A ransomware group with links to Russia is suspected to be behind this week’s cyber attack disrupting Royal Mail’s international export services.
The postal service received a ransom note allegedly from LockBit, a hacker group widely thought to have close links to Russia, as reported by The Telegraph.
Printers at a Royal Mail distribution site near Belfast in Northern Ireland reportedly started printing ransom notes that said ‘Lockbit Black Ransomware. Your data are stolen and encrypted’.
On Wednesday, Royal Mail told customers sending parcels abroad that it was facing ‘severe service disruption’ due to a cyber incident.
The company asked customers to refrain from submitting new items for international delivery, although domestic services and imports were unaffected.
A statement said it was temporarily unable to despatch export items including letters and parcels to overseas destinations.
Royal Mail had reported the incident to the UK’s government-run National Cyber Security Centre, the National Crime Agency and the Information Commissioner’s Office.
‘LockBit is a ransomware attack which couples extortion attacks. It automatically looks for potential suspects and then spreads the infection and encrypts all accessible computer systems on a network,’ said Jake Moore, Global Cyber Security Advisor at ESET.
‘Once data has been stolen and encrypted, the extortion tactics occur in order to make more money even if a backup process is in place,’ said Moore. ‘There are no existing Lockbit decryption tools.’
Preventive measures include using strong, unique passwords in conjunction with multi-factor authentication. Furthermore, systems need constant updating with the appropriate patches to ensure protection. Offsite and disconnected backups and a tested restore process are also vitally important.
Attacks using LockBit originally began in September 2019, when it was dubbed the ‘.abcd virus’ in reference to the file extension name used when encrypting a victim’s files.
Organizations in the United States, China, India, Indonesia, Ukraine, France, the UK and Germany have been past victims of this type of attack.
It’s unclear when Royal Mail will be able to resume international deliveries or if it will comply with ransom demands.
‘I always advise never to pay the ransom as it ultimately funds future cyberattacks but I know the pressure is usually forced upon them in these situations and all while hindsight looms on them,’ said Moore.
‘Paying ransoms will never guarantee the safe redelivery of the data and can often bring further problems – financially and physically.’
Moore thinks that this will be a ‘wake-up call’ for Royal Mail and other companies to update, reassess and better protect their systems.
What is LockBit, the Russian ransomware group?
LockBit 2.0 entered the cybercrime space in July 2021 as an extortionist syndicate bringing talented hackers together to achieve for-profit or even political goals.
On August 23, 2021, a Russian-speaking tech blog YouTube channel, ‘Russian OSINT’, published an interview with representatives of LockBit, uncovering details of their operations.
The hackers said that they did not attack healthcare and educational institutions or social services and charities.
‘We value our reputation and destroy all of the victim’s data if the ransom is paid, guaranteeing full confidentiality of the deal,’ they said in the interview.
Last year, a Russian LockBit ransomware operator was arrested in Canada by Europol.