Royal Mail called LockBit’s $80m ransom demand “absurd”


The supposed conversation between Royal Mail and the ransomware gang LockBit offers a glimpse of negotiations between the victim and the criminal.

Ransomware gang LockBit supposedly leaked chat logs of the conversation criminals had with the victim’s representative. Russia-linked LockBit breached the British postal service in early January 2023.

Time stamped messages reveal that the leaked conversation took place between January 12 and February 9. Information on LockBit’s blog, a dark web website where the gang posts its victims, indicated the gang would publish the stolen data on February 14.

ADVERTISEMENT

After the deadline passed, LockBit posted a message saying, “Royal Mail need new negotiator [sic]” and posted the chat logs.

We’ve reached out to Royal Mail to confirm the conversation was genuine, yet we did not receive a reply before going to press.

Wikipedia-based assessments

According to the conversation, it took LockBit almost two weeks to name the ransom amount. Cybercriminals said they want 0.5% of the company’s annual revenue or $80m.

When confronted to provide a basis for the company’s revenue assessment, LockBit sent the negotiator links to Wikipedia articles.

Royal Mail rebutted, pointing out that LockBit is confusing International Distribution Services, Royal Mail Group, and Royal Mail International.

“We are Royal Mail International who is a separate entity, with an entirely independent Managing Director and Senior Official. Our company’s revenue is in decline, as we have tried to explain to you previously and Royal Mail International is the company that is affected by your penetration testing,” the company said.

ADVERTISEMENT

The gang’s negotiator seemed somewhat agitated, blaming Royal Mail for trying to ‘deceive and bamboozle’ the crooks. LockBit’s negotiator proceeded to demand an $80m ransom, alluding that the company’s directors are wealthy enough to pay the hefty sum to the gang.

“Under no circumstances will we pay you the absurd amount of money you have demanded. We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have,” the company responded.

“Under no circumstances will we pay you the absurd amount of money you have demanded.”

Royal Mail.

Negotiation subtilties

The unconfirmed conversation reveals how both sides negotiate. For example, LockBit tried to hasten the ransom payment by repeatedly threatening to publish the data.

“If you continue to stretch time, I will be forced to publish your information on the blog with an offer to change negotiators, thank you for your understanding,” LockBit’s negotiator said in the conversation.

However, Royal Mail pushed back on the gang’s demands several times, saying the company’s negotiator has to run the demands through the board. Royal Mail also asked cybercriminals for proof their decryptor would work.

In a likely attempt to outsmart LockBit, Royal Mail’s negotiator pleaded with the criminals to unlock several large files. The data was supposedly meant to allow the shipping of medical equipment.

“It’s associated with medical devices that can’t yet be shipped out because this file is locked. Please please if you can unlock this too it will help save lives,” Royal Mail’s negotiator said.

However, LockBit thought the company would decrypt files that would allow it to resume operations, rendering the attackers impotent to carry on blackmailing the company. After some consideration, LockBit refused.

ADVERTISEMENT

Russia-linked syndicate

LockBit ransomware syndicate has intimate ties with major cybercrime groups, employs smear campaigns to stay on top, and its leaders use Starlink internet connection to avoid detection.

LockBitSup, the gang’s leading online persona, likely administered by several persons, is active on Russian dark web forums. Researchers believe key people behind LockBit reside in Russia or neighboring countries friendly to Moscow.

According to Jon DiMaggio, Chief Security Strategist and Analyst1, people behind LockBit, Conti, and its successor BlackBasta, DarkSide and its successors BlackMatter and BlackCat/ALPHV frequently interact and even share resources.

Reports show that LockBit and its affiliates accounted for around a third of all ransomware attacks involving organizations being posted to ransomware leak sites.