Russia-linked hackers behind Royal Mail cyber attack


A Russia-linked ransomware gang was behind the Royal Mail cyber attack that forced it to suspend international postal deliveries leaving more than half a million parcels and letters stuck in limbo, The Telegraph can disclose.

The attack, which has paralysed the postal service’s ability to send letters and parcels abroad, was carried out by a gang called Lockbit.

Lockbit’s signature ransomware scrambles files on computers and flashes up a message demanding payment in hard-to-trace cryptocurrencies as the price for unscrambling them again.

Sources familiar with the Royal Mail investigation said Lockbit’s ransomware, known as Lockbit Black, had infected machines used by the postal operator to print customs labels for parcels being sent to overseas destinations.

The ransom note, seen by The Telegraph, says: “Lockbit Black Ransomware. Your data are stolen and encrypted.”

Gang members also threatened to publish stolen data on a dark web site maintained by Lockbit.

“You can contact us and decrypt one file for free,” the note continues.

Royal Mail declined to comment. The company said on Wednesday: “We have asked customers temporarily to stop submitting any export items into the network while we work hard to resolve the issue”.

The National Cyber Security Centre, a branch of GCHQ, is helping Royal Mail clean up and remove the malicious software. The National Crime Agency is also investigating.

Printers at a Royal Mail distribution centre in Northern Ireland reportedly began “spurting” out copies of the ransom note, a known tactic of the Lockbit gang.

Staff at the postal service’s sorting office in Mallusk, north of Belfast, reported ransom notes being churned out of printing machines on Tuesday, according to the Belfast Telegraph.

Lockbit has previously made ransom demands of tens of millions of pounds and is thought to have extorted around $100m (£82m) in total from its victims over the past few years.

In November the Lockbit gang targeted the London-listed car dealership Pendragon, scrambling computers across its 200 sites and demanding a £60m ransom to unlock them.

Lockbit ransomware note

The gang’s members are believed to have close links to Russia.

A Lockbit member said in a blog post published on the dark web last year: “We benefit from the hostile attitude of the West (towards Russia). It allows us to conduct such an aggressive business and operate freely within the borders of the former Soviet (CIS) countries.”

Tim Mitchell, a senior researcher at cyber security company Secureworks, said the impact of the attack was likely to be very serious.

He said: “The core individuals behind LockBit ransomware run arguably the most prolific ransomware-as-a-service scheme, so it’s no wonder it accounted for nearly a third of named victims across all ransomware leak sites in 2022.”

Russia-linked hacker gangs have been one of the main online threats to businesses over the last decade or more.

At the start of Russia’s invasion of Ukraine many gangs began carrying out cyber attacks at the direction of Russian spy agencies, according to cyber security researchers.

Prior to the February 2022 invasion, US President Joe Biden had held phone calls with Vladimir Putin to encourage his Russian counterpart to hand over suspects wanted by US law enforcement authorities.

“I made it very clear to [Putin] that the United States expects, when a ransomware operation is coming from their soil even though it’s not, not, sponsored by the state, that we expect them to act,” the US president said in July 2021.

Russian authorities have been slow to act against ransomware suspects wanted by the West.

Some gangs openly flaunt their stolen wealth in Russia, being seen driving cars such as Lamborghinis and Ferraris.

One alleged Lockbit member has been charged by US authorities with taking part in the gang’s global ransomware spree.

Mikhail Vasiliev, 33, of Bradford, Ontario, a dual Russian-Canadian citizen, is currently awaiting extradition from Canada. There is no suggestion that he was involved in the Royal Mail cyber attack.

Prosecutors allege Mr Vasiliev conspired to intentionally damage protected computers and to send ransom demands, charges which carry a maximum five-year prison sentence.

The chief of the National Cyber Security Centre, Lindy Cameron, has previously described ransomware as the number one cyber threat facing British businesses.