The Daily Telegraph is reporting it’s the work of Russian hackers:
A Russia-linked ransomware gang was behind the Royal Mail cyber attack that forced it to suspend international postal deliveries, leaving more than half a million parcels and letters stuck in limbo, The Telegraph can disclose.
The attack, which has paralysed the postal service’s ability to send letters and parcels abroad, was carried out by a gang called Lockbit.
Lockbit’s signature ransomware scrambles files on computers and flashes up a message demanding payment in hard-to-trace cryptocurrencies as the price for unscrambling them again.
Royal Mail declined to comment. The company said on Wednesday: “We have asked customers temporarily to stop submitting any export items into the network while we work hard to resolve the issue”.
The National Cyber Security Centre, a branch of GCHQ, is helping Royal Mail clean up and remove the malicious software. The National Crime Agency is also investigating. Both agencies have been contacted for comment.
Lockbit’s members are thought to have close links to Russia.
The gang is thought to have extorted around $100m (£82m) from its victims and previously targeted car dealership chain Pendragon as well as children’s hospitals.
A Lockbit member said in an online chat: “We benefit from the hostile attitude of the West (towards Russia). It allows us to conduct such an aggressive business and operate freely within the borders of the former Soviet (CIS) countries.”
Sources said the attack had knocked out all of Royal Mail’s ability to process outbound international post.
Lockbit’s ransomware, known as Lockbit Black, scrambled software on Royal Mail machines used for printing vital customs dockets that are attached to parcels going overseas.
The ransom note, seen by The Telegraph, says: “Lockbit Black Ransomware. Your data are stolen and encrypted.”
Gang members also threaten to publish stolen data on a dark web site maintained by Lockbit.
“You can contact us and decrypt one file for free,” the note continues.
Royal Mail said domestic post was not affected by the ransomware attack. It declined to comment on whether it had contacted the attackers.