The LockBit ransomware gang has published what it claims is the full transcript of its negotiations with Royal Mail, which continues to experience disruption due to last month’s cyberattack.
The chat logs of the ransom negotiation are the first data that LockBit has published following the cyberattack on Royal Mail, which left the British postal service unable to dispatch certain items overseas. This is despite the Russia-linked ransomware gang’s earlier threats to publish all stolen data on February 9. The logs appear to suggest that this is the day that negotiations between LockBit and Royal Mail came to an end.
Screenshots posted to LockBit’s dark web leak site, seen by TechCrunch, show that negotiations began on January 12, two days after the U.K. postal giant confirmed it had been compromised.
The chat logs, if authentic, show that LockBit demanded an $80 million ransom payment, which it calculated to be 0.5% of Royal Mail’s annual revenue. Royal Mail’s negotiator appears to tell LockBit that they have confused Royal Mail International with Royal Mail and that the organization would not pay the demand.
“Under no circumstances will we pay you the absurd amount of money you have demanded,” says Royal Mail’s unnamed negotiator, according to the screenshots posted by LockBit. “We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board.”
LockBit apparently then offered a lower ransom sum, dropping the figure to $70 million on February 1.
The U.K.’s National Cyber Security Centre, which is working with Royal Mail to investigate the breach, has long advised that organizations should not pay ransom demands, as this “does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.” The FBI also recommends that victims not pay ransom demands and instead take steps to preventatively back up data.
Royal Mail did not dispute the legitimacy of the chat logs when approached by TechCrunch, but declined to answer our questions. “As there is an ongoing investigation, law enforcement has advised that it would be inappropriate to make any further comment on this incident,” said a Royal Mail spokesperson, who declined to provide their name.
Royal Mail’s next steps remain unclear. As negotiations between the company and LockBit appear to have failed, for now at least, the company could soon be battling a larger fallout if stolen data is published online. LockBit’s dark web leak site currently says that “all available data” has been published, but this isn’t yet available to view.
The postal giant also continues to experience service disruption due to the cyberattack, more than a month later. In an update dated February 14, the company said that while it has made progress — international services were reinstated to all destinations for purchase online — it’s still unable to process new Royal Mail parcels and large letters requiring a customs declaration purchased through Post Office branches.