A cyberattack on Royal Mail, the UK’s largest mail delivery service, has been linked to the LockBit ransomware operation.

Yesterday the Royal Mail revealed that they experienced a cyber incident which forced them to stop international shipping services.

“Royal Mail is experiencing a severe service disruption to our international export services following a cyber incident,” Royal Mail revealed in a service update.

Although Royal Mail did not provide any details of the cyberattack, they said they were working with external cybersecurity experts and informed UK regulators and law enforcement.

LockBit ransomware encryptor used in attack

As first reported by The telegraphthe attack on Royal Mail is now confirmed to be a ransomware attack by Operation LockBit, or at least someone using its ciphers.

The Telegraph reports that the ransomware attack encrypted devices used for international shipments and caused ransom notes to be printed on printers used for customs slips.

BleepingComputer has seen an unredacted version of the printed ransom notes and can confirm that they include Tor websites for the LockBit ransomware operation.

The ransom note states that it was created by “LockBit Black Ransomware”, which is the last cipher of the operation name because it includes code and functionality from the now-closed BlackMatter ransomware gang.

The note also contains several links to Tor data leak sites and LockBit ransomware operation trading sites, including a “decryption ID” required to log in to chat with threat actors.

However, BleepingComputer has been informed by several security researchers that this “decryption ID” does not work.

It’s unclear whether the ransomware gang removed the ID after hearing about the circulating ransom notes or moved negotiations to a new ID to avoid scrutiny from researchers and journalists.

BleepingComputer contacted LockBitSupport, the public representative of the ransomware operation, and was told they did not attack Royal Mail and blamed it on other threat actors using their leaked builder .

In September, the LockBit 3.0 ransomware generator leaked on Twitter. This allowed other threat actors to run ransomware operations based on the LockBit cipher.

LockBitSupp’s explanation fails to explain why the Royal Mail ransom notes included links to LockBit’s Tor trading and data leak sites rather than the sites of other threat actors who allegedly use the builder.

However, if LockBitSupp is telling the truth and other threat actors used the leaked constructor in the attack, that would mean that it was probably a destructive attack rather than an attack for personal gain. , as there is no way to contact the actual attackers.