LockBit demanded £66mn from Royal Mail

Negotiation logs call the amount 'absurd'

A log of conversations between the LockBit ransomware group and a Royal Mail negotiator shows the group demanded £65.7 million to safely return the organisation's stolen data - and now LockBit is threatening to leak it.

Royal Mail, one of the world's largest post and parcel companies, was hit with a cyber incident in January that forced it to suspend international shipping operations.

The attack was eventually attributed to the LockBit group, a Russia-linked ransomware gang that has previously hit financial firm ION, Microsoft Exchange servers and an entire town in Canada - and that's just in the last six months.

LockBit has now released a log of conversations between its own representatives and a negotiator, which included discussions of company revenues and business challenges. The talks stalled after three weeks, when LockBit demanded a new negotiator.

LockBit implied that the £65.7 million figure was 0.5% of Royal Mail International's revenue, and highlighted that it was less than the cost of a regulatory fine in the UK. In response, the negotiator said RMI's annual revenue was closer to £800 million and cited an article from The Times as proof.

LockBit appears to have confused Royal Mail International, a small subsidiary, with the larger Royal Mail organisation, a mix-up confirmed when its representative sent a Wikipedia link to Royal Mail's page.

"All we have had is losses," the negotiator said, according to the leaked chats seen by ITPro.

Later they told LockBit, "Under no circumstances will we pay you the absurd amount of money you have demanded.

"We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board."

In response LockBit accused the company of "stalling."

Royal Mail International's last message was on 6th February. The final message came on 9th February, when LockBit requested a follow-up to an offered discount in the ransom - taking it to £57.4 million.

LockBit was initially due to release its stolen data on 9th February, which passed with no change. A later deadline of 14th February then appeared on its ransom website. That date also passed with no sign of the stolen information.

Instead, the countdown timer on the group's website reset and a message appeared saying "Royal Mail need new negotiator" [sic].

Confirmation of the chat is difficult, as ransomware groups will often doctor the logs they release for their own purposes. Royal Mail has not responded to the release of logs other than to decline to comment.