Royal Mail appears to call LockBit’s ransomware bluff – loses gigabytes of data

Data loss to ransomware - the new cost of doing business?
24 February 2023

The backlog from the Royal Mail ransomware attack is being cleared.

On January 10th, 2023, the UK’s Royal Mail became the first major player to be hit by a ransomware demand this year.

The attack – by the LockBit Group, one of the most notorious collectives of cybercriminals in the world, using what some analysts regard as the most effective tool currently available for ransomware – crippled Royal Mail’s ability to send or receive parcels to and from anywhere outside the UK for six weeks, until, on February 23rd, the company announced it was safely processing international parcels again.

“Administrative business data.”

But as far as the world is aware, Royal Mail paid no ransom demand to the group (at least, the company has declined to confirm or deny that it has), instead progressively stalling for time until the group eventually released the company’s data online and denied it the decryptor that could have allowed Royal Mail (at least potentially, and assuming such a thing as “goodwill” exists in cybercriminal collectives) to keep hold of its data.

44GB of information taken from Royal Mail’s systems was released – and the exact nature of the data is currently shrouded in a veil of vagueness that could be intended to minimize the consequences of the company’s strategy, or which could, equally likely, be just as insignificant as the company says it is.

Right now, according to Royal Mail, the data-dump is relatively insignificant – at least commercially speaking. “At this stage of the investigation, we believe that the vast majority of this data is made up of technical program files and administrative business data. All of the evidence suggests that this data contains no financial information or other sensitive customer information. We continue to work closely with law enforcement agencies,” the company said.

Other observers have noted that the dumped files appear to include staff medical statuses and the disciplinary details of individual staff who no longer work for the company. It is coldly arguable that Royal Mail therefore bears no responsibility for that data, though the individuals concerned, as part of the company’s historic workforce, might view the situation very differently.

It’s important to acknowledge that the company appears to have weighed the value of the data the criminals had encrypted and ultimately, after much discussion, decided it was not worth rewarding the attackers’ criminal behavior to recover it. Whether that would have remained a viable stance had the encrypted data been central to the existence of Royal Mail’s business remains a question for cybersecurity theorists.

All of the data?

It is also possible, until it is denied, that Royal Mail paid some undisclosed amount of money to the hackers to lower the volume or sensitivity of the data that was released. But the LockBit Group itself released what it says are the full transcripts of its ransom communication with Royal Mail, and they do not appear to lead to the conclusion that the company paid anything. Indeed, the transcript records Royal Mail refusing to pay what it called an “absurd” ransom for its data. Right now, it’s only Royal Mail’s refusal to say outright that it paid nothing that casts any doubt on the question. Presumably, the truth will need to come out in time, when Royal Mail’s shareholders take a look at the company’s performance over the financial year.

A complex institution.

While the company lost six weeks of potential income from the cyberattack, part of what saved it from more critical calculations of damage is the labyrinthine nature of the business’ make-up – and the degrees of data segregation entailed by that make-up.

For the first 499 years of its existence, the Royal Mail was a state-owned part of the national infrastructure. But beginning in 2011 and ending in 2015, it was privatized, since which time it has remained a crucial part of the national infrastructure of the country, but has operated as a commercial entity, with various parts of its functional profile sectioned off to act quasi-autonomously.

If that makes no sense to you, it’s probably not worth worrying about – it made no sense to the LockBit Group either, which, in its initial ransom demand, quoted $80 million as 0.5% of Royal Mail’s overall global annual turnover. As the company’s negotiator is shown explaining to the group in the released transcripts, the attack was only on Royal Mail International, the sub-division of the company that handles overseas parcel shipping and handling. The company also has a separate parcel-handling division, known as ParcelForce, which was apparently unaffected by the cyberattack. And the part of the company that everybody thinks is Royal Mail – the buildings with counters where you hand over letters and parcels? That’s not Royal Mail either – that’s the Post Office, technically another sub-division of the whole.

That division of Royal Mail into sub-specialities, each with its own systems, not only resulted in the LockBit Group halving its ransom demand to $40 million, but also probably saved Royal Mail from significantly more devastating damage: the International systems would usually be segregated from the systems of the “main” body of the company, which makes lateral movement from one part of the business to another much more difficult than it would be in a more centralized company.

Who won?

As yet, the jury on the case is out. Some observers see it as a masterful deployment of negotiation and stalling tactics by Royal Mail when confronted with an “absurd” ransom demand. Others point out that the ransomware group followed through on its threat to dump the encrypted data, essentially flinging it to the dogs of the dark web, and that only the technically non-business-critical nature of that data stops this being a disaster, at least for Royal Mail International.

Which viewpoint ultimately wins out will likely depend on a) whether the dumped data represents all the data that was encrypted, b) whether, if not, there was any payment made to rescue more business-critical data, and c) what, if anything, happens next.

But either way, it’s important to understand that Royal Mail International was unable to fulfil its core function for six weeks while negotiations went on. As part of a company that forms part of the critical infrastructure of a country, it had the luxury of being able to do that. Whether smaller businesses would ever have the same luxury remains highly doubtful.