View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
February 23, 2023updated 29 Jun 2023 10:35am

More Royal Mail data leaked by LockBit as international dispatch resumes after ransomware attack

As the postal service gets more deliveries up and running, data belonging to its employees has leaked onto the dark web.

By Claudia Glover

The UK’s Royal Mail has announced that its international dispatch service is back up and running after two months of disruption following an attack by ransomware gang LockBit. The cybercriminals today released fresh data purportedly belonging to Royal Mail, which Tech Monitor understands to be genuine.

Royal Mail datasets
Royal Mail data leaked online as services return to operation. (Photo by Johannes Plenio/Unsplash)

These actions appear to be a bid to pressure the organisation into paying the ransom, something that the Royal Mail has so far refused to do.

International deliveries resume after Royal Mail cyberattack

The international dispatch service provided by the Royal Mail is back in operation, following its temporary halt due to LockBit’s ransomware attack last month. 

“Royal Mail International Export services have now been reinstated to all destinations for purchases online, through shipping solutions and over the counter at Post Office branches,” says a service update released today. “We would like to apologise to impacted customers for the disruption this incident is causing.”

However, the consequences of the Royal Mail ransomware attack may continue for some time as, according to LockBit’s dark web victim blog, the gang appears to have released data belonging to the service’s employees.

LockBit releases Royal Mail data?

LockBit first threatened to release data two weeks ago if a ransom demand wasn’t paid, but the deadline came and went without this occurring. Now the deadline appears to have been moved to today according to screenshots from the gang’s blog seen by Tech Monitor. 

This indicates LockBit is still hopeful that it will receive some money from the hack. The blog describes the latest deadline as the “last chance to prevent leaks of [Royal Mail] information. We are ready to make a discount, remove the stolen information and provide a decryptor for $40m. There will be no more delays, after the timer expires all the data will be released.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Data of employees at the Royal Mail has already been leaked online. Tech Monitor understands that these files are genuine. They appear to relate to up to 200 employees and the data may be historical, some batches being up to ten years old. It is thought those affected are currently being contacted by Royal Mail.

LockBit’s leader, whose identity is unknown, appears to be particularly angry that the Royal Mail is refusing to pay the ransom, explained chief security strategist and ransomware researcher at Analyst1, Jon DiMaggio. He believes this individual is “just as interested in his reputation and brand as he is in making money”.

“They’re really upset that [the Royal Mail] didn’t pay,” DiMaggio says. “He wants them to pay. He feels that the organisation has the money, but spends it unwisely, and that they should pay him instead. That was something that he said in one of the criminal forums.”

The data released online may not be all of the data that LockBit has stolen, continues DiMaggio. “Normally what we would see right now should be everything,” he says. “But when it comes to massive amounts of data, it may not be easy to get all of that data released, so there could be more coming.”

LockBit and the Royal Mail Hack

This is the latest instalment of a saga that began in January, when the Royal Mail admitted a “cyber incident” was disrupting its international dispatch service, triggering knock-on effects throughout the rest of the company. 

Days after this announcement, the LockBit took responsibility for the hack by printing out the ransom using label printers at a Royal Mail depot in Belfast, reading: “Your data are stolen and encrypted. The data will be published on the Tor website,” it said. 

Based in Russia, LockBit has been one of the most active ransomware gangs observed in recent months. The gang was responsible for 33% of the ransomware attacks in the past six months of 2022, a 94% increase compared to its 2021 activity, according to research from cybersecurity vendor NCC Group.

Read more: So what are Labour’s tech policies, exactly?

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.