Royal Mail, one of the United Kingdom's largest postal service providers, recently made headlines for its refusal to pay a ransom demanded by the notorious Russian-linked Lockbit cyber gang. The criminal group targeted the company's IT systems with ransomware and demanded a payment of $80 million, a number the gang thought to be 0.5% of the organization's annual revenue, to return control of the affected systems.
Royal Mail refused to comply with the demand, stating that the cybercriminals had confused the company with its parent organization, Royal Mail International, and that the requested ransom would be impossible to pay. Instead, the company notified the authorities and sought help from its cybersecurity partners to mitigate the attack.
The negotiation logs between the two parties were published online, shedding light on the tactics used by both sides. The logs revealed that the cybercriminals tried to pressure Royal Mail into paying the ransom by threatening to release the stolen data, while Royal Mail remained firm in its refusal to pay and called out the Lockbit gang for its mistake in targeting the wrong company. A Royal Mail negotiator said in the logs:
"We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board."
The decision by Royal Mail not to pay the ransom has been commended by cybersecurity experts and government officials. While paying a ransom may seem like the simplest solution in such difficult situations, it only fuels the growth of ransomware attacks and incentivizes cybercriminals to target other organizations. There is also no guarantee that paying a ransom will result in the return of the stolen data or the restoration of access to the affected systems.
Darren Guccione, CEO and Co-Founder at Keeper Security, discussed with SecureWorld News:
"While the Lockbit cybercriminals likely published their negotiation logs with Royal Mail as a tactic to publicly pressure the postal service into paying its ransom, this disclosure provides a clear example of how reliant threat actors are on companies caving to their demands.
When struck with a ransomware attack, organizations are faced with a seemingly impossible decision to either pay a criminal organization or lose their data.
Royal Mail took a unique stance by pointing out that Lockbit has confused them with their parent company and the requested ransom would be impossible for them to pay. While Lockbit still controls Royal Mail's data, Royal Mail's refusal to pay the current ransom and the passage of time has taken power away from the Lockbit threat actors who are being forced into making the next move, potentially against their own interests."
Guccione also said this highlights the need for individuals and organizations to invest in cybersecurity solutions and invest in "zero-trust and zero-knowledge cybersecurity solutions." The vast majority of successful ransomware attacks result from weak or stolen passwords, credentials, and secrets. It is crucial to implement strong access controls, multi-factor authentication, and data encryption to prevent such attacks.
While proper cybersecurity solutions can have a positive impact, Mike Parkin, Senior Technical Engineer at Vulcan Cyber, said he wants to see more drastic changes to combat the risk these cyber gangs pose to organizations:
"Cybersecurity professionals can lessen the risk from attacks like this, but it will take the cooperation of the international law enforcement community to reduce the higher-level threat. The fact that these cybercriminal gangs operate using business models borrowed from the legitimate business world shows how sophisticated they've become. The challenge for law enforcement is dealing with gangs that are sponsored at the state level by nations that have no interest in cooperating with the rest of the world."
Subscribe to SecureWorld News for more stories related to cybersecurity.