The loss of availability Ransomware causes is enough to make your day/week/s bad, the loss of data, bad month/quarter or longer.
Lockbit posted “Royal Mail need new negotiator.” Followed by “ALL AVAILABLE DATA PUBLISHED !”
What we actually found is that they published the chat history:
Now what exactly was in this chat?
Now I’ve slightly redacted some URLs here but here is what Lockbit published (it’s literally on their website, so It’s not like there’s any secret to seeing this if you visit the Lockbit Onion site). Why publish this? Lots of people will not (and hopefully never) need to see what occurs during a negotiation with a ransomware group (criminals) so this should be educational and help people see behind what is probably a curtain to many.
So here it is:
[Chat started] 12.01.2023 13:44:06 UTC Hi. Did this work? 12.01.2023 13:44:19 UTC hi 12.01.2023 13:46:44 UTC i'm here 12.01.2023 13:46:48 UTC http://[REDACTED] 12.01.2023 13:47:01 UTC tree stolen data 12.01.2023 13:47:07 UTC password @f[REDACTED] 12.01.2023 13:47:34 UTC Now I am worried about the other link with data in the other chat. Is that link gone now? so no one sees it 12.01.2023 13:47:40 UTC If you have already downloaded it, it is no longer available 12.01.2023 13:48:54 UTC Thank you. 12.01.2023 13:49:09 UTC Is this showing all the data you have taken from us? 12.01.2023 13:49:28 UTC the link is not available, did you download the tree or download it again? 12.01.2023 13:49:41 UTC Yes, all stolen data 12.01.2023 13:50:05 UTC I did open it and download a file from it. Is that the data? 12.01.2023 13:50:15 UTC there was a tree of data stolen from us at the link. you can select some files, we will send them to you 12.01.2023 13:51:04 UTC I will open the file and show it to my management 12.01.2023 13:52:12 UTC Yes, don't delay. time is not playing in your favor. so far we have not reported the attack on our blog 12.01.2023 13:53:54 UTC to whom am I speaking? 12.01.2023 13:54:10 UTC I work in our IT. Our senior management have asked me to contact you as it said in your note 12.01.2023 13:55:54 UTC ok 12.01.2023 14:14:34 UTC what does management say? 12.01.2023 19:44:46 UTC Hi. I gave them the file. I am still waiting for them to come back to me. 13.01.2023 15:31:42 UTC ok. hurry up 13.01.2023 17:32:45 UTC We shall return to speak on Monday following the weekend and lengthy discussions with our internal stakeholders. 13.01.2023 20:00:02 UTC Try to spend them productively, and please us. our patience is not infinite 13.01.2023 20:56:51 UTC what can we expect by monday? 13.01.2023 20:58:19 UTC We will let you know 13.01.2023 20:58:47 UTC ok 13.01.2023 20:59:18 UTC Hello. We waited the time you asked for. Now it's time to pay. 16.01.2023 21:47:26 UTC Apologies for the delay as this is a lot for us to deal with. We shall get back to you tomorrow with some file names from your large list to request to see. 17.01.2023 19:12:33 UTC File: [requested_files.txt] 18.01.2023 17:16:04 UTC These are the files we would like to see that you have 18.01.2023 17:16:27 UTC http://[REDACTED] 18.01.2023 19:16:19 UTC pass pMjd07L82^VYVexJyF6etQZ31 18.01.2023 19:16:34 UTC Hello, it's time to pay. 20.01.2023 11:29:08 UTC What do we need to test your decryption ability with our files? 20.01.2023 14:54:24 UTC each machine has its own ID. In order to decrypt the file you need to take the file from one PC, and go to the chat with the ID of this PC. then the test decrypt will be successful 20.01.2023 19:30:05 UTC Okay, we'll see what we can do to identify the ID from each. Will come back to you. 20.01.2023 20:07:52 UTC Also you can send me 5-10 files, I will decrypt it for you 20.01.2023 21:28:19 UTC Use this sites File Share: [REDACTED] 20.01.2023 21:28:36 UTC Think I did this right. Here's some files: http://[REDACTED] 21.01.2023 04:00:32 UTC I also have a 6 GB file that is very important. It's associated with medical devices that can't yet be shipped out because this file is locked. Please please if you can unlock this too it will help save lives. I don't know how to send it over 21.01.2023 04:03:07 UTC File: [1.png] 21.01.2023 13:12:02 UTC File: [2.png] 21.01.2023 13:12:08 UTC File: [3.png] 21.01.2023 13:12:15 UTC File: [smh_installer.log.7z] 21.01.2023 13:12:49 UTC File: [WindowsUpdate.log.7z] 21.01.2023 13:12:58 UTC You gave me valuable files that can help restore your systems without paying for a decryptor, so I only gave back some of your files, and screenshots of the valuable files. 21.01.2023 13:22:32 UTC About 6 gigabytes of data that will supposedly save someone's life, is it one file weighing 6 gigabytes, or is it many files weighing 6 gigabytes in total? Something tells me that you are bluffing and you are doing system recovery and want to get free decryption of critical files needed for recovery. Tell me in detail what the medical equipment is and what the 6 gigabyte files are. 21.01.2023 13:24:40 UTC There are 2 files that are a combined 6 gigabytes when compressed. You know how much of our data is encrypted and when you see the files, you will understand that they will not allow us to recover. We are only pressing this because of the medical concern and we do not believe that your intent is to hurt anyone. 