Learning from the Royal Mail ransomware

In Part 1 of this article, we spoke to Deryck Mitchelson, Field CISO at Check Point Software about the lessons that could be learned from the Royal Mail ransomware attack. We identified a handful of potential takeaways from the incident – which is still ongoing.

While we had Deryck in the chair, we asked him about what Royal Mail should do to fix its systems in response to the attack.

DM:

It’s a difficult one, because as we said in Part 1, in organizations like this – critical infrastructure organizations with a long history of public sector operation and some decades of private, profit-making ownership delivering critical infrastructure services – you’ll have a very diverse mix of systems, some of which are legacy, some of which are modern. You’ll want to get them all as modern as possible as fast as possible to avoid falling into the same problems again.

You focus on infrastructure upgrades, system upgrades focused on security, and you try not to hit your bottom line too hard. But as the Royal Mail would find, doing this sort of work will actually help the bottom line. My suspicion, though, is that when these systems are recovered, people will still probably ship things abroad using the Royal Mail. I suspect that, bit by bit, business will drip-feed back and people will continue to use the company. People will have contracts, it’s priced well, and it normally delivers what it says it will, so my suspicion is that it will get over this hump. But hopefully it will nevertheless try and improve the controls it has in place in order to make sure that this can’t happen again.

What actually happened?

THQ:

What do we think actually happened at Royal Mail?

DM:

Well, it seems to be connected back to LockBit 3.0 – we’ve seen a ransom note has been published, and whether it’s LockBit itself or some of the coding from LockBit, I suspect it will have had one of three threat vectors.

The first would be compromised accounts that they’ve got from access brokers on the dark web. Alternatively, it could well be vulnerabilities within remote access – that could be another threat vector for this kind of attack. Or thirdly, it could be things that have just come in through phishing.

THQ:

Phishing. In 2023.

DM:

Yeah. Phishing is still a huge threat vector for ransomware and my suspicions, looking at just about every LockBit attack that’s happened recently, is that it will have been one of these three threat vectors. The thing is, these three vectors are fairly easy to protect against if you’ve got the right controls in place and you’ve got the right investment.

THQ:

Can we infer anything from the attack about the type of attacker behind this ransomware demand?

To pay or not to pay.

DM:

Difficult, because of course, the builder code to conduct Lockbit 3.0 ransomware attacks was leaked back in September, so we have no real way of determining whether it’s a genuine affiliate of the LockBit group, or just a group using the LockBit encryption builder. Maybe NCSC will have more to go on. But it might take a bit of work to then tie down and actually work out which group has actually carried out this attack, given the builder code was leaked.

THQ:

What does the Royal Mail do now? Does it have to pay? Or is there a way around this sort of attack?

DM:

Depends. The advice it will be given will be clearly not to pay. But the internal pressure will be a different thing. How quickly will it be able to resume operations without paying? That will be down to the maturity of its operation and infrastructure. So if it thinks it’s going to be fairly quick to recover, without much data loss, or if it can switch across to disaster recovery and business continuity systems without much loss and have its systems up and running, then I would be suggesting not to pay anything. To be honest, it just feeds the beast anyway.

THQ:

Rewarding bad behavior, and more or less advertising to other groups that there’s a payday to be had?

DM:

To be fair, other groups probably know. I’ve mentioned the complexity of the systems at play in an organization like this, and it might not be as quick to recover as, say, a new disruptive organization in the mail-on-delivery marketplace, that maybe would be able to just switch on another cloud and have services up and running almost immediately.

So I don’t know. I suspect Royal Mail will have an outage for certainly a few days, if not into a few weeks [The attack has lasted for seven days at time of posting, and subsequent to the interview, Royal Mail promised it was addressing the need for ‘workarounds,’ as described by Deryck, to get services up and running again].

The executives will certainly be debating internally as to what they do. But certainly NCSC will be advising them not to pay any ransom. Whether they can ultimately afford to do that while they’re hemorrhaging money from services not delivered is a whole different question, and it’s one only they can answer.

Were you doing enough?

THQ:

In terms of the public perception and the public understanding of things like ransomware, technically, the longer the situation with Royal Mail goes on, the more people learn, which should be a good thing – but then it’s a question of where the blame for the attack is ultimately placed, isn’t it? Certainly, the attackers themselves are chiefly to blame, but could there be a point when the public asks those important questions – why weren’t you doing more to protect your service?

DM:

I would certainly like to see much more being done, because there’s not enough transparency and visibility over attacks like this. I would like to see much more pressure coming from consumer groups and customers, demanding more clarity and information and answers. And right now, I don’t hear a strong voice raised.

Do I still think consumers trust the Royal Mail as a brand? Absolutely. I think when consumers go to these websites, they just expect that these websites are secure, and that their information can’t be compromised, and that the services will be up and running.

I don’t think there’s enough pressure coming externally, to demand to understand what’s happening. There are too many ransomware attacks at the moment, too many things are getting impacted.

The main question I would be asking, coming in as an external adviser into the Royal Mail is “Were you were you doing enough?” Did you know of any weaknesses? For example, your remote access – the VPN that was used by a lot of people working remotely, connecting all those systems – was it patched? Was there definitely no weaknesses there? I would be asking those questions, and a host of other, technical safety questions, because I know security. But the bottom line – the question the public, and consumer groups, and even possibly politicians – can grasp and should be asking comes down to that overarching idea, and it’s an idea that every company and every organization out there should be asking itself, always.

Were you doing enough?