As the UK’s Royal Mail grappled with the fallout of a ransomware attack, a purported member of the LockBit hacking group stepped forward on the weekend to take credit for the mayhem.
LockBit has been busy: in just the past month, it has claimed to have compromised 40 organisations, from a private school in Malaysia to a dental group in Sydney, helping it take the mantle of the most prolific ransomware gang in the world.
The group had already hit the City of London, ensnaring Kingfisher Insurance in October 2022. But Royal Mail, part of a £2.2bn delivery business, was its biggest target so far: a crucial part of the UK’s critical infrastructure that was suddenly left unable to send mail outside the British Isles.
The spotlight — both from rival hacking gangs and UK authorities — was finally on LockBit.
“Guys, you can calm down,” said the anonymous post, as it revealed that a LockBit affiliate was behind the attack, made in a private forum and shared with the Financial Times by a security researcher.
The hack, the post said, was carried out by an elite, top ten member of the sprawling LockBit gang, someone who specialised in the important jobs of decrypting and then deleting the stolen data after collecting the ransom.
Royal Mail has yet to officially confirm that LockBit breached its cyber defences, encrypted its data and is now holding it ransom. The company declined to comment on whether it was negotiating with hackers, or how long it expects the disruption to last.
During a parliamentary hearing on Tuesday, Royal Mail chief executive Simon Thompson told MPs he had been informed “that to discuss any fine details . . . would actually be detrimental”.
The week-long disruption to international deliveries comes after 18 days of strikes over the past five months, adding pressure to Royal Mail to resolve the situation. But it is facing off against an evolved version of the ransomware threat — security researchers describe LockBit as the most professional, sleekly efficient gang in the world.
In the past year, the “founding fathers” of the group have taken advantage of the break-up of a rival to corner market share, released new versions of their malware (LockBit 3.0) that automate the most basic tasks, held marketing promotions ($1,000 for a tattoo with the group’s name), and given their targets frank advice on how to defend themselves (spend 10 per cent of budget on cyber security, patch your computers and hire an outsider to test for weaknesses).
The group’s polished efficiency has caused havoc across the globe, with LockBit accounting for just over a quarter of all known ransomware attacks in 2022, according to the Israeli security firm CyberInt.
That is a harbinger of worse to come — now deeply entrenched in the ransomware business, the group is poised to become more ubiquitous.
It has largely replaced the now disbanded Russian Conti hackers who raked in about $3bn in their 2020-2021 heydays, according to CyberInt estimates, before being betrayed by a Ukrainian insider who fell out with the group’s pro-Russian politics.
“LockBit manages themselves way better than a lot of legitimate companies — they are professional, they take care of their PR, they focus on their product, their business, they keep away from politics,” said Shmuel Gihon, a security researcher at CyberInt who has followed the group closely.
“They are presenting themselves as an organisation that can’t be ignored — at this scale, they will be everywhere, and there’s not much that can be done about it.”
The group works on a “Ransomware As a Service” model, renting out its malware and providing technical support to far-flung “affiliates” who do the time-consuming task of penetrating a target’s networks and planting the LockBit malware.
Around that time, senior members of the group step in, taking over the more complex tasks of infiltrating more secure areas of the target’s network, identifying the most crucial files to encrypt and then coach, and even run, the ransomware negotiations.
In the end, they take a commission, often as much as 20 per cent.
LockBit, like many other ransomware groups, is believed to be located in Russia and in neighbouring countries where authorities are unlikely to investigate, let alone extradite, the vital members of these groups.
In November, US authorities charged a Russian and Canadian dual-national as an affiliate of LockBit, citing his presence on a private forum that provided technical and ransom negotiations advice, and his possession of a fraction of a bitcoin that was part of a ransom paid a few hours earlier. He is the only person known to have been arrested or indicted for their alleged work with LockBit.
At the time, the FBI estimated that LockBit had made more than $100mn in ransom demands, which security researchers say is likely an undercount — successful ransomware attacks are rarely made public, a fact that LockBit promotes as part of its allure, allowing corporations to avoid the embarrassment and scrutiny of having been hacked.
Unless Royal Mail pays the ransom, which is a legally dubious route, weeks, if not months of disruption lie ahead, said Hanah Darley, head of threat research at Darktrace.
In situations like this, recovering from the attack takes in “the best-case scenario, days or weeks, and in the worst case, weeks and months”, she said. “It’s like a ripple effect — you see subsequent impacts that you will discover over time.”
Royal Mail’s chief executive, Simon Thompson, told parliament on Tuesday it is exploring “workarounds” to restore services, with UK residents and companies still unable to send letters or packages abroad.
For critical infrastructure such as the Royal Mail, the hacking recovery process is gruelling, said Darley: “You can’t really go offline and fix what you need to fix — you have to still maintain critical operations.”