LockBit Group Goes From Denial to Bargaining Over Royal MailRansomware Remains a Royal Pain, as Criminals' Latest Extortion Attempt Highlights
The LockBit group has gone from denying it had any involvement in the ransomware attack on Britain's Royal Mail to trying to bargain for a ransom.
LockBit's site now lists Royal Mail as a victim and demands it pay a ransom by Thursday or else the attackers will dump online unspecified data that they claim to have stolen.
Like many ransomware groups, LockBit runs its own data leak site, where it will list a subset of victims who have not paid it a ransom. The goal of the site is to name and shame a victim into paying, typically by threatening to leak stolen data, whether or not any data has actually been stolen. If a victim doesn't pay, a group will typically dump any stolen data it has after its deadline passes, to warn future victims about the perils of not paying.
Shortly thereafter, however, LockBitSupp said that in fact, one of its top 10 most profitable affiliates was behind the attack.
Royal Mail continues to try and restore services following the incident. In the immediate aftermath, it urged British residents to not attempt to mail any letters or parcels that need to go abroad, saying it remained unable to export anything. Since then, some services have been restored.
In a Tuesday service update, 27 days after it got disrupted, the postal service says anyone who wants to send a parcel abroad must purchase shipping either online or through another service. "At this time we are unable to process new Royal Mail parcels purchased through Post Office branches," it says.
Royal Mail says it's clearing a massive backlog of letters and parcels, in some cases sending them via "alternative solutions and systems" to get them abroad, albeit with delays. Import services are also experiencing "minor delays," and it says it is "working hard to resume more services through Post Office branches and will provide further updates on these services as soon as possible."
Profit Trumps All
LockBit's about-face - "it wasn't us" to "it was us" - is a reminder that ransomware groups will continue to lie, cheat and steal, so long as they can profit at a victim's expense.
Isn't hitting a piece of Britain's critical national infrastructure - as in, the national postal service - risky? After DarkSide hit Colonial Pipeline in the United States in May 2021, for example, the group first blamed an affiliate before shutting down its operations and later rebooting under a different name.
While hitting CNI might seem like playing with fire, many security experts' consensus is that ransomware groups' target selection remains opportunistic. Both operators and any affiliates who use their malware, as well as the initial access brokers from whom they often buy ready-made access to victims' networks, seem to snare whoever they can catch and then perhaps prioritize victims based on size and industry.
What's notable isn't necessarily that LockBit - or one of its affiliates - hit Royal Mail, but that it decided to press the attack. While some groups will issue a free decryptor to healthcare institutions, this seems to be done as a PR move if they have disrupted a hospital or triggered geopolitical fallout. But not all groups issue free decryptors, and simply having a decryptor won't fix the time and expense required to overhaul infrastructure and restore systems.
So LockBit's continuing extortion play is significant precisely because the group doesn't appear to be running scared.
That's despite multiple law enforcement agencies no doubt already attempting to infiltrate this and other groups (see: LockBit Ransomware Group's Big Liability: 'Ego-Driven CEO').
There have been some outstanding successes of late, including the FBI and its German and Dutch counterparts infiltrating the infrastructure and operations of Hive, which was one of the world's most prolific ransomware operations. Law enforcement agents quietly passed decryption keys to victims, helping ensure that more than $130 million in potential ransoms never got paid.
While experts expect Hive to reboot or rebrand soon, any disruption of ransomware must count as good disruption (see: Will Hive Stay Kaput After FBI Busts Infrastructure?).
Unfortunately, LockBit and many other ransomware groups very much remain active, and there is no denying how much grief they continue to cause victims.