Royal Mail cyberattack linked to Lockbit gang
But Lockbit denies responsibility
The Russia-linked Lockbit ransomware gang has been linked to a cyberattack that disrupted Royal Mail's international export services this week.
Royal Mail, one of the biggest post and parcel companies in the world, said on Wednesday it was hit with a cyber incident that forced it to suspend international shipping operations.
An update on the company's website on Thursday showed it was still unable to ship items to other countries.
The firm has urged customers not to post any foreign export items until further notice, to avoid a build-up on the company's network.
Royal Mail has now confirmed the incident was a ransomware attack by the Lockbit group, or at least someone using their encryptors, according to The Telegraph.
The ransomware attack forced Royal Mail's printers, used for customs dockets, to print ransom notes. It also encrypted systems used for international shipping.
Lockbit's ransomware encrypts files on victim machines and displays a message demanding payment in cryptocurrencies, in return for a decryption key.
The ransom note printed by Royal Mail's printers claims to have been generated by 'Lockbit Black Ransomware' and threatens to leak stolen data on a Lockbit-run dark web site.
'You can contact us and decrypt one file for free,' the note continues.
The message also includes links to the Tor data leak and negotiation sites used by the Lockbit ransomware group, as well as a 'Decryption ID' needed to log in and communicate with the threat actors.
Security experts told BleepingComputer that this 'Decryption ID' was not working.
When BleepingComputer contacted LockbitSupport, the ransomware operation's public-facing representative, they claimed they had not targeted Royal Mail and that other threat actors using their leaked builder were responsible.
Attackers using ransomware exploit weak security measures to install their own software and encrypt data, rendering it useless. They then demand a ransom, often in the form of a cryptocurrency, which is more difficult to track than traditional currency.
The Lockbit ransomware has been seen around the world, with organisations in the United States, India, and Brazil among its frequent targets. Trend Micro refers to Lockbit as 'one of the most professional organised criminal gangs in the criminal underground'.
Lockbit is thought to be run primarily out of Russia.
In the past, the group has demanded tens of millions of pounds in ransom. Over the last several years, it is estimated to have extracted a total of around £82 million from its victims.
One of those victims was London-listed car dealership Pendragon, in November. Lockbit encrypted computers at 200 of Pendragon's locations and demanded a £60 million ransom for decryption.
Britain's Information Commissioner's Office is looking into the Royal Mail incident, and the National Cyber Security Centre is assisting with cleanup and removal of the malware.
The National Crime Agency is also looking into the ransomware attack.