In a sign that a private cyberwar between ransomware groups and target organizations is escalating, LockBit has released the data it stole from Royal Mail, along with private chats between the two, after the UK postal service refused to cave in to its demands for payment.
“The LockBit group has finally given up any prospect of extracting a ransom from Royal Mail and published the files it stole from the company in a recent ransomware attack,” said cybersecurity firm MalwareBytes. “The leak brings weeks of negotiations to a close, leaving Royal Mail without a decryptor, and LockBit without a payday.”
Royal Mail partially suspended operations after a breach was disclosed in November. Since then it has emerged that LockBit – widely regarded as the most prolific digital extortion group of its kind in the world – was responsible, and that the British postal service would not pay out on the $80 million ransom demand.
Now LockBit has made good on its threats, releasing not only files belonging to its target but private chats between the two. And the dialog, begun around the beginning of December, reveals a far steelier opposition to extortion than LockBit might have been expecting.
War of words
“Alongside the leaked files, the LockBit gang have released a chat history that shows the negotiations between the two parties,” said MalwareBytes. “Perhaps the group is trying to justify its decision to call off the negotiation and leak the stolen files, or perhaps it's a warning to other victims.”
The cyber analyst said it believes that Royal Mail even hired a professional negotiator to deal with the ransomware gang, suggesting that organizations are upping their game in anticipation of the growing threat from hacker extortionists.
“Perhaps they’re just naturally good negotiators, or perhaps they listened to our recent podcast about ransomware negotiations, but there is every chance they were actually a professional ransomware negotiator,” said MalwareBytes.
It cited the Royal Mail negotiator as telling LockBit, “my management have heard that your decryptor might not work on large files.”
This, it suggested, may have amounted to a clever psychological tactic designed to turn the tables on the crooks by putting them on the back foot and making them answer the questions. A cornerstone of ransomware attacks is to encrypt a victim’s files to put them beyond use, before dangling the key to decrypt them – in return for a hefty fee.
“Whether Royal Mail's curiosity about large file decryption was genuine or a ruse, it created a role reversal in the conversation, with Royal Mail asking the questions and LockBit providing the answers, to prove that it can meet Royal Mail's needs,” said MalwareBytes.
If this is so, LockBit’s decision to expose the files might seem a curious one – unless the gang believes that, in doing so, it can forewarn other ransomware groups of the stiff resistance future cyberattacks can expect to meet.
Let’s talk cold hard cash…
When the online chat arrived at the subject of money, things became even thornier, with Royal Mail questioning LockBit’s assessment of what constituted a fair ransom demand.
“When the conversation finally turned to money, it quickly found more weeds,” said MalwareBytes. “LockBit asked for a ransom of $80 million, 0.5 percent of Royal Mail’s annual global turnover.”
At this point the Royal Mail negotiator retorted that, by LockBit's own calculation, a good “starting figure” would be $4 million, based on Royal Mail International's finances.
“LockBit thought it was talking to Royal Mail,” said MalwareBytes. “The victim told them they’re Royal Mail International, a loss-making subsidiary of Royal Mail with a vastly smaller turnover.”
The Russian-linked threat group finally showed its exasperation, saying: “You are a very clever negotiator. I appreciate your experience in stalling and bamboozling [...] only a fool would believe the honest word of a lawyer defending his client.”
Things finally came to a head on February 6, when Royal Mail essentially told the criminal group that it did not believe paying any ransom could reverse the damage already done.
"To be honest with you, I have heard that they [the board] might not want to pay you for this," said the negotiator. "In our perspective, the files got leaked when you took them from our system, and paying you won’t undo that in any way."
Whatever the long-term consequences of this decision are for the UK mail service, MalwareBytes appears to have been quite impressed by its choice of counter-tactics.
“You can only ever play the hand you're dealt, and we think given the hand they were playing, Royal Mail's negotiation came as close to a win as a loss like this ever does,” it said.