A Royal Mail sorting office. The ransom note was from LockBit, which is thought to have links to Russia. Photograph: Bloomberg/Getty Images

Royal Mail ransomware attackers threaten to publish stolen data

Postal service has been unable to send letters and parcels overseas since Wednesday due to hacking

Royal Mail has been hit by a ransomware attack by a criminal group, which has threatened to publish the stolen information online.

The postal service has received a ransom note purporting to be from LockBit, a hacker group widely thought to have close links to Russia.

Royal Mail revealed that it had been hit by a “cyber incident” on Wednesday, and said it was unable to send parcels or letters abroad. The company asked customers to refrain from submitting new items for international delivery, although domestic services and imports were unaffected.

Ransomware attackers exploit gaps in organisations’ security to install their own software and encrypt files so they are unusable. They then ask for a ransom, often in cryptocurrency, which can be harder to trace because it is not reliant on the banking system.

Printers at a Royal Mail distribution site near Belfast in Northern Ireland started printing ransom notes, according to the Telegraph. The note said: “Lockbit Black Ransomware. Your data are stolen and encrypted.”

Online security researchers posted photographs purporting to show the ransom note on social media.

Royal Mail has reported the incident to the UK’s government-run National Cyber Security Centre, the National Crime Agency and the Information Commissioner’s Office. It has not publicly revealed any details regarding the nature of the incident.

Organisations that have been hit by ransomware range from the National Health Service to businesses of almost every size. The Guardian was hit by a ransomware attack last month.

Andrew Brandt, a principal researcher at Sophos, a cyber security company, said the LockBit ransomware software is thought to have been developed by criminals mainly from Russia and other former Soviet republics. The group gives criminal affiliates access to the software in exchange for a cut of any ransoms.

Ransom demands against organisations listed on a publicly available website ranged from around $200,000 (£165,000) to almost $1.5m, Brandt said.

“Something Royal Mail is going to have to consider is whether or not they are going to pay a ransom,” Brandt said. “I’m a bit of a purist and [say] they should never pay these people anything.”

However, it can be a “delicate balance” for organisations depending on the severity of the attack and what data has been taken, he said.

Royal Mail has not indicated when it expects to be able to resume international deliveries. The company has already been heavily affected by workers’ recent strike action, and a new ballot is planned this month to approve further industrial action in the dispute over pay and changes to working conditions.

Smaller exporting companies are thought to be the most affected by the delays. Tina McKenzie, policy chair of the Federation of Small Businesses, said companies had already been through “a tumultuous Christmas period after postal strikes, and this latest cyber incident is the last thing they need”.

It is “an already challenging time” for smaller exporters, she said. “In the context of global supply chain disruption, rising shipping costs and more paperwork, this creates a very worrying picture.”

Royal Mail declined to comment further.