21.01.2023 16:28:17 UTC What are these files? What is their function? What medical equipment are these files for? And what does the postal service have to do with medical software? Where is the logic? 21.01.2023 20:35:45 UTC We are not just a postal service. We handle both letters and parcels, where roughly 60% of our business is parcels - international export of global medical supplies, contribute to a significant element of that! These supplies include vital replacement equipment parts, COVID-19 test kits, prescription drugs etc. The files that we have provided should allow us to resume shipping some of this equipment, not only here in the UK, but globally as well. Our transportation of this medical equipment does play a vital role in ensuring that people in need are being helped by these products. Given that the files are renamed, we are making our best assumption that this is the right dataset, and we would greatly appreciate the assistance. 22.01.2023 18:15:53 UTC If you pretend that you do not believe that the decryptor really works, you can send me 10-20 other less important files, e.g. not related to virtualization systems and not containing RAM dumps, you can send me personal documents, photos, and many other things that do not help you without paying for my postpaid pentest services. If you were really worried about medical equipment, just pay for my work and get a decryptor within 5 minutes. You are making multi-billion dollar profits from your business and don't want to part with the money, don't you think that's odd? It's your greed that makes the people who are waiting for their packages suffer. 22.01.2023 18:39:32 UTC We are not pretending anything and apologise if it appears that way. It is just that my management have heard that your decryptor might not work on large files, that is why they asked and wanted to see if it did. I am trying to convince them to work with you here, they are just asking for more proof of what we will get from you. As you probably know, we are already a loss making company, so we are not gaining anything from dragging this out. There are several articles on Google about our financial situation and how bad it is currently. 24.01.2023 12:51:35 UTC You can send me other large files, I will decrypt for you those files that I think are not valuable, that way you can be sure that the decryptor works on large files. Your financial situation is fine, you have a multi-billion dollar turnover, and a huge profit, the sooner you pay, the sooner this whole nightmare will be over for you. If you continue to stretch time I will be forced to publish your information on the blog with an offer to change negotiators, thank you for your understanding. 24.01.2023 13:47:58 UTC We are collecting some larger files that are not valuable to provide you. It's important for us to understand these can be decrypted of course so we appreciate you providing that opportunity to us. Ahead of this, we haven't even heard from you what it is that you want. 25.01.2023 17:27:01 UTC I'm waiting for the next batch of files to be decrypted. We want as 0.5% of your revenue. 25.01.2023 17:52:34 UTC And how much is that? 25.01.2023 17:55:27 UTC How much your revenue? 25.01.2023 17:55:48 UTC All we have had is losses. Here, you can read about it yourself. https://www.thetimes.co.uk/article/royal-mail-losses-rise-to-450m-ls8bjvv5b https://www.theguardian.com/business/2022/oct/14/royal-mail-to-cut-up-to-10000-roles-blaming-strikes-and-lower-parcel-volumes 25.01.2023 17:57:54 UTC We understand you very well, we are all suffering from the global crisis and our income has fallen as much as yours, anyway you are hundreds of times richer than us. 0.5% of annual global turnover is much less than a 4% fine from your government. 25.01.2023 18:05:40 UTC Just name the amount already so we can let the leadership know. 25.01.2023 18:12:52 UTC $80 million is 0.5% of your revenue, $640 million is 4% of your revenue. We are asking 8 times less than your state. In addition to this price you get a decrypt of your data. 25.01.2023 18:17:10 UTC Do you really think the government doesn't already know about this? Even if they were to fine us, paying you or not does not change this. 25.01.2023 18:28:24 UTC We'll get you the files and we can continue these talks later. 25.01.2023 18:32:06 UTC As long as we haven't published any of your files, you can't be fined. If you can negotiate with us, the government will be left without your $640 million. It is much better for you to negotiate with us and continue your very successful business with a long history and impeccable reputation. I personally used the services of your company and was very satisfied. I wouldn't want you to suffer so much from the government. 25.01.2023 18:32:49 UTC Talk to you later 25.01.2023 18:34:07 UTC Ok 25.01.2023 18:34:15 UTC How do I give you these large files? They are larger than your 2GB limit 26.01.2023 19:35:54 UTC My internet does not allow me to download such huge files, my internet speed is 50 kilobytes per second, send me files up to 50-100 megabytes at most. At the same time I can offer you to do the following, I will create a build of the encryptor and give you together with the decryptor, you will encrypt any files on your virtual machine and this way you can check the successful decryption of files larger than 2 gigabytes. 