LockBit deadline passes, no Royal Mail data appears

Group is still trying to monetise the attack

Royal Mail data stolen in a cyberattack last month, claimed by the LockBit ransomware gang, has not been made public despite the gang's payment deadline passing.

The attack, which occurred in January, forced Royal Mail, one of the biggest post and parcel companies in the world, to halt international shipping operations.

It was initially unclear whether LockBit was directly responsible. Conflicting reports claimed LockBit had attacked Royal Mail directly, and others blamed a third part using LockBit's encryptors.

The ransom note, printed by Royal Mail's printers, referenced "LockBit Black Ransomware" and threatened to leak stolen data on a LockBit-run dark web site.

Responding to those reports, LockBit's public-facing representative denied that the group had targeted Royal Mail, and that some other threat actor had likely used its leaked builder in the attack.

However, the gang finally took responsibility last week. It threatened to release all the data it had stolen on 9th February if the ransom was not paid.

As is common with such listings, the group claimed, "all available data will be published," without providing any specific details about what information it had stolen.

According to Reuters, Royal Mail said the majority of the data comprised technical programme files and administrative business data.

"All of the evidence suggests that this data contains no financial information or other sensitive customer information," Royal Mail said.

The February deadline has now passed, but the stolen documents have still not been seen online.

In a tweet, Brett Callow, a threat analyst at Emsisoft, suggested the move was probably a form of harassment aimed at maintaining pressure on Royal Mail.

"Bottom line: LockBit will not release data until they have given up on being able to monetise the attack," Callow said.

The LockBit ransomware has been seen around the world, with organisations in the United States, India, and Brazil among its frequent targets.

Trend Micro refers to LockBit as "one of the most professional organised criminal gangs in the criminal underground."

LockBit is thought to be run primarily out of Russia.

The group has demanded tens of millions of pounds in ransom in the past. Over the last several years, it is estimated to have extracted a total of around £82 million from its victims.

As of 13th February, Royal Mail has announced that its international services are again available for purchase online and through shipping solutions to all destinations, except for a small number of International Untracked services for Business Contract customers.

However, there are still some delays and issues. "At this time, we are unable to process new Royal Mail parcels and large letters requiring a customs declaration purchased through Post Office branches," the company added.

"We are working hard to resume more services through Post Office branches and will provide further updates on these as soon as possible. Import operations continue to perform a full service with some minor delays. Domestic services remain unaffected.

"We would like to apologise to impacted customers for the disruption this incident is causing."