LockBit leaks more Royal Mail data after ransomware attack

The UK’s Royal Mail has announced that its international dispatch service is back up and running after two months of disruption following an attack by ransomware gang LockBit. The cybercriminals today released fresh data purportedly belonging to Royal Mail, which Tech Monitor understands to be genuine.

These actions appear to be a bid to pressure the organisation into paying the ransom, something that the Royal Mail has so far refused to do.

International deliveries resume after Royal Mail cyberattack

The international dispatch service provided by the Royal Mail is back in operation, following its temporary halt due to LockBit’s ransomware attack last month. 

“Royal Mail International Export services have now been reinstated to all destinations for purchases online, through shipping solutions and over the counter at Post Office branches,” says a service update released today. “We would like to apologise to impacted customers for the disruption this incident is causing.”

However, the consequences of the Royal Mail ransomware attack may continue for some time as, according to LockBit’s dark web victim blog, the gang appears to have released data belonging to the service’s employees.

LockBit releases Royal Mail data?

LockBit first threatened to release data two weeks ago if a ransom demand wasn’t paid, but the deadline came and went without this occurring. Now the deadline appears to have been moved to today according to screenshots from the gang’s blog seen by Tech Monitor. 

This indicates LockBit is still hopeful that it will receive some money from the hack. The blog describes the latest deadline as the “last chance to prevent leaks of [Royal Mail] information. We are ready to make a discount, remove the stolen information and provide a decryptor for $40m. There will be no more delays, after the timer expires all the data will be released.”

Data of employees at the Royal Mail has already been leaked online. Tech Monitor understands that these files are genuine. They appear to relate to up to 200 employees and the data may be historical, some batches being up to ten years old. It is thought those affected are currently being contacted by Royal Mail.

Content from our partners

LockBit’s leader, whose identity is unknown, appears to be particularly angry that the Royal Mail is refusing to pay the ransom, explained chief security strategist and ransomware researcher at Analyst1, Jon DiMaggio. He believes this individual is “just as interested in his reputation and brand as he is in making money”.

“They’re really upset that [the Royal Mail] didn’t pay,” DiMaggio says. “He wants them to pay. He feels that the organisation has the money, but spends it unwisely, and that they should pay him instead. That was something that he said in one of the criminal forums.”

The data released online may not be all of the data that LockBit has stolen, continues DiMaggio. “Normally what we would see right now should be everything,” he says. “But when it comes to massive amounts of data, it may not be easy to get all of that data released, so there could be more coming.”

LockBit and the Royal Mail Hack

This is the latest instalment of a saga that began in January, when the Royal Mail admitted a “cyber incident” was disrupting its international dispatch service, triggering knock-on effects throughout the rest of the company. 

Days after this announcement, the LockBit took responsibility for the hack by printing out the ransom using label printers at a Royal Mail depot in Belfast, reading: “Your data are stolen and encrypted. The data will be published on the Tor website,” it said. 

Based in Russia, LockBit has been one of the most active ransomware gangs observed in recent months. The gang was responsible for 33% of the ransomware attacks in the past six months of 2022, a 94% increase compared to its 2021 activity, according to research from cybersecurity vendor NCC Group.

Read more: LockBit claims attack on Italian tax office