A cyberattack on Royal Mail, the UK’s largest mail delivery service, has been linked to the LockBit ransomware operation.
Yesterday, Royal Mail disclosed that it had suffered a cyber incident that forced it to halt international shipping services.
“Royal Mail is experiencing extreme service disruption to our worldwide export providers following a cyber incident,” disclosed Royal Mail in a service update.
While Royal Mail did not provide any details on the cyberattack, they said they were working with external cybersecurity experts and have notified UK regulators and law enforcement.
LockBit ransomware encryptor used in the attack
As first reported by The Telegraph, the attack on Royal Mail is now confirmed to be a ransomware attack by the LockBit operation, or at least someone using their encryptors.
The Telegraph reports that the ransomware attack encrypted devices used for international shipping and caused ransom notes to be printed on printers used for customs dockets.
BleepingComputer has seen an unredacted version of the printed ransom notes and can confirm that they include the Tor websites for the LockBit ransomware operation.
The ransom note states it was created by “LockBit Black Ransomware,” which is the operation’s latest encryptor name, as it includes code and features from the now-shut-down BlackMatter ransomware gang.
The note also contains multiple links to the LockBit ransomware operation’s Tor data leak sites and negotiation sites, including a ‘Decryption ID’ required to log in to chat with the threat actors.
However, BleepingComputer has been told by multiple security researchers that this “Decryption ID” does not work.
It is unclear if the ransomware gang deleted the ID after news of the circulating ransom notes or if they moved negotiations to a new ID to avoid scrutiny by researchers and journalists.
BleepingComputer reached out to LockBitSupp, the public-facing representative of the ransomware operation, and was told that they did not attack Royal Mail and that they blamed it on other threat actors using their leaked builder.
In September, the LockBit 3.0 ransomware builder was leaked on Twitter. This allowed other threat actors to launch ransomware operations based on LockBit’s encryptor.
LockBitSupp’s explanation does not explain why Royal Mail’s ransom notes included links to LockBit’s Tor negotiation and data leak sites rather than the sites of the other threat actors who are allegedly using the builder.
However, if LockBitSupp is telling the truth and other threat actors used the leaked builder in the attack, then it would mean this was likely a destructive attack rather than one for personal gain, as there is no way to contact the actual attackers.