Royal Mail is appealing to customers not to post international parcels and letters until further notice as it continues to battle the impacts of last week’s cyber-attack which has left it unable to dispatch over half a million items.
Despite working with cyber experts on the impact of the attack over the weekend, Royal Mail looks no nearer to solving the problem today (16 January), and cyber experts are warning the disruption to its service could go on for weeks.
A statement on its website says the company is still suffering from “severe service disruption” to its international export services following the cyber incident which was first reported on 11 January.
It asks customers “not to post international items until further notice” to prevent a build-up of parcels and post in its network and warns that items that have already been despatched “may be subject to delays”.
It added: “Our import operations continue to perform a full service, with some minor delays. Parcelforce Worldwide export services are still operating to all international destinations though customers should expect delays of one to two days.
“Our teams are working around the clock to resolve this disruption and we will update you as soon as we have more information.
“We immediately launched an investigation into the incident and we are working with external experts. We have reported the incident to our regulators and the relevant security authorities.”
The Royal Mail investigation has found that the attack was carried out by Lockbit, a cyber-criminal gang linked to the Russian state.
The gang used Lockbit Black, its signature ransomware, to steal and encrypt Royal Mail’s data and is demanding a ransom in cryptocurrencies, which are hard to trace, before it will unlock the data.
The ransom note, seen by The Telegraph, says: "Lockbit Black Ransomware. Your data are [sic] stolen and encrypted. You can contact us and decrypt one file for free." The gang also threatened to publish stolen data on the dark web.
The National Cyber Security Centre, a branch of GCHQ, is helping Royal Mail remove the malicious software and the National Crime Agency has also started an investigation.
Lockbit is believed to have extorted an estimated £82m from previous victims, which have included children's hospitals and UK car dealership chain Pendragon.
The gang is also understood to have close links with Russia. A member of the cyber gang wrote in a blog post last year: "We benefit from the hostile attitude of the West (towards Russia). It allows us to conduct such an aggressive business and operate freely within the borders of the former Soviet (CIS) countries."
Russian authorities are known to have taken little, if any, action against ransomware suspects wanted internationally, even before the breakdown of its relations with the West, following its invasion of Ukraine.
James Hughes, chief technology officer of enterprise at cloud data management and data security company Rubrik, said it is “no surprise” Royal Mail is LockBit’s latest victim since it does not have “the best record when it comes to cyber resilience”.
“When will this malicious gang be stopped? And who’s next? LockBit’s continued success reiterates the pervasive threat ransomware still poses and it’s no longer a question of if a company will experience an attack, but when.
“For organisations like Royal Mail, disruptions have a drastic knock-on effect. Data is absolutely critical for its operations, and if that data becomes unavailable it won’t be able to deliver its services, literally. Responding to an attack and getting back online needs to be a priority.”
He said recent attacks on major household brands have seen those companies struggle to recover their data, “with services disrupted or even shut down for weeks, if not months. Royal Mail isn’t alone though”.
He added: “Research from Rubrik Zero Labs recently found that 96% of UK organisations were concerned that they wouldn’t be able to maintain business continuity after a breach.
“The cybersecurity team at Royal Mail now needs to evaluate the measures they have in place to respond to incidents, mitigate their future effects, and maintain data security.
“Ensuring data remains immutable to deletion or change will enable them to roll back to a clean version in order to maintain business continuity.”