Royal Mail hit by ransomware attack by prolific hacker gang

Royal Mail has suffered a ransomware attack by a criminal group threatening to publish or block access to its data unless they receive a payment.

A document seen by the Financial Times claimed that prolific hacker group LockBit had stolen and encrypted data from the UK postal service and was demanding a ransom payment.

The attack has caused serious disruption at Royal Mail, leaving it unable to send parcels and letters overseas.

The company disclosed on Wednesday that it had been hit by a “cyber incident” and warned of “severe disruption”.

It has declined to comment on any details of the incident or whether hackers were involved.

LockBit, which is widely believed to be based in Russia, is one of the world’s most prolific ransomware operators, targeting hundreds of organisations since it first emerged around three years ago.

Brett Callow, threat analyst at cyber security company, Emsisoft, said the gang’s demands were based on each victim’s ability to pay and could range from tens of thousands of dollars to multiple millions. He said it was unlikely Royal Mail’s ransom would be less than $1mn.

The attack on Royal Mail is the latest of its kind to hit a big company and has deepened fears of the growing risk posed by cyber threats. Last month, Mario Greco, the chief executive of Zurich, one of Europe’s biggest insurance companies, warned that cyber attacks would become “uninsurable” as the disruption from hacks continues to grow.

It is not yet clear what data from Royal Mail has been compromised and how long services will be affected. The operator has advised customers not to post items abroad.

The National Cyber Security Centre, which advises UK companies on combating cyber crime, said on Wednesday it was working with the National Crime Agency to understand the impact. Royal Mail has also notified the UK Information Commissioner, as it is required to do under data protection law.

The incident has increased pressure on UK postal services, which had already been disrupted by 18 days of strike action by Royal Mail workers over the past five months.

Royal Mail wants to make changes including greater digitisation and automation as it looks to stem the loss of market share to rivals, but is locked in a dispute with postal staff over modernisation plans and pay.

Royal Mail’s management and the Communication Workers’ Union, which have failed to reach an agreement, re-entered negotiations this week through Acas, the conciliation service. On Wednesday, the CWU, which represents about 115,000 postal workers, confirmed plans for a fresh ballot on strike action, with results to be declared on February 16.

Ransomware attacks typically work by stealing log-in credentials by tricking an employee, then using the illicit access to encrypt its data, effectively locking the company out of its own systems. If the company does not pay the ransom within a set timeline, the data are then leaked on the dark web. Callow said more than 500 victims who opted not to pay had been listed on LockBit’s website.

On its homepage on the “dark web”, LockBit’s creators say they are “completely apolitical and only interested in money”. The hackers offer their technology for others to use in return for a 20 per cent share of any ransom paid. While the gang claims to be based in the Netherlands, it prohibits the ransomware’s use against countries in the former Soviet Union.