Royal Mail ransom demands ‘hold lessons for all firms’

UK firms are being urged to learn the lessons from the Royal Mail International ransomware attack, after leaked details of the negotiations between postal chiefs and ransomware group LockBit reveal the cyber gang were demanding $80m (£65.7m) to free up the data.

In a rare release of its kind, the full transcript of the negotiations offered an insight into the process of negotiating with LockBit, which calculated the ransom to be 0.5% of Royal Mail International’s annual revenue.

The cyber gang maintained this was eight times less than the cost of a regulatory fine from the UK Information Commissioner’s Office. However, Royal Mail International claimed its annual revenue was “800 million” and cited an article from The Times showing how it has been suffering financially.

LockBit rejected this assertion, claiming it generated much more. The transcript revealed LockBit confused Royal Mail International with Royal Mail Group.

Royal Mail International said it took the possibility of paying the sum to its board of directors, but that there was no way it would cough up. “Under no circumstances will we pay you the absurd amount of money you have demanded,” its message read.

“We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us. This is an amount that could never be taken seriously by our board.”

In response, LockBit said any counteroffer Royal Mail could make “would be considered”, but that never came. Its negotiator also expressed how frustrated they were at the company’s stalling tactics.

“You are a very clever negotiator, I appreciate your experience in stalling and bamboozling, when you are trying to deceive you need to provide evidence for greater credibility, only a fool would believe in the honest word of a lawyer defending his client,” they said.

LockBit later offered a 12.5% discount to the original ransom sum, taking the total to £57.4m. This offer was made on February 1. Royal Mail International said on February 3 that it took the offer to its board of directors for review, asking LockBit to wait for its response.

Three days later, it reiterated that it was still waiting for a response. That was Royal Mail International’s final message in the transcript.

In response to the leak, David Bicknell, principal analyst in the Thematic Intelligence team at GlobalData, said: “It is rare for the details of ransomware negotiations to find their way into the public domain. Those responsible for company cyber breach plans must learn lessons from them.

“Instead of negotiations being opaque, companies now have an unexpected insight into how ransomware groups’ minds work and how a negotiation might play out. They can also plan for the extent of a ransomware demand.

“LockBit demanded a ransom figure Royal Mail could not countenance paying. No-one will reasonably expect a company board to authorise a ransom payment of $80m, unless the accountants said it was necessary to safeguard the business’s future.

“Boards must understand that ransomware could be a potential wrecking ball to their business. The time to develop an anti-ransomware strategy and enlist the help of cyber experts is before an attack happens.”
