(Bloomberg) -- Prolific criminal hackers were behind a cyberattack on the UK’s Royal Mail that has shut down its ability to send international letters and parcels, according to two people familiar with the matter.
A ransomware gang known as LockBit targeted the British business and used encryption to lock some of its computers, rendering them inoperable, according to the people who asked not to be identified because the matter isn’t public. The gang usually demands payment to unlock computers it has compromised and often threatens to leak stolen data to pressure victims to pay. It’s not known how much money the group has demanded from Royal Mail or whether the company intends to pay.
Royal Mail declined to comment. A representative for LockBit didn’t respond to a message seeking comment.
The company, part of International Distributions Services Plc, said in a statement on Wednesday that it was experiencing a “cyber incident” that was causing severe disruption to international export services.
“We are temporarily unable to dispatch items to overseas destinations. We strongly recommend that you temporarily hold any export mail items while we work to resolve the issue,” the company said in the statement. “We immediately launched an investigation into the incident and we are working with external experts. We have reported the incident to our regulators and the relevant security authorities.”
The UK’s National Cyber Security Centre said it was aware of an incident affecting Royal Mail Group Ltd. and was working with the company, alongside the National Crime Agency, to fully understand the impact.
The hackers compromised systems at Royal Mail that created dispatch notes for mail being exported out of the UK, according to one of the people. The malicious software has been contained within those systems, the person added.
A note left by the hackers on some compromised Royal Mail computers directed the company to a LockBit website on the darkweb to begin a negotiation over payment. The note, reviewed by Bloomberg News, warned Royal Mail that if it didn’t pay the ransom the company’s data would be published online.
Mike Godfrey, chief executive officer of London-based cybersecurity firm Insinia Security, said the attackers’ intention would be to put as much pressure on the company as possible to extort a payment. He said disrupting a valuable supply chain put Royal Mail in an uncomfortable position. “Do they pay the ransom or do they spend ten times the amount of time and money recovering?” he said.
According to cybersecurity firm Kaspersky, attacks linked to LockBit began in September 2019 and the gang’s victims have spanned organizations across Europe and the US, as well as China, India, Indonesia and Ukraine. The gang operates under a model known as “ransomware for a service,” leasing its malicious software and infrastructure to hackers in return for a percentage of their proceeds.
It’s not known how many people are involved with the gang or where they are based. LockBit’s website says it won’t attack post-Soviet Union countries because most of its developers and partners were born and grew up there. The gang now claims to be located in the Netherlands. In November, authorities arrested an alleged Russia-born LockBit hacker named Mikhail Vasiliev. But that arrest didn’t disrupt the gang’s operations; its website lists dozens of attacks it says it has carried out since.
