Royal Mail Refused ‘Absurd’ LockBit Extortion Demand

Negotiations between the LockBit ransomware-as-a-service gang and Royal Mail appear to have broken down earlier this month, shortly after a postal representative called the ransomware group’s $80 million extortion demand “absurd.”

See Also: Live Webinar | Navigating the Difficulties of Patching OT

LockBit on Tuesday published a purported set of chat exchanges between itself and a Royal Mail representative that began Jan. 12, a day after Britain’s national postal service first warned customers of a digital incident disrupting international export services. The incident was ransomware from LockBit, a fact the gang was at first reluctant to acknowledge but later took credit for in public (see: LockBit Group Goes From Denial to Bargaining Over Royal Mail).

The published logs depict the two sides keeping up a text correspondence that dragged out until earlier this month, ending on a question posed by the LockBit representative: “Do you have any offer for me?” LockBit had threatened to release data stolen during the ransomware attack by Feb. 9, the date of the last chat exchange.

A Royal Mail spokesperson told Information Security Media Group that the investigation into the hack is currently ongoing and that it has been advised by law enforcement agencies to not make “any further comment on this incident.”

The ransomware incident incapacitated Royal Mail’s international package shipping operation. As of Wednesday, it’s still not fully restored. Most online services are back online but Royal Mail is unable to process new packages or large letters requiring a customs declaration from post office branches.

The logs show hackers demanding the company pay 0.5% of its earnings, which it said amounted to $80 million. The Royal Mail representative took issue with that number. “All we have had is losses. Here, you can read about it yourself,” the representative wrote, linking to a handful of news article including one from The Guardian reporting that Royal Mail expects fiscal year losses of about 350 million pounds.

The Royal Mail representative also told LockBit that any extortion demand would have to be approved by the board of directors and wrote, “I can’t just tell the board to hurry up.” From the Royal Mail’s perspective, the representative added, the stolen data has already been leaked, irrespective of whether LockBit publishes it.

On Jan. 28, the Royal Mail representative delivered the message that the postal service would not pay the demanded $80 million. “Under no circumstances will we pay you the absurd amount of money you have demanded,” the representative wrote. Hackers, the representative insisted, had attacked a small subsidiary of Royal Mail “without the resources you think we have.”

A few days later, on Feb. 1, LockBit responded that “out of respect for you, I’m willing to step up and give you a 12.5% discount.”

Thereafter, the pace of chats considerably slowed. “My manager told me that he is waiting to hear back from the board. He has promised me I’ll get an answer on Monday. I will let you know as soon as I hear anything,” the Royal Mail representative texted on Feb. 3.