After weeks of negotiations, the LockBit ransomware gang remains empty-handed in its attack on leading UK mail service Royal Mail. After an initial ransom demand of $80M was rebuffed and the two sides failed to agree on an acceptable payment, LockBit is beginning to leak stolen documents, starting with the negotiation conversations.
The whole incident is unusual for a number of reasons. While dumping stolen documents is not an uncommon pressure tactic, it is extremely rare for negotiations over ransom demands to be leaked. The LockBit ransomware gang also did not seem to understand that the international shipping division they hit did not have the funds or authority to pay such a huge ransom demand, and when that finally got through to them, they insisted that the executives personally cover the amount from their own cryptocurrency holdings.
International shipping difficulties for large letters and small packages as weeks of ransom demand negotiations unfolded
The ransomware attack took place in early January, and Royal Mail is still dealing with disruptions to some of its services. Shipping to international destinations has largely been restored, but the company still has issues with large letters and smaller parcels of comparable size that need a customs declaration to ship.
The LockBit ransomware group offered a demonstration of its decryption tool as part of the negotiations, and appears to have linked to stolen data to confirm the breach (though the links to the data no longer work). It also insisted on a ransom demand that was calculated based on the entirety of Royal Mail’s annual revenue, rather than the specific international branch it hit, and would not back down to what the company’s board considered a reasonable amount to settle things.
Strangely, once the LockBit ransomware hackers were convinced that the international shipping division did not have access to the kind of money they were demanding, they insisted that the executives had personal cryptocurrency holdings that could be used to pay the ransom demand instead.
International shipping operations still recovering from LockBit ransomware
While the $80M ransom demand would have been a fraction of International Distributions Services PLC’s overall revenue, as the LockBit ransomware hackers posited, that demand would have been the bulk of the quarterly revenue of some of its international mail subsidiaries. At one point in the negotiations, Royal Mail linked to news articles demonstrating that its fortunes have not been good over the past year.
With the possibility of a payment off the table, all that remains to be seen is exactly what the LockBit ransomware group will leak and when they will leak it. It is unclear if Royal Mail will face regulatory action for the data breach, something that LockBit tried to use as a bargaining chip (to no avail). Having only leaked the negotiations thus far, LockBit has yet to demonstrate that it actually exfiltrated data that is worthy of a ransom demand.