Royal Mail has supposedly rebuffed an $80m (£66m) ransom demand from the LockBit ransomware gang, saying “under no circumstances” would it pay “the absurd amount of money” demanded.
This is according to what appear to be chat logs leaked by LockBit, published on 14 February, that detail weeks of in-depth negotiations between LockBit and its victim, which was attacked on 10 January.
Over a month later, Royal Mail remains unable to provide a full international postal service, although it has been steadily bringing parts of its operation back online in the interim.
On 28 January, the logs show Royal Mail’s negotiator told LockBit’s representative: “We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board.”
On 1 February, the logs show LockBit’s representative offered a 12.5% discount, which would have dropped the ransom demand to approximately £47.1m. At this point, LockBit’s representative appears to have grown increasingly frustrated with Royal Mail’s negotiator, berating them for taking their time in responding, and asking them why they had “such a long chain of middlemen” and why they could not just talk directly to management. They also told Royal Mail that “journalists are asking me why I haven’t published your information … they really want to see your files”.
The gang sent its final messages between 7 and 9 February, stating that the data was “ready to be published” and the decryptor was “ready to be deleted”, before asking, “Do you have any offer for me?” at which point the conversation cuts off.
A Royal Mail spokesperson declined to confirm the accuracy of the logs. “As there is an ongoing investigation, law enforcement has advised that it would be inappropriate to make any further comment on this incident,” they said.
Lengthy negotiation
The logs appear to show that Royal Mail first made contact with the ransomware gang on 12 January, and was able to obtain proof of some data theft, a process that appears to have been dragged out to 21 January, two days after the postal service was able to implement some technical workarounds that bypassed the encrypted systems and enabled it to resume parts of its operations.
The negotiator told LockBit that some of the files encrypted pertained to the shipment of lifesaving medical equipment, but LockBit refused this request, stating that Royal Mail was making multi-billion dollar profits – this is not true – and was being greedy and trying to get something for nothing.
They also told Royal Mail that the ransom demand was substantially less than the maximum regulatory fines it could face from the UK authorities over a data breach.
“We are all suffering from the global crisis and our income has fallen as much as yours … you are hundreds of times richer than us,” said LockBit’s representative.
Ransomware negotiation
The full log, which has now been obtained and reviewed by Computer Weekly, reads as a fairly standard ransomware negotiation in which the cyber criminal representative presents their extortion racket as something akin to a legitimate business service, such as an organisation might procure from a genuine cyber security company.
The logs also reveal some insight into how ransomware victims are advised to go about conducting a negotiation.
Throughout the process, the supposed Royal Mail negotiator understandably plays for time with a formulaic approach to their answers, advising that they need to communicate various offers to the board, which generally needs a couple of days or a weekend to meet and come to a decision that never seems to arrive.
At times they seem to present themselves as a low-level technical employee who is trying to make their senior leadership understand the scale of the problem.
All of these tactics have a clear effect on proceedings, drawing them out and giving the postal service a fighting chance to mount a more effective response.
Why now?
Tim Mitchell, a security researcher at Secureworks, who as the organisation’s thematic lead for LockBit has been tracking the ransomware cartel for some time, shared some insight into why the group may have chosen to go public.
“When LockBit moves to publish the negotiation conversation it usually happens after the fact, when they have written off any chance of getting paid, to serve as a deterrent to future victims,” he said. “The message being: ‘if you don’t pay, we can publish files and share this data, too’. But such a tactic can also leave the door open for further negotiations.
“Twice now, we’ve seen LockBit issue deadlines for publishing data, and no files have been released other than this negotiation conversation. The chat still suggests they have data – so the questions remain what data do they have and why haven’t they released it? With Royal Mail systems still not up to full operational capacity for international package, what is the ongoing cost to the business?”
Mitchell also noted that the scale of the ransomware demand, one of the highest ever seen, was “vastly unrealistic” on LockBit’s part.