According to the British Post's website, they were unlucky on Friday the 13th: the Royal Mail was the victim of a cyber attack and is currently unable to process international mail. Apparently, an affiliate partner struck with the LockBit ransomware.
The first thing that came to mind at the Royal Mail was the LockBit group, when the machines were encrypted and a ransom note was printed out. However, in this case only the LockBit tools, i.e. the ransomware, were used by an affiliate partner. These partners use LockBit's ransomware and infrastructure and give a high percentage of their loot in return. For LockBit, the ransomware and extortion business is even more rewarding. It is also clear that a cyber gangster affiliate partner has struck at the Royal Mail, because the Royal Mail is not listed as a victim on the LockBit leak page.
Royal Mail informs customers about the cyber attack
The British Post informs its customers about the incident on its website. "ROYAL MAIL INTERNATIONAL EXPORT SERVICES, Royal Mail is experiencing a serious service disruption to our international export services following a cyber incident."
“We are temporarily unable to ship items abroad. To support faster recovery, we are asking customers not to ship international items until further notice. This is to prevent an accumulation of export items in our network. Delays may occur for items that have already been dispatched. We sincerely apologize to the affected customers for the disruption caused by this incident... Our teams are working XNUMX/XNUMX to resolve this disruption and we will update you as soon as we have more information. We immediately launched an investigation into the incident and are working with external experts. We have reported the incident to our regulators and the relevant safety authorities."
What happened?
The Telegraph reports that the ransomware attacked encrypted devices used for international shipping. After that, the ransom note was not displayed but printed on printers normally used for customs documents. The printout with the ransom note states that it was created by "LockBit Black Ransomware". This appears to be a new or affiliate group. The site bleepingcomputer.com believes that the ransomware contains code and functionality from the now-defunct BlackMatter ransomware gang.
The printout also contains several links to Tor data leak sites and LockBit ransomware gang negotiation pages for which a decryption ID is used to log in. The chat should then hide behind it in order to negotiate with the attackers. However, the ID doesn't seem to work. It is therefore unclear whether the gang deleted the ransom note or moved the chat elsewhere.
Editor/sel
More at RoyalMail.com