More than a month after the postal agency announced the intrusion, the LockBit ransomware as a service organisation uploaded data supposedly belonging to Royal Mail International via its deep website. Moreover, LockBit is still seeking a £33 million ransom, far less than the initial £65 million demand. A 44GB compressed 7-Zip file containing the exposed data was made available for download, and a separate plaintext document with a manifest of its contents was also made public. According to a preliminary study of the documents, several critical files about several company divisions exist.
The thousands of stolen files contained one employee’s HR records, including their initial, second, and third disciplinary warnings and one describing their final dismissal. Other documents mentioned the names of several employees who received overtime payments and their salaries. A few files looked related to contracts with various third parties, and one mentioned “network layout.”
OneDrive of one person, which appears to have been raided by the cyber criminals, included a significant quantity of data. It included pictures, their vaccination records, and several other things.
Does Lockbit have any other data?
IT Pro contacted Royal Mail International to inquire about the validity of the leaked papers, but the organisation declined to provide a direct response. In a statement to IT Pro, Royal Mail said, “Royal Mail is aware that an unauthorised third party has published some data allegedly obtained from our network.” “The cyber incident impacted a system concerned with shipping mail overseas.”
“At this stage of the investigation, we believe that the vast majority of this data is made up of technical program files and administrative business data. All of the evidence suggests that this data contains no financial information or other sensitive customer information. We continue to work closely with law enforcement agencies.”
Royal Mail’s assertions that most of the files are not sensitive seem to be supported by a review of the file tree provided by LockBit. About 200 employees’ personal information was exposed, the corporation acknowledged to the Telegraph, and individuals impacted were notified.
Since that LockBit has already exposed the company’s data, why it continues to seek a ransom is unclear. When asked if LockBit had any other information belonging to the business or if it still needed LockBit’s decryptor to properly restore its systems, Royal Mail chose not to comment. According to the statement to IT Pro, “International export services have been reinstated to all destinations for purchase through our shipping solutions and Post Office branches.” “We are now processing close to normal daily volumes of international export mail with some delays.”
The negotiation history was made public on 14th January
The negotiating history with Royal Mail and thousands of allegedly stolen data were made public by LockBit. Royal Mail said that it had reached a stage where it functions at almost average levels for everyday traffic. It is unclear why a ransom demand is still being made since, in most situations, this would be the only power a cybercriminal gang would have over a victim. The whole history of the negotiations between LockBit and Royal Mail International was made public on February 14th, providing a unique look into the negotiating strategies of the largest ransomware operation in the world.
It came after more than a month of discussions, most likely managed and planned by the National Crime Agency and National Cyber Security Centre of the UK (NCA).
