Blog

What We Learned from The Royal Mail Ransomware Chat

Mar 10, 2023

DC - Royal Mail Ransom Chat By Dave Cartwright, CISSP 

In February 2023, something very unusual happened. Following a ransomware attack on Royal Mail International, a division of the U.K.’s (formerly state-owned) mail and parcel delivery service, the negotiation between the firm’s representatives and the LockBit ransomware attackers made it into the public domain . 

As reported in January 2023 , Royal Mail engaged with the U.K. National Crime Agency (NCA) and National Cyber Security Centre (NCSC), and part of the resulting activity was to negotiate with representatives of LockBit – without much success. 

The first thing of note is that the chat covers a time period of nearly a month – from January 12 to February 9. As can be seen in the transcript, many of the gaps between messages are several hours long. 

Early in the chat, in the early afternoon of January 12, the Lockbit staffer asks: “To whom am I speaking” (the use of the word “whom” is surprisingly good English, incidentally) and is told: “I work in our IT. Our senior management have asked me to contact you”. If that were true, the U.K.’s cyber community would be scratching its collective heads: no IT person was ever allowed to engage with a third party in this way, and the writer is far more likely to be an NCSC or NCA officer.  

The interchange deals with the attackers decrypting some sample files to prove that decryption is possible (as a ransomware victim you need some level of conviction that paying a ransom stands at least a non-zero change of getting the data back). The files provided by LockBit seem to be highly benign (PNG images and log files) despite RM trying to pull on the heartstrings of LockBit by asking for files about medical equipment shipments to be decrypted (“It’s associated with medical devices that can’t yet be shipped out because this file is locked”). Although Royal Mail doesn’t get what it wants, the files provided appear to show that decryption is possible. 

The attackers also know their data protection law, at least to an extent. On January 25 they said: “0.5% of annual global turnover is much less than a 4% fine from your government”. The figure of 4% relates, of course, to the penalties that can be incurred under GDPR: “administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”. Though their argument is wrong when they say: “As long as we haven’t published any of your files, you can’t be fined” – the fact that they have the data in the first place classes this as a breach under data protection legislation. 

How Much? 

The main sticking point of the conversation is around the revenues and profits of Royal Mail. Lockbit are asking a ransom of 0.5% of Royal Mail’s revenues. According to the annual figures, Royal Mail turned over £12.71 billion in the financial year to April 2022, which equates to $15.78 billion as at January 25 exchange rates. On this date the attackers tell Royal Mail: “$80 million is 0.5% of your revenue”, or in other words they’re saying that revenues are $16 billion for the previous financial year. It’s clear, then, that the 2021-22 revenue figure for Royal Mail plc is the one upon which LockBit are basing their figures. 

Royal Mail makes two arguments in an attempt to persuade LockBit to reduce the ransom. First, they point out that business is far from booming, citing articles from UK newspapers including The Guardian . This clearly leads to something of an impasse because the Royal Mail negotiator is clearly saying to LockBit: you’re basing your demands on last year’s figures but this year we’re performing much less well.  

The second argument used by Royal Mail is to point out that the entity that was attacked was not the group as a whole, but the much smaller “Royal Mail International”. On January 27 (15 days after the attack started), Royal Mail tells LockBit: “Trying to explain we are Royal Mail International, who is a separate entity, with an entirely independent Managing Director and Senior Official, and not “Royal Mail” as the overall entity. What you attacked is just a small portion and our revenue is not that of Royal Mail”. The RM representative cites a turnover estimate of $800 million for the current year, while LockBit attempts to shoot this down by saying “800 million is your net profit per year” – which isn’t quite true (2021-22 profit was £577 million, or $716 million).  

Interestingly in this latter exchange, Royal Mail does not take the opportunity to cite any sources or point to official documents as evidence of the existence of “Royal Mail International” or the facts around its financials. Given that LockBit provide the Wikipedia URL of Royal Mail Group’s entry as their source of information, it should perhaps be a surprise that the Royal Mail representative does not counter with links to clear information about the “separate entity” they are claiming to be. And the London Stock Exchange entry cited earlier does state very clearly that “International volumes have decreased significantly versus the pre-pandemic year, down 44%”, which may have helped. 

What Did We Learn? 

In many ways, the transcript of the discussions between Royal Mail and LockBit raises as many questions as it answers. The attackers seem to have proven that they really have the files and their ransom demand appears to be based on publicly available financial information. For its part, Royal Mail tried hard to have the ransom reduced (which raises the question of whether it in fact intended to pay the ransom). But one has to wonder why, if they wanted the ransom to be recalculated based on the lower turnover of the “separate entity” that is Royal Mail International, they didn’t provide any publicly available evidence of its existence or revenues. 

Some data has now been leaked, with the ransom demand dropping to $40 million and a revised deadline. Earlier this month, the ransom had fallen further, to $33 million, following leakage of part of the data.