Royal Mail Cyberattack Linked to LockBit Ransomware Operation

LockBit ransomware has been implicated in a cyberattack against Royal Mail, the UK’s biggest mail delivery service.

Yesterday, Royal Mail announced that it had suffered a cyberattack, which forced it to suspend international shipping.

Royal Mail has announced severe disruption to its international export service due to a cyber attack. This was disclosed by Royal Mail via a .

Royal Mail didn’t provide details about the cyberattack but they stated that they had notified UK law enforcement and regulators.

LockBit encryption was used to encrypt the data

The attack on Royal Mail was first reported by . It is believed to have been carried out by the LockBit ransomware operation or by someone using its encryptor.

The Telegraph reported that the ransomware encrypted devices used for international shipping, and that ransom notes were printed on printers used for customs dockets.

BleepingComputer can confirm that the ransom notes include Tor sites for LockBit ransomware.

The ransom note states that it was made by LockBit Black Ransomware, which is the name. This ransom note also includes code from the now-defunct BlackMatter ransomware gang.

The note contains links to multiple Tor data leak sites of the LockBit ransomware operation, as well as to its negotiation sites. It also has a Decryption ID that is required to log in and talk with the threat actors.

However, multiple security experts have told BleepingComputer that the “Decryption ID” does not work.

It is not clear whether the ransomware gang deleted the ID after the ransom note information was released, or whether negotiations were moved to another ID to avoid scrutiny by journalists and researchers.

BleepingComputer reached out to LockBitSupp to learn more about the ransomware attack. They told us that they did not attack Royal Mail and blamed other threat actors who had used their leaked builder.

The LockBit 3.0 ransomware builder was leaked on Twitter in September, which allowed other threat actors to use LockBit’s encryptor.

LockBitSupp did not explain why the Royal Mail ransom notes contained links to LockBit’s Tor negotiation sites and data leak sites, rather than to the sites of the other threat actors allegedly using this builder.

If LockBitSupp is telling the truth and other threat actors used the leaked builder, it would mean that this attack was probably a destructive attack rather than one for personal gain, since there is no way to reach the attackers.