Royal Mail is experiencing severe disruption to its overseas delivery service due to a ransomware attack that is connected to criminals based in Russia. The attack has impacted the computer systems that Royal Mail employs to despatch post and packages abroad.

Royal Mail has warned its customers of the disruption caused by a cyber incident and advised them to avoid sending international parcels and letters until the problem is fully resolved.

Analysis of the mail carrier attack

An individual close to the investigation has confirmed that LockBit ransomware was used in the cyberattack against Royal Mail. IT security firms commented that the malicious software is both engineered and employed by criminal gangs that have links with Russia. A ransom note sent by the threat operators behind the attack, and viewed by the BBC, read:

“Your data are stolen and encrypted.”

The incoming ransom demand is expected to be in the realm of millions. However, those involved in the investigation have added that “workarounds” exist to get Royal Mail’s system operational again.

A critical threat to the UK economy

The threat of ransomware attacks against organisations across the world is constant, with attacks launched on an almost daily basis. However, the incident at Royal Mail is especially significant as the mail carrier is categorised as “critical national infrastructure”. This means that Royal Mail is a critical component of the UK’s economy.

The attack on Royal Mail is affecting not only a single company and the customers it serves, but also the businesses and communications of British citizens both abroad and at home.

Typical tactics in these attacks involve ransomware gangs ramping up pressure on victims to transfer funds in the form of cryptocurrency like Bitcoin into an anonymous digital wallet. Crypto is notoriously difficult both to trace and to retrieve after it has been transferred.

Ransomware operators usually issue a deadline or ultimatum, so it is likely they are already threatening Royal Mail with the possibility of having private or sensitive data disclosed and have given it a time limit to pay by.

While LockBit is believed to have strong roots in Russia, the hacking outfit that performed the Royal Mail ransomware attack could be located anywhere around the world. Back in November last year, a Russian-Canadian national who allegedly performed a LockBit hack from their home in Canada was arrested.

A spokesman for Royal Mail has issued repeated customer warnings that there is no end to the delivery disruptions in sight. At present, the company still cannot send parcels or letters abroad but has stated that it is “working hard” to resolve the issue. Furthermore, there are also some minor delays for post arriving in the UK, although domestic mail services are not impacted. It added that some Royal Mail customers who posted packages and letters overseas prior to the event may also experience a delay.

The National Crime Agency has announced that it is aware of the incident affecting Royal Mail and is now working with the National Cyber Security Centre (NCSC), part of Britain’s cyber-intelligence agency GCHQ, to assess its impact.