How the Royal Mail hacker became the world’s most prolific ransomware group

As the UK’s Royal Mail grappled with the fallout of a ransomware attack, an alleged member of the LockBit hacking group came forward over the weekend to take credit for the chaos.

LockBit has been busy: in the past month, it claimed to have compromised 40 organizations, from a private school in Malaysia to a dental group in Sydney, helping it take over the world’s most prolific ransomware gang.

The group had previously hit the City of London, ensnaring Kingfisher Insurance in October 2022. But Royal Mail, part of a £2.2billion delivery business, was its biggest target so far : a crucial part of the UK’s critical infrastructure that was suddenly left unable to send mail outside the British Isles.

The spotlight – from both rival hacking gangs and UK authorities – was finally on LockBit.

“Guys, you can calm down,” the anonymous post said, as it revealed that a LockBit affiliate was behind the attack, made in a private forum and shared with the Financial Times by a security researcher.

The hack, according to the message, was carried out by an elite, top ten member of the sprawling LockBit gang, someone who specialized in the important tasks of decrypting and then deleting stolen data after collecting the ransom.

Royal Mail has yet to officially confirm that LockBit breached its cyber defenses, encrypted its data and is now holding it for ransom. The company declined to say whether it was negotiating with hackers or how long it expects the disruption to last.

At a parliamentary hearing on Tuesday, Royal Mail chief executive Simon Thompson told MPs he had been told “that to discuss all the details . . . would in fact be detrimental”.

The week-long disruption to international deliveries comes after 18 days of strikes over the past five months, adding pressure to Royal Mail to resolve the situation. But it faces an evolved version of the ransomware threat – security researchers describe LockBit as the most professional and efficient gang in the world.

A LockBit tattoo on a person's arm
LockBit offered to pay $1,000 to people who get band name tattoos © Cyberint

Last year, the group’s “founding fathers” took advantage of the breakup of a rival to grab market share, released new versions of their malware (LockBit 3.0) that automate the most basic tasks , ran marketing promotions ($1,000 for a tattoo with the band’s name), and gave their targets candid advice on how to defend themselves (spend 10% of the budget on cybersecurity, patch your computers, and hire a stranger to test weaknesses).

The group’s polished efficiency has wreaked havoc around the world, with LockBit accounting for just over a quarter of all known ransomware attacks in 2022, according to Israeli security firm CyberInt.

You see a snapshot of an interactive chart. This is probably because you are offline or JavaScript is disabled in your browser.


It’s a harbinger of the worst to come – now deeply entrenched in the ransomware industry, the group is on the verge of becoming more ubiquitous.

It largely replaced now-disbanded Russian hackers Conti, which raked in around $3 billion at its peak in 2020-21, according to CyberInt estimates, before being betrayed by a Ukrainian insider who fell out with the the group’s pro-Russian policy.

“LockBit runs a lot better than a lot of legit companies – they’re professional, they take care of their PR, they focus on their product, their business, they stay away from politics,” said Shmuel Gihon, a security researcher at CyberInt who has followed the group closely.

“They present themselves as an organization that can’t be ignored – at this scale they’ll be everywhere, and there’s not much you can do about it.”

The group works on a “Ransomware-as-a-service” model, renting out its malware and providing technical support to remote “affiliates” who perform the tedious task of penetrating a target’s networks and planting the LockBit malware. .

Around this time, senior members of the group step in, taking on the more complex tasks of infiltrating more secure areas of the target’s network, identifying the most crucial files to encrypt, and then framing, or even executing, the ransomware negotiations.

In the end, they take a commission, often up to 20%.

LockBit, like many other ransomware groups, is believed to be located in Russia and neighboring countries where authorities are unlikely to investigate, let alone extradite, vital members of these groups.

Simon Thompson, Managing Director of Royal Mail
Simon Thompson, Chief Executive of Royal Mail, addresses Parliament © Parliament TV

In November, U.S. authorities accused a dual Russian and Canadian national of being affiliated with LockBit, citing his presence on a private forum that provided ransom and technical advice, and his possession of a fraction of bitcoin that was part of of a paid ransom. a few hours earlier. He is the only known person to have been arrested or charged for his alleged work with LockBit.

At the time, the FBI estimated that LockBit demanded over $100 million in ransom demands, which security researchers say is likely an undercount – successful ransomware attacks are rarely made public, a fact that LockBit promotes as part of its appeal, allowing businesses to avoid the embarrassment and scrutiny of having been hacked.

Unless Royal Mail pays the ransom, which is a legally dubious route, weeks if not months of disruption lie ahead, said Hanah Darley, head of threat research at Darktrace.

In situations like this, recovering from the attack takes “at best, days or weeks, and at worst, weeks and months,” she said. “It’s like a ripple effect – you see the subsequent impacts that you will discover over time.”

Royal Mail chief executive Simon Thompson told parliament on Tuesday that he was exploring ‘workarounds’ to restore services, with UK residents and businesses still unable to send letters or messages. packages abroad.

For critical infrastructure such as Royal Mail, the process of recovering from hacking is grueling, Darley said: “You can’t really go offline and fix what you need to fix – you still need to maintain critical operations.”

Leave a Reply