Ransomware gang LockBit 3.0 has claimed responsibility for a cyberattack on Royal Mail which disrupted services this week. The gang has threatened to publish the stolen data online. 

LockBit 3.0 claims Royal Mail cyberattack. (Photo by salarko/Shutterstock)

The postal service announced that it had been the victim of a “cyber incident” earlier this week, knocking its international transport capabilities offline and slowing down other services.

LockBit 3.0 responsible for Royal Mail attack

The Royal Mail was informed that it has been the subject of a cyberattack when its printers began producing labels featuring a ransom. Workers at a Royal Mail depot in Belfast first spotted the note from LockBit 3.0, also known as LockBit Black, The Telegraph reported.

The note reads: “Your data are stolen and encrypted. The data will be published on Tor website.” The note then provides a decryption ID for Royal Mail representatives to log in to their computers to negotiate with the gang.

The public-facing branch of LockBit, called LockBitSupport, has denied any involvement with the cyberattack, citing other cybercriminals using its builder technology. The gang’s builder was leaked on Twitter in September of last year, meaning that any cybercrime gang could be using it to attack the Royal Mail and pin the blame on LockBit.

However, this would not explain the links on the Royal Mail ransom note to LockBit’s Tor negotiation site. The ransom demand has not been released.

A brief statement issued yesterday morning by Royal Mail says: “Delivery and collection services will take place across the UK today,” hinting at ongoing issues with its international dispatch services. 

This could potentially be the second breach that the company has suffered in as many months, following an incident in November that knocked the company’s Click & Drop services offline.

Who isareLockBit?

LockBit is a prolific ransomware gang responsible for numerous high-profile attacks in and around the UK. It is currently in its third regeneration, having first been spotted in 2019. It has racked up a long list of high-profile victims since its first generation three years ago. According to a report by the Infosec Institute, LockBit attacked more than 850 victims in 2022. The gang mainly targets companies in Europe, the UK and the US.

One of its most notable attacks hit the NHS last year, when employees at the 111 service were reduced to working with pen and paper after its systems were disabled. It took several days to get the service back up and running.

The gang also attacked UK insurance company Kingfisher in October, claiming to have lifted over a terabyte of information from the company including the personal data of employees and customers. 

LockBit is thought to be a reincarnation of prolific ransomware gang BlackMatter and DarkSide, the gang that famously shut down the Colonial Pipeline in the US.

Ransomware hits The Guardian

The Royal Mail ransomware revelations come days after The Guardian announced that its ongoing cyber issues have also been down to a ransomware gang. The national newspaper warned its staff, who have been working from home since the attack in December, that their data appears to have been accessed by an as-yet unidentified hacking gang.

Personally identifiable information such as names, national insurance numbers, addresses, dates of birth, bank account information, salary information and identity documents such as passports were all said to have been accessible to the perpetrators of the attack. The gang apparently accessed the paper’s systems through a successful phishing attack, and its statement to staff this week said it has “seen no evidence that data has been leaked online thus far.”

The Guardian has not yet released any information regarding the ransom. Data regulator the Information Commissioner’s Office has been informed.

Read more: Rackspace ransomware investigation provides little new detail for disgruntled clients