Fraud Management & Cybercrime , Ransomware

Royal Mail Refused 'Absurd' LockBit Extortion Demand

Hackers Demanded $80 Million in Ransom
Royal Mail Refused 'Absurd' LockBit Extortion Demand

Negotiations between the LockBit ransomware-as-a-service gang and Royal Mail appear to have broken down earlier this month, shortly after a postal representative called the ransomware group's $80 million extortion demand "absurd."

See Also: OnDemand | Hacker’s Guide to Ransomware Mitigation and Recovery

LockBit on Tuesday published a purported set of chat exchanges between itself and a Royal Mail representative that began Jan. 12, a day after Britain's national postal service first warned customers of a digital incident disrupting international export services. The incident was ransomware from LockBit, a fact the gang was at first reluctant to acknowledge but later took credit for in public (see: LockBit Group Goes From Denial to Bargaining Over Royal Mail).

The published logs depict the two sides keeping up a text correspondence that dragged out until earlier this month, ending on a question posed by the LockBit representative: "Do you have any offer for me?" LockBit had threatened to release data stolen during the ransomware attack by Feb. 9, the date of the last chat exchange.

A Royal Mail spokesperson told Information Security Media Group that the investigation into the hack is currently ongoing and that it has been advised by law enforcement agencies to not make "any further comment on this incident."

The ransomware incident incapacitated Royal Mail's international package shipping operation. As of Wednesday, it's still not fully restored. Most online services are back online but Royal Mail is unable to process new packages or large letters requiring a customs declaration from post office branches.

The logs show hackers demanding the company pay 0.5% of its earnings, which it said amounted to $80 million. The Royal Mail representative took issue with that number. "All we have had is losses. Here, you can read about it yourself," the representative wrote, linking to a handful of news article including one from The Guardian reporting that Royal Mail expects fiscal year losses of about 350 million pounds.

The Royal Mail representative also told LockBit that any extortion demand would have to be approved by the board of directors and wrote, "I can't just tell the board to hurry up." From the Royal Mail's perspective, the representative added, the stolen data has already been leaked, irrespective of whether LockBit publishes it.

On Jan. 28, the Royal Mail representative delivered the message that the postal service would not pay the demanded $80 million. "Under no circumstances will we pay you the absurd amount of money you have demanded," the representative wrote. Hackers, the representative insisted, had attacked a small subsidiary of Royal Mail "without the resources you think we have."

A few days later, on Feb. 1, LockBit responded that "out of respect for you, I'm willing to step up and give you a 12.5% discount."

Thereafter, the pace of chats considerably slowed. "My manager told me that he is waiting to hear back from the board. He has promised me I'll get an answer on Monday. I will let you know as soon as I hear anything," the Royal Mail representative texted on Feb. 3.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing fraudtoday.io, you agree to our use of cookies.