Royal Mail Hung Tough in LockBit Ransom Negotiations

Negotiators for the Royal Mail apparently played hardball with LockBit over a ransom demand that the mail service said was too high, prompting the attackers to lower their ask and reset the ransom deadline.

Insights into how ransoms are negotiated are few and far between, but the leaked transcript of the chat logs showed the tactics used on Royal Mail's side of the table, where the UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA) were involved.

“Under no circumstances will we pay you the absurd amount of money you have demanded,” an unidentified Royal Mail negotiator said, according to a Techcrunch report, which showed screenshots of a transcript posted by LockBit. “We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board.”

“Presuming the logs are authentic, it’s a fascinating set of insights into the processes and personalities involved in ransomware for those who’ve not seen it before,” said Casey Ellis, founder and CTO at Bugcrowd.

“The fact that these cybercriminal gangs operate using business models borrowed from the legitimate business world shows how sophisticated they’ve become,” said Mike Parkin, senior technical engineer at Vulcan Cyber.

“It’s easy to forget that while cybercrime and ransomware operators present to most as shadowy, opaque entities out on the internet, they are comprised of and run by people—they include familiar functions like customer support and accounts receivable,” said Ellis. “These functions are vulnerable to the same kinds of manipulation that cybercriminals perpetrate on their victims.”

The January attack compromised Royal Mail’s ability to deliver some items internationally and came with a hefty ransom demand of around $80 million, a figure the attackers said was 0.5% of Royal Mail’s annual revenue. After the mail service spurned the initial demand, the miscreants lowered the ransom to about $70 million.

“It’s fascinating to see the inner workings of a negotiation like this, and the tactics used by both sides,” agreed Parkin.

Although much of the disruption has been resolved, Royal Mail is still suffering the effects of the attack.

“International services have been reinstated to all destinations for purchase online and through our shipping solutions with the exception of a small number of International Untracked services for Business Contract customers where alternative services are available,” the mail service said in a February 17, 2023 alert.

“Delivery of International items may take slightly longer than usual. Customers using International Tracked/International Tracked and Signed services may notice different tracking information as items leave the UK,” according to the update. “We are seeing some delays to some tracking events in a small number of destinations. As we continue to work with our partners to resolve this, if you cannot see tracking information for your items then it is likely to be available on the overseas’ posts own tracking websites. Please see here for more information.”

Royal Mail said it is not able “to process new Royal Mail parcels and large letters requiring a customs declaration purchased through post office branches” but is working “to resume more services through Post Office branches and will provide further updates on these as soon as possible.”

While the LockBit cybercriminals likely published their negotiation logs with Royal Mail as a tactic to publicly pressure the postal service into paying the ransom, the leak also cuts the other way. “This disclosure provides a clear example of how reliant threat actors are on companies caving to their demands,” said Darren Guccione, CEO and cofounder at Keeper Security.

When organizations fall victim to a ransomware attack, they face “a seemingly impossible decision to either pay a criminal organization or lose their data,” said Guccione.

“Royal Mail took a unique stance by pointing out that LockBit confused them with their parent company and the requested ransom would be impossible for them to pay,” he said. “While LockBit still controls Royal Mail’s data, Royal Mail’s refusal to pay the current ransom and the passage of time has taken power away from the LockBit threat actors who are being forced into making the next move, potentially against their own interests.”

Governments around the world advise against paying ransoms for a number of reasons, chief among them that payment encourages the attackers to strike again and encourages others to enter the field. “If Royal Mail had paid LockBit’s ransom, it’s likely that another group could hit them again, knowing that they’re willing to comply,” said Guccione. “It’s also important to note that in many cases, the payment of a ransom doesn’t guarantee the cybercriminal will decrypt a victim’s files or reinstate access to their systems. They are criminals and, as such, they cannot be trusted.”

Image Source: Photo by Brett Jordan on Unsplash

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.