Royal Mail Ransomware Attack – Part 2

Lewis Fairburn

Marketing Manager

Lewis is the Marketing Manager here at Pentest People. Handling our brand identity, event planning and all promotional aspects of the business.

Following on from part 1 of our Royal Mail blog, our consultants take a more technical approach to the Royal Mail Ransomware attack and dive deeper into what happened.

A Recap – What Happened?

The attack against Royal Mail began on the 10th of November when the ransomware, Emotet, was first noticed. The malware had already infected dozens of computers and servers at the company's headquarters. On further investigation by our team, it appeared that attackers had been able to gain access to various systems through phishing emails sent to Royal Mail employees.

What Are The Long Term Effects For Royal Mail?

The attack had significant ramifications for Royal Mail and its customers. First, the company was required to take down various systems in order to contain the infection and prevent any further damage. This resulted in disruption of many services, including email, webmail and customer accounts. In addition, the company also had to address issues caused by the disruption such as delayed mail, lost parcels and changes in delivery routes.

What Did We Learn From The Attack?

While Royal Mail is still dealing with the effects of the attack, there are lessons to be learned from this experience. The most important thing is that organisations should always have robust security measures in place and ensure they are regularly updated and tested. Furthermore, employees should be trained on how to spot potential malicious emails.

The attack highlighted the dangers of ransomware, which is becoming increasingly sophisticated and difficult to detect. It also showed how important it is for organisations to have robust security measures in place to protect their data and systems. Royal Mail has since implemented a range of new security measures, including multi-factor authentication, improved monitoring and increased user training.

Finally, we can also see the importance of having a reliable disaster recovery plan in place. In the event of a cyber attack, organisations need to be able to restore their systems quickly and ensure business continuity. Royal Mail has implemented various steps to improve its disaster recovery capabilities including improving its backup processes and investing in more secure storage solutions.
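The "improved monitoring" and backup points above can be made concrete. What follows is an added example, not code from Pentest People or Royal Mail: a small detector that reads file-audit log lines and raises an alert when one user on one host produces a burst of file changes inside a short window, renames files to an unexpected extension, or drops a note-like file, which is the behaviour ransomware exhibits once it starts encrypting. The log line format, the host and user names, the `.locked` extension, the `readme_restore.txt` filename and the window/threshold values are all assumptions constructed for the illustration, not indicators from the Royal Mail incident.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log line shape (constructed for this example; not a real product format):
#   <ISO-8601 timestamp> <host> <user> <ACTION> <path>[ -> <new path>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<action>WRITE|RENAME|CREATE) "
    r"(?P<path>.+?)(?: -> (?P<new_path>.+))?$"
)

WINDOW = timedelta(seconds=60)        # assumed sliding window
THRESHOLD = 20                        # assumed changes-per-window that count as a burst
SUSPECT_EXTENSIONS = {".locked"}      # constructed placeholder extension, not a real indicator
NOTE_NAMES = {"readme_restore.txt"}   # constructed placeholder note filename, not a real indicator


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def basename(path):
    """Final path component, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path):
    name = basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def detect(lines):
    """Return alerts, in the order raised, for ransomware-like behaviour per (host, user):
    a burst of file changes inside WINDOW, a rename to a suspect extension, or the
    creation of a note-like file. Each alert kind fires once per (host, user)."""
    alerts, raised = [], set()
    recent = defaultdict(deque)  # (host, user) -> timestamps of changes inside the window

    def raise_once(kind, ev, **extra):
        key = (kind, ev["host"], ev["user"])
        if key not in raised:
            raised.add(key)
            alerts.append({"kind": kind, "host": ev["host"], "user": ev["user"],
                           "at": ev["ts"].isoformat(), **extra})

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as evidence
        q = recent[(ev["host"], ev["user"])]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()  # drop events that have aged out of the window
        if ev["action"] == "RENAME" and ev["new_path"] and extension(ev["new_path"]) in SUSPECT_EXTENSIONS:
            raise_once("suspect_extension", ev, path=ev["new_path"])
        if len(q) >= THRESHOLD:
            raise_once("mass_change", ev, count=len(q))
        if ev["action"] == "CREATE" and basename(ev["path"]).lower() in NOTE_NAMES:
            raise_once("note_drop", ev, path=ev["path"])
    return alerts


def build_sample_log():
    """Constructed sample: a few ordinary edits by one user, then a burst of renames
    to the placeholder extension by another user, followed by a note-like file."""
    lines = [
        "2023-01-11T08:00:01 ws-041 alice WRITE C:\\Users\\alice\\report.docx",
        "2023-01-11T08:04:30 ws-041 alice WRITE C:\\Users\\alice\\budget.xlsx",
        "2023-01-11T08:09:12 ws-041 alice CREATE C:\\Users\\alice\\notes.txt",
    ]
    start = datetime(2023, 1, 11, 8, 15, 0)
    for i in range(25):
        ts = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ws-017 bob RENAME C:\\Shares\\hr\\doc{i:02d}.xlsx"
                     f" -> C:\\Shares\\hr\\doc{i:02d}.xlsx.locked")
    lines.append("2023-01-11T08:15:30 ws-017 bob CREATE C:\\Shares\\hr\\readme_restore.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The three signals are deliberately independent: a burst of changes alone also matches a legitimate bulk job, so a responder would normally weight the rename-to-unknown-extension and note-drop alerts higher and use the burst alert to decide which host to isolate first. The same (host, user) keying is what lets a backup operator confirm that the last clean snapshot predates the first alert timestamp before restoring.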

By taking the right steps and learning from this experience, Royal Mail can help ensure that it is better prepared for any future attacks. It is essential that organisations stay vigilant and continue to review their security measures to protect against cyber threats. Here at Pentest People, we take a different approach to traditional testing: Penetration Testing as a Service (PTaaS) reduces your window of risk by constantly testing your systems and infrastructure, alongside your regular testing. Learn more today and get in touch.

Video/Audio Transcript

Hello and welcome to another episode of Pentest People's Tech Bite. One of the world's most important delivery companies, Royal Mail, has had a cyber attack. It has been linked to the LockBit ransomware operation. Royal Mail has disclosed that they suffered a cyber incident that forced them to halt international shipping services. LockBit, the group behind the attack, is the world's number one prolific ransomware group. A spokesperson for the Royal Mail has said they are experiencing severe service disruption to the international export services following the cyber incident. On today's episode, we welcome Aaron and Louis, cyber consultants. Appreciate your time today, guys. So let's talk about this a bit more. What can you tell us about this attack?

Yes. So basically it's a ransomware, as you said, it's a ransomware attack. It's something we've seen before in Britain as well. It happened with the NHS as well, although that was a little worse. So on the 11th of January, Royal Mail was a victim to this from the infamous LockBit group, and basically held a bunch of their files hostage for a ridiculous sum of money to go to an undisclosed wallet, basically. So the type of ransomware that they did use was called LockBit Black. So this was actually LockBit's latest sort of software, which is why everyone had pointed fingers at them in the first place. A few sources said they were; a few sources claimed that it wasn't them. It was very back and forth for a while, but as of today, the 27th of January, it's come out that it was actually them, stated by the sort of public spokesperson.

Was there a reason LockBit attacked the Royal Mail?

Great question. So, to put it simply, not in particular. I believe they just sort of probably send many, many malicious sort of emails out to any company possible. There was actually a post maybe over a week ago now that stated that, basically, let's say the CEO of LockBit was trying to find who did it. So they seem not very connected. I think it's all very sort of, they do it themselves, for the glory. I don't think it's any sort of like political sort of means. I don't think they specifically went for that to cause disruption because of the war or anything like that. I just simply think it happened by coincidence.
I think LockBit's threats are a significant concern. We can't rule out the possibility that it can take hold across many industries, organisations and businesses like the Royal Mail. Can you tell our Tech Bite listeners some of their threats?

Yep, so one of the main threats of the ransomware attack on Royal Mail is associated with financial matters in the UK economy, as this ransomware attack, carried out by the LockBit group or so claimed, could have had the ransom set too high for the Royal Mail to afford. Dependent upon the ransom demanded, the UK's financial state could be heavily impacted and greatly suffer. The ransom note given to the Royal Mail stated that their data had been stolen and encrypted. Although there are workarounds associated with ransomware attacks, until a resolution is reached soon, Royal Mail could be faced with events within the middle. Furthermore, we've looked at ransomware that contains a countdown timer for a ransom deadline. Had Royal Mail not met the deadline or the ransom payment, they would have been likely to undergo sensitive data leakage, with sensitive information and documentation being published online, locked permanently, or deleted and non-retrievable. On the other hand, if Royal Mail were to pay the ransom, sensitive data and documentation could remain within that encrypted state, and they may decide not to provide the decryption key to disable the ransomware, may offer further ransom threats, or intend to exploit Royal Mail for as much of the funds as possible. And if there is a countdown timer stating the deadline for the payment, not only does this place further stress and pressure on Royal Mail as a company to meet its demands, the company may still lose important documents if it chooses not to comply with the terms and conditions, as is promised if the ransom is paid. And if the ransom is paid off, then that encourages this group to launch further attacks on more victims.

If the entirety of the Royal Mail systems are susceptible to this ransomware attack, then a lot of sensitive data and documentation is at risk. Another threat would be associated with the digital functionality and service, where the computer systems utilised to dispatch international deliveries will be disrupted due to the inability to function efficiently because of the cyber attack, causing both the patients and customers to suffer.

What would you say are the motives of the cyber criminals?

So I don't think they have any political agenda. I simply think they do it for both recognition and money. They do have, I believe, some sort of morality, as there was a case where a member of LockBit attacked a Canadian children's hospital, in which they provided a free decryption key to obviously get rid of the ransomware and get their files back. But I believe they do it strictly for recognition, sorry, money.

How has LockBit managed to be as active as it has at a time when everyone is trying to crack down on ransomware?

So LockBit as a group, the behaviour they conducted would be described as black hat. Well, anyone conducting ransomware would have black hat intentions, involving exploitation for personal gain or the intent to cause disruption without consideration for the consequences that follow. And due to technology always evolving and undergoing changes that make way for new or unnoticed vulnerabilities to be discovered by groups such as LockBit, if an organisation is lazy with their cybersecurity measures and only has the absolute minimum security measures in place, then groups such as LockBit or any other kind of black hat group that might be out there see this as an opportunity. And although ransomware is being cracked down on, attackers such as LockBit always try to remain one step ahead of their target, and seeing a significantly large financial gain by attacking a target such as Royal Mail acts as a motivation factor contributing to their malicious actions. Black hats often thrive on challenges associated with cyber security, for their own personal reasons, satisfaction.

As it's an early stage, it's very difficult to determine the nature of this attack. However, one can assume that due to the immediate impact it has had on operations, this was an attack on their systems. What are some other long term effects this can have on Royal Mail?

So this is a great question. But it all depends on what data, and if the data gets released to the public, that the association has. So it could be an absolute travesty. If people's public information gets leaked, this will be very devastating to the company, or it might have minor effects. It all depends on what data they actually have against Royal Mail, as well as losing the trust of businesses. There are many cases where businesses have lost thousands of pounds because they can't deliver their goods internationally, which not only is a loss of revenue for that business, it's also a loss of revenue for the Royal Mail as well. And Royal Mail as a whole is a massive pillar for our economy.

And what do you think the remediation process looks like for the Royal Mail?

The primary remediation process would look something like, firstly, taking the step of anti-ransomware software, such as antivirus. So, for example, an antivirus would be Bitdefender. And that provides tools and remediation measures to prevent ransomware from being successful in exploiting systems and locking users out, and it provides users with tools to counteract ransomware. Additionally, there are other measures that can be taken by companies. So, for example, disconnecting the internet and removing all connections, both virtually and physically, for example storage media, physical or cloud based, as well as wired or wireless devices, to establish prevention measures against ransomware having the ability to spread through the network. There's also the additional factor of having backups, as ransomware encrypts files and threatens to delete or remove them. By having a backup copy of these files, the company will be able to re-access these files and not have them lost, permanently locked or deleted, as they can quite easily restore their files or personal documentation from the backups that they've made.

So, for example, Evri, another delivery company, a popular one in the UK, could there be a target?

Anyone, any one or any company, can be a target with LockBit. There's no limit to who they target; they see an opportunity to exploit anyone for financial gain, personal gain. That's the only motivation factor they need, as long as they're getting some kind of satisfaction or reward out of it that benefits them personally. They will conduct that behaviour regardless of who it is. In contrast to other types of ransomware, LockBit targets businesses and government entities mainly through malicious email attachments, lack of adequate email security and cascading file systems.

What advice do you both have for people, businesses and organisations to stay safe from these threats?

So this is very important, I believe, especially for businesses out there. So I think it's very important that a lot of employees in particular have very complex passwords to begin with; it makes it harder for cracking. So password lengths of above 15, having special characters in there as well, is very important for the security of the whole company. As well as this, making sure the employees are aware of possible phishing attacks that could happen. Making sure they don't enter any details. If they're requested to log into a page via an email, they don't do that. Let's say that they do do this. Another wall that can prevent any of this is having multi-factor authentication, which I think is a massive help. It basically means if they do get through that first sort of defence, then multi-factor authentication comes in and basically will put that to a stop.

I believe you also touched upon this in Episode Four and Five of the podcast, which is definitely worth a look at if you haven't already. And how often should businesses change their passwords?

So with regards to your question, businesses, or people individually, should change their passwords consistently, either weekly or monthly, depending on what their preference is. But however short the timescale is for changing your passwords, as long as you're doing it consistently, the attackers or hackers, or whichever malicious sources are out there, will struggle and find it more difficult and more challenging to gain access to your systems in an unauthorised manner.

It's been great having you both on today's Pentest People Tech Bite. Before we finish, are there any closing comments from both of you on today's topic?

Yes. So back to password protection. So if you feel like it's gonna be a hassle to basically keep everything protected, you can always make sure that you have software that will encrypt all your passwords and keep them safe for you, which means you'll be way safer having complex passwords of up to 30 characters, which will make things a lot harder for anyone that's trying to intrude. For example, 1Password. 1Password is an excellent tool. Yeah.

Are there any comments you'd like to add, too?

I agree with what has been stated by Lewis here. 1Password is obviously a great tool. There are tools available out there. And with regards to consistency in always changing your password, you also have to make sure that your software and your computer are always kept up to date, as some people out there tend to avoid computer updates; if they updated it once, they think that it might not need to be updated again if they've done it before. That's not the case. It's always important to ensure that the software on your personal device or organisation device is up to date.

Definitely agree with you there, Aaron. To finish off this podcast, Royal Mail are making good progress in dispatching items that are already in their network across all of their services. They have told people to note that there is less tracking information than usual as they continue to restart all of their services. Thank you both for the prime information about the attack and how businesses can keep safe. Follow Pentest People's Tech Bites Spotify channel for more.