Royal Mail’s ‘Cyber Incident’ Turns Out to Be Ransomware

British postal service the Royal Mail has been hit by ransomware, rendering it unable to send any mail internationally and causing a huge backlog of undelivered packages.

Earlier this week, the Royal Mail requested(Opens in a new window) that customers stop posting any items intended for delivery outside of the UK. But it didn’t divulge details as to what had happened beyond a “disruption” and has since only referred to the situation as a “cyber incident(Opens in a new window).” The UK’s National Cyber Security Centre confirmed(Opens in a new window) it was working with the company and the National Crime Agency to “fully understand the impact” of what had happened.

As The Telegraph(Opens in a new window) reports, the incident turns out to be a ransomware attack by Russia-linked gang LockBit. Sources with knowledge of the investigation confirmed the LockBit Black(Opens in a new window) ransomware had been used to infect computers at the Royal Mail. Those computers are used to print the custom labels required to send post internationally, meaning no further exports can happen until they are unlocked.

LockBit left a note for Royal Mail stating, “LockBit Black Ransomware. Your data are stolen and encrypted … You can contact us and decrypt one file for free.” As is typical in a ransomware attack, the gang is threatening to publish the stolen data if the company doesn’t pay—a so-called “double extortion” technique making it harder to ignore.

For now, Royal Mail isn’t commenting, but it’s reportedly working with the Cyber Security Centre and Crime Agency to unlock the computers without paying the ransom. However, it seems the only way for organizations to protect themselves against LockBit is to avoid infection through mitigation technqiues. Once an infection has occurred, the options are limited.