Royal Mail’s ‘cyber incident’ appears to be a ransomware attack

British postal service Royal Mail’s ongoing cybersecurity incident is the result of an attack carried out using ransomware tools from Russia-linked hacking group LockBit, The Telegraph reports. Royal Mail disclosed the incident on Wednesday, saying that it’s unable to send packages internationally.

A ransomware note circulating on Twitter that was apparently sent to Royal Mail says that its data is “stolen and encrypted,” and threatens to publish it online if a ransom isn’t paid. The note namechecks “LockBit Black Ransomware,” which is thought to be LockBit’s latest encryptor. 

BleepingComputer reports that the ransom note contains links to LockBit’s data leak and negotiation Tor sites. But when contacted for comment by the publication, a spokesperson for the hacking group said that it was not behind the attack, and said someone else might be using its tools after they leaked last September. If this were the case, BleepingComputer notes, then Royal Mail would have no way of communicating with the attacker since the note links to LockBit’s sites.

A service update posted on Royal Mail’s website dated January 13th says it still can’t send packages internationally. “Royal Mail is experiencing severe service disruption to our international export services following a cyber incident,” it reads. “We are temporarily unable to despatch items to overseas destinations. We strongly recommend that you temporarily hold any export mail items while we work to resolve the issue.”

The Telegraph reports that the ransomware has infected critical Royal Mail machines used to print customs labels for international shipments. The postal service, which was publicly owned prior to its privatization in 2013, is considered “critical national infrastructure,” according to BBC News.

“Our teams are working around the clock to resolve this disruption and we will update you as soon as we have more information,” Royal Mail’s notice continues. Its investigation is being assisted by GCHQ’s National Cyber Security Centre and the National Crime Agency. Royal Mail did not immediately respond to The Verge’s request for comment.

LockBit is a group widely believed to be based in Russia, The Financial Times reports. It’s been blamed for numerous ransomware attacks including against the Canadian town of St. Marys, Ontario, as well as the car dealership Pendragon and a children’s hospital, according to The Telegraph. The FT notes that the requested ransom for a business like Royal Mail is likely to be in excess of $1 million.