purchase online and through our shipping solutions with the exception of a small number of International Untracked services for Business Contract customers where alternative services are available.”
“At this time, we are unable to process new Royal Mail parcels and large letters requiring a customs declaration purchased through Post Office branches. We are working hard to resume more services through Post Office branches and will provide further updates on these as soon as possible.”
Royal Mail has not yet officially confirmed that LockBit is holding its data ransom.
"As there is an ongoing investigation, law enforcement has advised that it would be inappropriate to make any further comment on this incident,” said a Royal Mail spokesperson to IT Pro.
The U.K.’s National Cyber Security Centre (NCSC) advise that “organisations should not pay ransom demands. They state this does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.”
Advice From Our Experts
Cyber Security and Incident Response Consultant, Nick Ilsley, gives us some insight into the rise of ransomware attacks.
Ransomware attacks have become increasingly prevalent in recent years, with numerous high-profile incidents such as Royal Mail and The Guardian making headlines here in the UK, and unfortunately, this trend is set to continue. There are a number of reasons as to why these attacks are becoming more frequent, one of which is down to the fact that they have been proven to be a highly effective way for cybercriminals to make money.
As more businesses move their data and operations online, there are more potential targets for cybercriminals to exploit. Sadly, ransomware attacks are likely to continue to become more frequent in the years to come, as the value of data continues to increase, the potential payout for cybercriminals grows.
While paying the ransom may seem like the fastest solution to regain access to your encrypted data, here at 3B Data Security, we recommend against this approach. There is no guarantee of a successful outcome, and paying the ransom could put you at higher risk of future cyber attacks. Businesses need to take the threat of ransomware attacks seriously and implement proactive measures to protect their systems.
Here are a few steps businesses can take to protect against ransomware attacks:
Regularly backup data – This will allow you to recover from a ransomware attack without having to pay the ransom. It’s important to make sure that your backups are kept offsite in a secure location, away from your main network.
Implement security tooling – Having the right security tools in place such as firewalls, antivirus software and intrusion detection systems can help to stop ransomware attacks before they even happen.
Educate employees – Your employees are often the weakest link in your security chain, so it’s important you provide sufficient training to help them identify and avoid malicious threats.
Plan for incidents – Develop an incident response plan that outlines what steps you should take in event of a ransomware attack. Having a plan in place will allow you to respond quickly and effectively, which will help to minimise damage to your business.
Here at 3B Data Security, we have worked with many businesses that have unfortunately fallen victim to ransomware attacks. We have a vast amount of experience in dealing with these types of incidents and can quickly respond and support organisations throughout the entire process.
With our support and guidance, we can effectively investigate the incident and determine how the attackers have been able to exploit your environment. With this knowledge, we can then advise you on proactive measures to put in place to prevent an incident like this from occurring again.
Get in touch with our team today to find out how we can help your organisation prevent and manage a cyber incident.