Royal Mail refused to pay ‘absurd’ LockBit ransom, chat logs say

The LockBit ransomware gang has published what it claims is the full transcript of its negotiations with Royal Mail, which continues to experience disruption due to last month’s cyberattack.

The chat logs negotiating the ransom is the first data that LockBit has published following the cyberattack on Royal Mail, which left the British postal service unable to dispatch certain items overseas. This is despite the Russia-linked ransomware gang’s earlier threats to publish all stolen data on February 9. The logs appear to suggest that this is the day that negotiations between LockBit and Royal Mail came to an end.

Screenshots posted to LockBit’s dark web leak site, seen by TechCrunch, show that negotiations began on January 12, two days after the U.K. postal giant confirmed it had been compromised.

The chat logs, if authentic, show that LockBit demanded an $80 million ransom payment, which it calculated to be 0.5% of Royal Mail’s annual revenue. Royal Mail’s negotiator appears to tell LockBit that they have confused Royal Mail International with Royal Mail and that the organization would not pay the demand.

“Under no circumstances will we pay you the absurd amount of money you have demanded,” says Royal Mail’s unnamed negotiator, according to the screenshots posted by LockBit. “We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board.”

LockBit apparently then offered a lower ransom sum, dropping the figure to $70 million on February 1.

The U.K.’s National Cyber Security Centre, which is working with Royal Mail to investigate the breach, has long advised that organizations should not pay ransom demands, as this “does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.” The FBI also recommends that victims not pay ransom demands and instead take steps to preventatively back up data.

Royal Mail did not dispute the legitimacy of the chat logs when approached by TechCrunch, but declined to answer our questions. “As there is an ongoing investigation, law enforcement has advised that it would be inappropriate to make any further comment on this incident,” said a Royal Mail spokesperson, who declined to provide their name.

Royal Mail’s next steps remain unclear. As negotiations between the company and LockBit appear to have failed, for now at least, the company could soon be battling a larger fallout if stolen data is published online. LockBit’s dark web leak site currently says that “all available data” has been published, but this isn’t yet available to view.

The postal giant also continues to experience service disruption due to the cyberattack, more than a month later. In an update dated February 14, the company said that while it has made progress — international services were reinstated to all destinations for purchase online — it’s still unable to process new Royal Mail parcels and large letters requiring a customs declaration purchased through Post Office branches.