[ This article was originally published here ]
By Dave Cartwright, CISSP
In February 2023 something very unusual happened. Following a ransomware attack on Royal Mail International, a division of the UK mail and parcel delivery service (formerly state-owned), negotiation between company representatives and the ransomware attackers .
Royal Mail engaged with the UK’s National Crime Agency (NCA) and the National Cyber Security Centre (NCSC), and part of the resulting activity was dealing with LockBit representatives, without much success.
The first thing to note is that the chat covers a time period of almost a month, from January 12 to February 9. As can be seen from the transcript, many of the gaps between messages last several hours.
Early in the chat, in the early afternoon of January 12, the LockBit staffer asks, “Who am I talking to” (the use of the word “who” is surprisingly good English, by the way) and he replies, “I work on our IT. Our senior management has asked me to contact you.” If that were true, the UK cyber community would be collectively scratching their heads: no one from IT would be allowed to interact with a third party this way, and the writer is much more likely to be an NCSC or NCA officer.
The exchange arranges for the attackers to decrypt some sample files to prove that decryption is possible (as a ransomware victim, you need some level of conviction that paying a ransom gives you at least a non-zero chance of getting your data back). The files provided by LockBit appear to be very benign (PNG images and log files), even though RM tries to strike a chord with LockBit by asking it to decrypt files about medical equipment shipments (“It is associated with medical devices that are still cannot be sent because this file is locked.”). Although Royal Mail doesn’t get what it wants, the files provided do seem to show that decryption is possible.
The attackers also know their data protection law, at least to a degree. On January 25 they said: “0.5% of annual global turnover is much less than a 4% fine from your government”. The 4% figure relates, of course, to the penalties that can be incurred under the GDPR: “administrative fines of up to EUR 20,000,000, or in the case of a company, up to 4% of the total annual worldwide turnover of the previous fiscal year, whichever is higher”. Their argument is incorrect, however, when they say: “As long as we haven’t published any of your files, you can’t be fined”. The fact that they hold the data in the first place already makes this a data protection violation under the legislation.
How much does it cost?
The main stumbling block in the conversation revolves around Royal Mail’s revenue and profit. LockBit is asking for a ransom of 0.5% of Royal Mail’s revenue. According to annual figures, Royal Mail billion in the fiscal year to April 2022, which equates to $15.78 billion at the January 25 exchange rate. On this date, the attackers tell Royal Mail: “$80 million is 0.5% of their revenue”; in other words, they are saying that revenue was $16 billion in the previous financial year. It is clear, then, that the 2021-22 revenue figure for Royal Mail plc is what LockBit bases its figures on.
Royal Mail presents two arguments in an attempt to persuade LockBit to reduce the ransom. First, they point out that the business is far from prosperous, citing UK newspaper articles, including . This clearly leads to a dead end, because the Royal Mail negotiator is in effect telling LockBit plainly: you are basing your claims on last year’s figures, but we are doing much less well this year.
The second argument used by Royal Mail is to point out that the entity that was attacked was not the group as a whole, but the much smaller “Royal Mail International”. On January 27 (15 days after the attack began), Royal Mail tells LockBit: “Trying to explain that we are Royal Mail International, which is a separate entity, with a completely separate managing director and senior officer, and not ‘Royal Mail’ as the global entity. What you attacked is only a small portion and our revenue is not Royal Mail’s.” The RM representative cites an estimated turnover of $800 million for the current year, while LockBit tries to shoot this down by saying “800 million is his net profit per year”, which is not entirely true (2021-22 profit was £577 million, or $716 million).
Interestingly, in this latest exchange, Royal Mail does not take the opportunity to cite any sources or point to official documents as evidence of the existence of “Royal Mail International” or of the facts relating to its finances. Given that LockBit provides the Wikipedia URL of the Royal Mail Group entry as its source of information, it is perhaps surprising that the Royal Mail representative does not respond with links to clarify information about the “separate entity” it claims to be. And the states very clearly that “international volumes are down significantly compared to the year before the pandemic, down 44%”, which may have helped.
What did we learn?
In many ways, the transcript of the conversations between Royal Mail and LockBit raises as many questions as it answers. The attackers appear to have proven that they actually have the files, and their ransom demand appears to be based on publicly available financial information. For its part, Royal Mail strove to reduce the ransom (which raises the question of whether it really intended to pay at all). But one has to wonder why, if they wanted the ransom recalculated based on the lower turnover of the “separate entity” that is Royal Mail International, they did not provide any publicly available evidence of its existence or income.
Since then, some data has been leaked, with the ransom demand dropping to $40 million and a revised deadline set. Earlier this month, the ransom was reduced further, to $33 million, after some of the data was leaked.