Businessman using calculator showing ransomware recovery costs

Royal Mail’s LockBit Ransomware Recovery Will Cost the Company More Than £10 Million

Royal Mail’s parent company, International Distribution Services (IDS), has published its ransomware recovery costs from the devastating January 2023 LockBit cyberattack.

The British postal service strung along the LockBit ransomware gang and eventually refused to pay the Russian cyber gang’s $80 million ransom demand. The company engaged the cybercrime group for nearly a month, hoping to recover the encrypted data without paying the ransom.

Subsequently, the ransomware gang leaked the entire ransom negotiation discussions and the stolen data, and refused to provide the decryption key Royal Mail requested to ship medical supplies.

Although Royal Mail saved a huge chunk of the requested ransom amount, it continues to incur significant costs and losses from the LockBit ransomware attack.

Royal Mail’s ransomware recovery costs exceed £10 million

On November 16, 2023, Royal Mail’s parent company, International Distribution Services (IDS), published its half-year financials, revealing the true impact of the cyber incident and its associated ransomware recovery costs.

The report shows that IDS recorded a 6.5% year-on-year revenue drop of $27 million (£22 million), resulting from the cyber security incident and industrial action. The company also recorded a corresponding 5% decrease in international parcel deliveries completed during that period.

“International parcel volumes, including import and export parcels for Royal Mail and Parcelforce Worldwide, were down 5 percent year-on-year, a result of the global macroeconomic backdrop, the cyber incident in January 2023, and recovery from industrial action,” International Distribution Services said in a regulatory filing.

Similarly, infrastructure costs increased by 5.6% to $12.4 million due to ransomware recovery costs and systems resilience improvement after the LockBit ransomware attack.

“Also included are the costs of remediation and systems resilience improvement following the cyber-attack on the Heathrow Worldwide Distribution Centre of £10 million ($12.4m),” IDS said.

According to Sophos’ State of Ransomware 2023 report, ransomware recovery cost was $165,520 for companies with annual revenue of less than $10 million and $5 million for those with yearly turnover exceeding $5 billion.

Ransomware recovery is a convoluted process; thus, the final cost will likely exceed the stipulated amount.

“Remediation could include activities like system recovery and rebuild,” said Steve Cobb, CISO at SecurityScorecard. “Ransomware infections will many times leave systems unusable, so they must be rebuilt from scratch and this could include purchasing new hardware and new virtual services.”

“This is many times true even if the company pays the ransom and gets a decryption key. The decryption process is typically ineffective and just gives an organization access to unencrypted data that then must be migrated to a functioning infrastructure. This is very time-consuming and costs lots of money,” added Cobb.

Rebuilding the infrastructure from scratch permanently dislodges the threat actor from the company’s network to prevent subsequent attacks.

Apart from ransomware recovery costs, IDS is concerned about Royal Mail’s performance, given the challenges the parcel distribution business faces. Among them is the company’s unfavorable salary increment deal with the Communication Workers Union (CWU) to end the strike. Nevertheless, a continued strike would still have negatively impacted the company’s revenue and customer experience.

“The business is focused on recovering customer relationships,” Royal Mail stated.

International Distribution Service’s concerns about Royal Mail’s performance are justified, given that the company recorded a total loss of $395.8 million (£319 million) during the first half of 2023, which includes Royal Mail and GLS.