Royal Mail’s Attackers Linked to Russia-Backed LockBit

The notorious Russian-backed LockBit ransomware group has been identified as a potential culprit behind the recent cyber incident involving the UK Postal Service.

On January 11, 2023, printers at the UK Postal Service’s delivery site in Belfast, Northern Ireland, began printing ransom notes while Royal Mail’s international deliveries were severely disrupted by a ‘cyber incident’.

The note, first reported by The Telegraph, was headlined: “Lockbit Black Ransomware. Your data has been stolen and encrypted.”

LockBit is a prolific Russian-backed ransomware group that rose to prominence for hacking a Toronto hospital (SickKids) in December 2022, after which it apologized and returned the keys to its decryption tool for free.

Black Encryptor, part of LockBit 3.0

LockBit ‘Black’ ransomware is the latest version of the attacker’s encryption tool, released in June 2022, and contains code used by the defunct BlackMatter ransomware group, according to information shared on Twitter.

The Black encryptor is part of LockBit 3.0, the third version of the group’s project.

“One of the main differences from 2.0 [version of LockBit] is that the group has come up with other ways to pressure and extort victims. Previously, they were given a clear period of time to pay the demanded ransom. However, in Project 3.0 the community seems to contain new possibilities for negotiation. In fact, by paying a certain fee, one was able to extend the timer to 24 hours, destroy all data from the website, or download all data immediately,” cybersecurity firm DuskRise explains on its Threat Intelligence blog.

Proof of LockBit link

“Sources say the notorious LockBit gang was behind the attacks. Annual data for 2022 shows a massive 600% increase in publicly disclosed attacks by this group compared to 2021. This is not surprising because we know that we have done it,” Blackfog’s CEO told Information Security.

The ransom note printed at the Royal Mail site in Belfast also contained multiple links to the LockBit ransomware operation’s Tor data leak site and negotiation site, as well as a unique “decryption ID” required to log in to chat with the attackers.

“The images shared online look realistic enough. It is consistent with previous LockBit ransom notes and fits the known modus operandi from at least 2021,” Ferguson told Information Security.

However, at the time of writing, neither LockBit nor Royal Mail have yet confirmed the attribution of the attack.

Royal Mail’s international deliveries are still on hold and the postal service has not indicated when it will be able to resume.

Royal Mail reported the incident to the UK Government-run National Cyber Security Centre (NCSC), the National Crime Agency and the Information Commissioner’s Office. However, no details about the nature of the incident have been made public.

Impact range

“We are waiting to see what the impact of this incident will be, but there are suspicions that millions of dollars in ransoms will be demanded and, if the ransom is not paid, the data stolen in the attack will be sent to the dark web. There’s no room,” Williams said.

Tim Mitchell, senior security researcher in Secureworks’ Counter Threat Unit, argues that “the magnitude of the impact of an incident is highly dependent on the specific affiliates involved.”

“The key players behind LockBit ransomware are arguably the most prolific ransomware-as-a-service schemes, so it is no wonder it accounted for nearly one-third of all the victims named on all ransomware leak sites in 2022, and until we know more about this incident, we don’t know how long-term this will affect Royal Mail,” he said.

Image credit: Jarek Kilian / Shutterstock.com


