View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
January 13, 2023

LockBit 3.0 ransomware gang claims responsibility for Royal Mail cyberattack

Ransom notes from the gang have reportedly appeared on the postal service's printers following this week's attack.

By Claudia Glover

Ransomware gang LockBit 3.0 has claimed responsibility for a cyberattack on Royal Mail which disrupted services this week. The gang has threatened to publish the stolen data online. 

LockBit 3.0 claims Royal Mail cyberattack. (Photo by salarko/Shutterstock)

The postal service announced that it had been the victim of a “cyber incident” earlier this week, knocking its international transport capabilities offline and slowing down other services.

LockBit 3.0 responsible for Royal Mail attack

The Royal Mail was informed that it has been the subject of a cyberattack when its printers began producing labels featuring a ransom. Workers at a Royal Mail depot in Belfast first spotted the note from LockBit 3.0, also known as LockBit Black, The Telegraph reported.

The note reads: “Your data are stolen and encrypted. The data will be published on Tor website.” The note then provides a decryption ID for Royal Mail representatives to log in to their computers to negotiate with the gang.

The public-facing branch of LockBit, called LockBitSupport, has denied any involvement with the cyberattack, citing other cybercriminals using its builder technology. The gang’s builder was leaked on Twitter in September of last year, meaning that any cybercrime gang could be using it to attack the Royal Mail and pin the blame on LockBit.

However, this would not explain the links on the Royal Mail ransom note to LockBit’s Tor negotiation site. The ransom demand has not been released.

A brief statement issued yesterday morning by Royal Mail says: “Delivery and collection services will take place across the UK today,” hinting at ongoing issues with its international dispatch services. 

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

This could potentially be the second breach that the company has suffered in as many months, following an incident in November that knocked the company’s Click & Drop services offline.

Who isareLockBit?

LockBit is a prolific ransomware gang responsible for numerous high-profile attacks in and around the UK. It is currently in its third regeneration, having first been spotted in 2019. It has racked up a long list of high-profile victims since its first generation three years ago. According to a report by the Infosec Institute, LockBit attacked more than 850 victims in 2022. The gang mainly targets companies in Europe, the UK and the US.

One of its most notable attacks hit the NHS last year, when employees at the 111 service were reduced to working with pen and paper after its systems were disabled. It took several days to get the service back up and running.

The gang also attacked UK insurance company Kingfisher in October, claiming to have lifted over a terabyte of information from the company including the personal data of employees and customers. 

LockBit is thought to be a reincarnation of prolific ransomware gang BlackMatter and DarkSide, the gang that famously shut down the Colonial Pipeline in the US.

Ransomware hits The Guardian

The Royal Mail ransomware revelations come days after The Guardian announced that its ongoing cyber issues have also been down to a ransomware gang. The national newspaper warned its staff, who have been working from home since the attack in December, that their data appears to have been accessed by an as-yet unidentified hacking gang.

Personally identifiable information such as names, national insurance numbers, addresses, dates of birth, bank account information, salary information and identity documents such as passports were all said to have been accessible to the perpetrators of the attack. The gang apparently accessed the paper’s systems through a successful phishing attack, and its statement to staff this week said it has “seen no evidence that data has been leaked online thus far.”

The Guardian has not yet released any information regarding the ransom. Data regulator the Information Commissioner’s Office has been informed.

Read more: Rackspace ransomware investigation provides little new detail for disgruntled clients

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.