The notorious Russia-linked LockBit ransomware group has been identified as the likely culprit behind the current cyber-incident affecting the UK’s postal service.
On January 11, 2023, while Royal Mail’s international deliveries were being severely disrupted by a “cyber-incident,” printers at a distribution site of the UK’s postal service in Belfast, Northern Ireland, began printing ransom notes.
The note, first reported by The Telegraph, was headlined “Lockbit Black Ransomware. Your data are stolen and encrypted”.
LockBit is a prolific Russia-linked ransomware group that was recently in the spotlight for hacking Toronto’s Hospital for Sick Children (SickKids) in December 2022 before apologizing and handing over the decryptor key free of charge.
Black Encryptor, Part of LockBit 3.0
The LockBit ‘Black’ ransomware is the latest version of the threat actor’s encryptor, released in June 2022 and including code used by the defunct BlackMatter ransomware group, Rik Ferguson, security researcher and VP of security intelligence at Forescout, pointed out on Twitter.
“LockBit Black” = LockBit with “borrowings” from BlackMatter. It will be very interesting to see if this is an official affiliate or a result of the recent source code leak. #RoyalMail pic.twitter.com/vlVpZazcOx
— Rik Ferguson (@rik_ferguson) January 12, 2023
The Black encryptor is part of LockBit 3.0, the third version of the group’s project.
“One main thing that differs from the 2.0 [version of LockBit] is that the group has come up with a different way to pressure and extort its victims. Until now, they have been given a well-defined period of time to pay the requested ransom. However, in project 3.0, the collective seems to have included new options for negotiations. Indeed, by paying a certain fee it is now possible to extend the timer by 24 hours, destroy all data from the site, or download all data right away,” cybersecurity firm DuskRise explained on its threat intelligence blog.
Evidence of a LockBit Link
“Sources say that the notorious LockBit gang was behind the attack – this does not come as a surprise to us as our annual 2022 data found that publicly disclosed attacks by this group increased a significant 600% over 2021,” Darren Williams, founder and CEO of BlackFog, told Infosecurity.
The ransom note printed at the Royal Mail site in Belfast also contained several links to the LockBit ransomware operation’s Tor data leak sites and negotiation sites, including a ‘Decryption ID’ required to log in to chat with the threat actors.
“The image that has been shared online looks genuine enough. It is a match for previous LockBit ransom notes and matches their known modus operandi since at least 2021,” Ferguson told Infosecurity.
However, at the time of writing, neither LockBit nor Royal Mail has yet confirmed the attribution of the attack.
Royal Mail’s international deliveries are still on hold, and the postal service has not indicated when it expects them to resume.
Royal Mail has reported the incident to the UK’s government-run National Cyber Security Centre (NCSC), the National Crime Agency and the Information Commissioner’s Office. However, it has not publicly revealed any details about the nature of the incident.
Scope of Impact
“While we wait to see the fallout from this incident, there is little doubt that the ransom demand will be in the millions and that the data exfiltrated in the attack will find its way to the Dark Web if a ransom isn’t paid,” Williams said.
Tim Mitchell, senior security researcher at Secureworks’ Counter Threat Unit, argued that “the scale of the impact of the incident will very much depend on the specific affiliate involved.”
“The core people behind LockBit ransomware run arguably the most prolific ransomware-as-a-service scheme, so it’s no surprise it accounted for almost a third of named victims across all ransomware leak sites in 2022. Until we know the specifics of this incident, we won’t know for sure how impactful this will be long term on Royal Mail,” he said.