The LockBit ransomware attack that severely hampered Royal Mail’s international delivery system would have cost the organization no less than $70 million if it had decided to pay up, according to chats leaked by the attackers. The original ransom demand was $80 million.
The leak comes as part of a gradual document dump by the LockBit ransomware group, meant to pressure the UK’s leading mail service into making a payment. The chat logs show a flustered Royal Mail International representative attempting to explain to the attackers that it is a smaller subsidiary that does not have access to tens of millions of pounds for ransom payments. The attackers apparently hit upon the $80 million total by calculating 0.5% of Royal Mail’s total annual revenue, but even $70 million would eat up nearly all of the quarterly profit of some of the subsidiary groups that handle international parcels.
LockBit ransomware hits international mail division, hackers don’t understand subsidiary structure
International Distributions Services PLC is the parent company of Royal Mail and subsidiaries such as Parcelforce Worldwide and GLS that handle international parcel deliveries as part of the Royal Mail International division. Believing that they had access to the full resources of International Distribution Services, the LockBit ransomware gang made a ransom demand that would likely bankrupt any of the international subsidiaries by eating up entire months of their revenue.
The leaked chat logs show that the sides began negotiating over the ransom demand on January 12, two days after Royal Mail publicly reported being compromised. The LockBit ransomware gang had previously threatened to begin leaking stolen data on February 9, but the negotiation log was released on February 14 and is the first such item to appear. The group has not yet released anything else, raising questions as to whether it actually exfiltrated anything of value prior to locking up the organization’s servers. Time will tell if more Royal Mail documents appear on the gang’s dark web leaks site.
The LockBit ransomware gang also attempted to threaten Royal Mail with the prospect of a data breach fine from their government, which the spokesperson also responded to incredulously. The hackers pitched the idea of the ransom demand being a means of keeping the incident quiet and thus avoiding a UK ICO penalty, but Royal Mail indicated that the government was already aware of the incident.
Casey Ellis, Founder and CTO at Bugcrowd, notes that it is quite rare for ransomware gangs to leak negotiations communications and that this provides some unique insights into how they pressure victims over an extended period: “Presuming the logs are authentic, it’s a fascinating set of insights into the process and personalities involved in ransomware for those who’ve not seen it before. It’s easy to forget that while cybercrime and ransomware operators present to most as shadowy, opaque entities out on the internet, they are comprised of and run be people, include far more familiar functions like customer support and accounts receivable. These functions are vulnerable to the same kinds of manipulation that cybercriminals perpetrate on their victims.”
Outrageous ransom demand refused despite international shipping chaos
The most persuasive negotiation tack taken by the LockBit ransomware gang was likely a demonstration of the file decryptor unlocking a sampling of the organization’s encrypted files. The incident has wreaked havoc on international mail services since early January, and continues to be an issue. As of February 14 the organization said that it had restored shipping to all international destinations for online purchases, but that larger letters and parcels that require a customs declaration at a Post Office branch could still not yet be processed.
The Royal Mail negotiator appeared to use a wily trick here, noting that the LockBit ransomware gang is not entirely without a heart and offered a free decryptor key to a children’s hospital that it hit in December 2022. Under the ruse of a test of the ability of its decryptor tool to unlock large files, the negotiator sent the attackers two large files that would have enabled it to restore its systems if unlocked. LockBit appeared to catch on to that gambit, however, and asked Royal Mail to send different large files for the demonstration.
The LockBit ransomware side did eventually appear to realize that they were dealing with a smaller subsidiary with an independent board that was not as well funded, but then pivoted to insisting that the company’s upper executives had personal cryptocurrency funds that they could tap into to satisfy the ransom demand.
Royal Mail has a number of competitors in the UK for shipment of parcels and small letters, but it was somewhat unique in its fee structures for large letters, offering a discount for items that other carriers charge parcel rates for. The fallout from the ransom demand has thus had a disproportionate impact on smaller businesses that sell smaller items that fell into that niche, or that regularly needed to send collections of documents, who are facing essentially double their normal shipping costs so long as this aspect of Royal Mail is out of service.
Melissa Bischoping, Director of Endpoint Security Research at Tanium, notes that the decision to not scrape up the money for the ransom demand may have also been influenced by fears that it would encourage the attackers to come back with another ridiculous demand in the future: “Even if your data is decrypted, double- and triple-extortion ransomware may mean that you could be asked to pay again to prevent your data from being released to the open market, journalists, or third-party buyers on the dark web. Even if you successfully recover your data, the costs of brand and reputation damage as well as insurance premiums, legal fines, and lost business add to the overall cost of a breach. Return attacks with additional rounds of ransom payments are also possible, and as many as 40% of those victimized a second time have be convinced to pay.”
“Tested incident response plans are critical. While negotiations may buy time, having a well-established, tested incident response plan that includes informing executives, communications partners, and board of directors will maximize efficacy. This allows for precious time to assess the scope and impact of the situation and make a decision. Ransomware actors may only have exfiltrated a small amount of insignificant data but are relying on fear and urgency to pressure you into paying faster. Preparedness and clear communication are essential during this time. This is especially important given that ransomware operations are usually the cause of significant business outages, so ensuring safety and sustainability of operations is also ongoing while negotiations take place. Prioritization and coordination among all teams are paramount,” advised Bischoping.

