After recent news that Royal Mail was experiencing a severe cyber attack that caused extreme disruption to its services, leaving customers unable to send mail or parcels overseas, it has been announced that the incident is connected to a Russian-linked ransomware gang.

Royal Mail’s latest advice is for people not to try to send international letters and parcels until the cyber issue is resolved.

The ransomware in question is called “Lockbit”. The BBC reports that it has seen a ransom note sent by the criminals to Royal Mail which reads: “Your data are stolen and encrypted.” It is widely speculated that the ransom demanded will run to millions, but whilst the software is linked to Russia, the attackers themselves could be anywhere.

In light of this update, Richard Staynings, Chief Security Strategist at Cylera, has provided updated commentary on the attack, and why this announcement has ‘raised the stakes significantly’.

Cylera is a company responsible for securing much of the NHS and other critical infrastructure industries, and Richard serves on a number of government and non-governmental committees.

“If this is a state-sponsored cyberattack against a UK national critical industry, then the stakes just got raised significantly”

“Yesterday it became apparent that at least some of the Royal Mail’s IT systems had been hit with a ransomware attack. This had encrypted some IT systems and caused the display of a ransom note demanding payment in largely untraceable cryptocurrency for the decryption key. The note also threatened to publish stolen data on a dark website if payment was not received. By late Thursday, label printers at The Royal Mail’s Mallusk facility, north of Belfast, were spewing out ransom notes rather than customs labels, a known tactic of one ransomware gang in particular, Lockbit.

“Investigation showed all the signs of a ‘Lockbit Black’ (Lockbit 3.0) attack, a ransomware-as-a-service (RaaS) scheme run by organised crime syndicates from the Confederation of Independent [Russian] States (CIS) comprising much of the former Soviet Union.

“While the application code and infrastructure of a RaaS are developed and owned by a powerful Russian crime syndicate, affiliates are free to hire the gang’s exploits, infrastructure, and other capabilities to launch cyberattacks against victims. In return they are required to buy in to the service and to pay a percentage of their ill-gotten gains to the syndicate. The more prolific they are, the smaller the percentage they must pay.

“This does smell a lot like the actions of a highly malicious Russian government actor. The Kremlin has made multiple threats to the UK and other countries about their support for, and supply of arms to, the people of Ukraine as Russia began to lose ground on the battlefield as well as support at home. This looks very similar to the Russian NotPetya attack by the GRU (the Main Directorate of the General Staff of the Armed Forces of the Russian Federation) when you look under the covers, based upon what we know so far.

“If this is in fact a state-sponsored cyberattack against a UK national critical industry, then the stakes just got raised significantly and the prospect of the UK government retaliating in kind just became a lot more probable. However, full and accurate attribution often takes weeks or months to validate before the UK could respond.

“On the other hand, it could be a simple mistake by an inexperienced affiliate, one most likely not familiar with the code and how to modify it. It might even be a total amateur, not a Lockbit affiliate, who simply downloaded the code from the dark net.

“As Putin’s fragile hold on power over the Russian people becomes increasingly desperate, so it becomes ever more likely that he and his supporters will push the boundaries of acceptability against the UK, and other active supporters of Ukraine’s fight for freedom.

“These are certainly interesting times, and we should probably expect the unexpected for the next few months.

“This does also suggest that the UK government is not taking cybersecurity seriously enough. Nor is it ensuring adequate funding for cybersecurity programmes across critical infrastructure to defend against rising cyberattacks. The fact that critical industry sectors keep getting successfully attacked suggests that they are unable to attract and retain the right calibre of security staff, implement robust security processes, or procure and implement the best cybersecurity technologies and tools.

“There is a Maturity Paradox that has emerged over the past five years with the often-frantic development and deployment of new IT systems. This is where Digital Maturity has outpaced Cyber Maturity, leading to Technical Debt. This is the cybersecurity gap that many organisations have yet to properly address. They are playing catch-up but don’t have the resources to do so quickly.”

Who is Lockbit?

“The first attacks by Lockbit date back to September 2019 and it’s regarded as one of the most active ransomware families today, according to Trend Micro. With declining payment of ransoms as organisations are better prepared for ransomware attacks, the group has made a name for itself by ‘double’ and ‘triple’ ransomware attacks. It exfiltrates data from a victim and then threatens to publish this data on its website if the payment is not made. If that doesn’t work, then it will contact the individual victims whose data it stole from the victim company and have them pressure the company, or pay directly, not to release their personal data. Lockbit has made a name for itself as being totally ruthless and without any form of remorse for the damage and harm it causes.

“With the Russia-Ukraine war in February 2022, many of the Russian-language RaaS syndicates broke up, partly because some of their members were in fact Ukrainian, who abruptly changed sides and started hacking Russian IT infrastructure, including the Kremlin website. Russian gang leaders were publicly named, and many took their money, wives and girlfriends, and went deep underground. This resulted in a temporary decline in RaaS activity for several months. The Russian conscription drive in mid-2022 caused a massive exodus from the country of military-aged men and a further depletion of gang ranks. By the beginning of 2023, it appears that many of the affiliates have gone rogue and are now operating without any oversight or constraint from the Lockbit syndicate.

“However, in September, the Lockbit ransomware builder was stolen and published. Now anyone on the dark web probably has access to it. This includes the Russian FSB – which came out of the former Soviet KGB – and Russian military authorities such as the GRU (the Main Directorate of the General Staff of the Armed Forces of the Russian Federation), which was responsible for the NotPetya attacks of 2017, the most destructive and costly global cyberattack to date.

“Why is this important? Because it appears that the attack on the Royal Mail bears many of the hallmarks of the Russian NotPetya attack by the GRU. According to BleepingComputer, the ransom note contains multiple links to the LockBit ransomware operation’s various web and negotiation sites, including a ‘Decryption ID’ required to log in to chat with the threat actors. However, according to multiple security researchers, this ‘Decryption ID’ does not work. This would indicate that ‘destruction’ rather than ‘extortion’ was behind this attack, which would change the likely perpetrator.