Related Articles
LockBit has leaked the transcript of its negotiations with Royal Mail, revealing a ransom demand of over A$114 million.
The chat log was leaked only days after the latest payment deadline of February 14. Whilst Royal Mail didn’t pay, the attackers are yet to post the alleged stolen data.
The negotiation transcript began on the day of the attack, January 12, and ended on February 9, the original payment deadline according to ITPro.
The log offers a rare look at the negotiation tactics of both cybercriminal organisations and cyber defenders, in this case, the National Cyber Security Centre and the National Crime Agency.
According to the transcript, LockBit confused Royal Mail and Royal Mail international, claiming that the fee of A$114.5 million (£65.7 million) made up only 0.5 per cent of the latter’s annual revenue. It also pointed out that this payment would cost less than the 4 per cent fine it would receive from the Information Commissioner’s Office if the data became public.
Royal Mail responded saying that it was actually the smaller British subsidiary of Royal Mail International, its annual revenue was only £800 million, and that financial issues were affecting the institution of late, linking an article from The Times as proof.
Lockbit initially refuted these claims, to which the Royal Mail responded saying that it would never pay the “absurd” ransomware demand.
“Under no circumstances will we pay you the absurd amount of money you have demanded,” said the Royal Mail in the transcript.
“We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us.
“This is an amount that could never be taken seriously by our board.”
LockBit invited Royal Mail to provide counter offers, invitations which were ignored by the British institution.
On February 1, Lockbit lowered its demand to roughly A$100 million (£57.4 million). Two days later on February 3, Royal Mail negotiators took the new demand to its board, leaving LockBit to wait for a response.
#Lockbit and #RoyalMail chat leaked#Ransomware #CyberCrime #Negotiations #Cyber #CyberSecrity #InfoSec pic.twitter.com/z4K7iNoUmN
— mRr3b00t (@UK_Daniel_Card) February 14, 2023
On February 6, the Royal Mail sent its last message, saying it was still awaiting a response.
Lockbit extended the deadline to February 14, in an effort to restart negotiations, however Royal Mail ignored this.
The chat log, if indeed real, suggests that Royal Mail never intended to pay ransom.
“You are a very clever negotiator, I appreciate your experiencing in stalling and bamboozling, when you are trying to deceive you need to provide evidence for greater credibility, only a fool would believe in the honest word of a lawyer defending his client,” said LockBit during negotiations.
This is a move that has been supported by government institutions worldwide, such as the FBI, the U.K.’s National Cyber Security Centre.
Australia’s own government has also taken a stance against paying ransomware payments, with Minister for home affairs and cybersecurity Claire O’Neil saying that the government is considering outlawing paying hackers demands.
LockBit has said that the data it stole from Royal Mail has now been posted to its dark web site, although it is not yet available to view, suggesting that the group had no stolen data to leak in the first place.
The hacking group has held institutions for ransom in the past without having actually stolen data, such as with Thales and Mandiant.
someone seems to not be getting paid… #LockBit
I would be AMAZED if RM would ever have considered paying them.It bears a CROWN…. It’s called #ROYAL mail, I can’t imagine culturally as an organization paying criminals would have gone far..
It’s not nice they were a victim pic.twitter.com/nEtEohJRJt
— mRr3b00t (@UK_Daniel_Card) February 14, 2023
Despite the deadline having been passed, Royal Mail is not out of trouble yet, with the British postal service still experiencing service disruptions over a month after the attack.
In a press release updated on February 15, the organization said that it had made progress in restoring its services, but that in certain areas, customers should expect delays.
Daniel Croft
Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
