Royal Mail still crippled as attack enters the fifth day

Royal Mail appears no closer to getting its systems operational again so that it can resume sending items overseas, as the ransomware attack, launched by Russian group LockBit, enters its fifth day.

The postal giant, which reportedly has a team of more than 100 cyber experts and engineers working on the issue, has tried to play down the severity of the incident, claiming it is “temporarily unable to despatch items to overseas destinations”.

However, in a statement on its international services website the firm added: “In order to prevent a build-up of export items in our network and support a faster recovery when we restore service, Royal Mail is continuing to ask customers not to post international export items until further notice.

“Items that have already been despatched may be subject to delays. We would like to sincerely apologise to impacted customers for any disruption this incident is causing.

“Our teams are continuing to work around the clock to resolve this disruption and we will update you as soon as we have more information. An investigation into the incident is ongoing and we are working with external experts. We have reported the incident to our regulators and the relevant security authorities.”

The Information Commissioner’s Office has confirmed it is investigating the attack.

The software attack has disabled a system that creates the dockets required by international transport operators and postal services. The disabled system is in use at six sites, including the company’s Heathrow distribution centre in Slough.

Outbound post has been stuck in depots but inbound post is largely unaffected; Royal Mail usually delivers about 200,000 items overseas every day.

According to The Times, ransom notes were delivered to Royal Mail by captured office printers located across the six sites. A picture of one of the notes was posted on social media although its authenticity has yet to be verified. It had the heading “Lockbit Black Ransomware” and said that Royal Mail’s data had been “stolen and encrypted”. It added: “This data will be published on Tor website [the dark web].”

The demand explained that Royal Mail could contact the hackers and “decrypt one file for free” on one of two given addresses on the dark web.

LockBit has previously made ransom demands of tens of millions of pounds and is thought to have extorted about $100m (£82m) from victims over the past few years.

Cybersecurity experts said that LockBit had changed its modus operandi from just disabling systems and demanding a ransom to also stealing data, because companies were getting better at backing up systems and creating workarounds.

Andrew Brandt, from the cybersecurity company Sophos, said: “LockBit has been around for several years conducting ransomware attacks but they also lease out the use of their ransomware tool to others, who then split the profit of any ransom with them.”

However, Mishcon de Reya partner and head of insurance disputes Sonia Campbell reckons the Royal Mail incident raises key issues for other businesses.

She said: “The Royal Mail cyberattack brings into sharp focus the vulnerabilities faced by firms in the face of a growing number of such attacks year on year.

“Businesses will guard against that risk through a combination of their own safeguards and controls and by securing comprehensive cyber insurance cover.

“However, media reports suggest that the attack used the ransomware Lockbit, reportedly developed and used by criminals with ties to Russia. Therefore, the announcement from Lloyd’s of London last year that cyber policies must exclude state-backed cyberattacks will be increasingly relevant to vulnerable insured businesses, with the potential for gaps in cover to emerge.”
