On Jan. 10, Britain’s Royal Mail was hit by a ransomware attack that will probably be used as an example in security conference slide presentations for years to come.
On the surface, this was a fairly standard ransomware attack on a large company—in this case, the overseas mail department of a company that delivers around 8 billion letters a year.
The attack was severe, making it impossible for anyone in the United Kingdom to send or receive international mail for nearly six weeks. Sources close to the company also said the attack was by LockBit, which surprised nobody given that this is currently the world’s most active ransomware group.
But what made this attack memorable was not simply the financial damage it caused to the Royal Mail, or the fact it inconvenienced an entire nation. The unusual element of this story emerged weeks after the attack, on Feb. 14, when someone leaked the private chat logs of the negotiations that had been taking place between the company and their attackers.
For chat logs as detailed as this to make it into the public domain is almost unheard of, and will be pored over by incident response teams across the world.
Delaying Tactics
What do the exchanges between the two sides tell us about ransomware in 2023?
In a general sense, nothing terribly surprising. Ransomware attackers research their victims’ financial health and calculate an opening ransom demand as a percentage of their assumed profits.
In this case, the ransom demanded initially was $80 million, almost certainly a high figure designed to shock and unsettle the victim. In the chat, the Royal Mail negotiator relayed the response of the company board to this incredible demand:
“Under no circumstances will we pay you the absurd amount of money you have demanded.”
This riles the attacker, who shows a startling lack of self-awareness by complaining about the Royal Mail being “greedy” and not wanting to pay for the attacker’s “services.”
Enter the Professionals
More interesting are hints that the Royal Mail was represented by a professional negotiator rather than a member of the IT team. We can’t be sure of this, of course, but it’s interesting that the negotiator was able to skillfully draw out communication from Jan. 12 to Feb. 9.
Why take longer with something as difficult as a ransom negotiation?
It could be so that the defenders can assess how much data has really been stolen (the attackers usually only give samples to prove data theft). That assessment might affect how much they’re willing to pay, or perhaps whether they’re willing to pay at all.
Playing for time, of course, is a standard tactic of trained ransomware negotiators. In the end, as far as anyone knows, the Royal Mail did not pay a ransom, even after it was lowered to around $33 million.
Almost without exception, these negotiations are kept under wraps. This time, for once, we got to peek into this hidden world. The company didn’t get a decryptor, but overall, we might say that the negotiator still did a good job. Even during the worst incidents, the attackers don’t hold all the cards.
