LockBit Claims Responsibility For Royal Mail Attack

The Russia-linked LockBit gang has claimed responsibility for last month’s ransomware attack on Royal Mail and said it would publish stolen data if a ransom was not paid.

The gang claimed the attack in a post on its official forum and threatened to publish “all available data” on 9 February.

LockBit had previously been linked to the attack, which was detected on 10 January, in part because printed ransom notes included links to communication sites operated by the gang.

But LockBit had officially denied involvement in the ransomware incident until now, saying another group had carried out the breach using its LockBit 3.0 malware.

Export services

The gang told Bleeping Computer it had determined the attack was carried out by one of its affiliates.

The attack shut down Royal Mail’s international export services for parcels and letters, causing significant delays.

The firm asked customers to refrain from posting international items while it addressed the issues.

“We’re experiencing disruption to our international export services and are temporarily unable to despatch items to overseas destinations,” the company said on Twitter at the time.

“Please do not post any export items while we work to resolve the issue. Sorry for any disruption this may

We’ve resumed our International Standard & International Economy services for customers buying postage online. We’ve also resumed more International Standard services for business account customers.

For more info and the latest updates visit: https://t.co/5rSNKkEL2Y

— Royal Mail (@RoyalMail) February 3, 2023

Data risk

On Friday Royal Mail said it had resumed its International Standard and International Economy services for customers buying postage online, and had resumed more International Standard services for business account customers.

The company is understood to have developed ad-hoc systems to operate international services, but these remain subject to delays.

Royal Mail chief executive Simon Thompson has previously said the company believed no customer data had been stolen.

However, industry experts say those attacked by LockBit may be unaware of what data has been accessed.

Slow recovery

“When it comes to this particular gang, the threats are rarely empty and LockBit has always stolen more data than the victim actually realises,” said MyCena Security Solutions chief executive Julia O’Toole.

In its most recent update on the attack Royal Mail said it was “exporting an increasing number of items to a growing number of international destinations”.

“We are using alternative solutions and systems, which are not affected by the recent cyber incident and have been successfully despatching parcels and letters which were in our network before the cyber incident and our services which have recently reopened,” the company said.