26.01.2023 19:46:40 UTC Okay, I guess we can try that. We just want to have confidence your decryption tool will work on these large files 26.01.2023 20:04:08 UTC You don't have to worry, thousands of people have successfully decrypted their files for almost four years. 26.01.2023 20:11:35 UTC I believe you, but we need to see it ourselves before we can consider this 26.01.2023 20:12:23 UTC http://[REDACTED] 26.01.2023 20:17:33 UTC Encrypt any of your computers or virtual machines, any amount or amount of information. Write to me via a note and I will give you a decryptor in a new chat in which you will write to me. 26.01.2023 20:18:51 UTC To start the encryption, simply run the file as administrator. 26.01.2023 20:23:33 UTC There is still some confusion over who we are, you are basing your revenue on what is a holding company and not Royal Mail Group. IDS (International Distribution Services) have several companies that exist under that umbrella who are independent to each other. We are Royal Mail International who is a separate entity, with an entirely independent Managing Director and Senior Official. Our Company’s revenue is in decline, as we have tried to explain to you previously and Royal Mail International is the Company that is affected by your penetration testing. Our current financial turnover is expected to be 800 million. Based on your calculation for payment (0.5% of total revenue) this equals 4 million dollars. If there is any negotiation at this percentage level the starting figure needs to represent what I have just described. I am trying to help our Senior Team understand this and I am grateful that you have offered to help them see that your decryptor can work to restore our services, by offering to decrypt some larger files. We will have to accept what we have for now and will see if this is good enough for them or not.. 26.01.2023 21:58:06 UTC You're bluffing, 800 million is your net profit per year, so 80 million is not that much money for you. 26.01.2023 23:41:08 UTC What company are you looking at to get those numbers? 27.01.2023 13:45:18 UTC https://en.wikipedia.org/wiki/Royal_Mail 27.01.2023 19:40:56 UTC https://en.wikipedia.org/wiki/Simon_Thompson_(Royal_Mail) 27.01.2023 19:41:15 UTC
I’m sure lots of people will dissect this line by line, for me the incident shows that the best way to negotiate a ransomware attack is to PREVENT it occurring in the first place!
This ransomware event is probably far from over, Lockbit didn’t release any data yet…. maybe they don’t have anything sensitive?
Ransomware Negotiation Themes
This is just a quick summary of themes in this chat, this should not be considered advice or a playbook:
- Make Contact
- Request for proof of data theft
- Request full list of files/data
- Request for sample (specific samples where sensitive data would be)
- Request for proof of ability to decrypt
- Advise Low Skilled/Low Authority in org
- Advise constant requirement for comms to go up to senior management (delay)
- Advise constraints on money
- Advise the threat actors have bad intelligence and that the impacted assets are part of a different org/subsidiary etc.
- Push for discounts/price reduction in relation to revenue
- Advise that it is a “big decision” and is with the board
- Keep updating the threat actors with progress, even if this is to just say “we are waiting for a board response)
- Set expectations of likely decision-making times
Now if you are worried about ransomware then you should realize it’s not a game you can’t win! There is not magic that makes ransomware work, it’s misconfigurations, vulnerabilities and a lack of investment in securing your digital assets! These events are largely NOT sophisticated, they don’t tend to leverage a chain of zero days and they often work because of misconfiguration. So let’s head over the UK NCSC and see what guidance they have:
Also look at Cyber Essentials, it covers of big chunks of activity that will help support posture improvement, it doesn’t cover every ransomware defense capability but it’s a good starting point:
I’ve also written some blogs before about defending against ransomware:
Also look at other NCSC offerings:
Remember, each network is unique, there are huge common patterns of vulnerability leveraged during ransomware events however the specific of your environment matter!
“Know yourself, know your enemy” – honestly with ransomware if you know yourself you can probably let the CTI, Marketing and Press take care of the “know you enemy part” largely. The baddies use the same techniques that penteters and red teamers (and sysadmins!) use!
You can prevent these events, it just requires deciding to do so, investing appropriately, and the enabling and supporting your staff/team/service providers to make your “NETWORK” (I mean all of it, devices, people, serves, applications, data, networks) posture strong! And don’t forget about monitoring! It doesn’t take a million queries in a SIEM to find common ransomware actions… but you need centralized logs to start with (in a format that is useful and searchable with alerting and visualisations)
Hopefully this post helps people see behind the curtain, WE CAN BEAT ransomware but it does require a whole of society, industry, academia, government and community approach! (and it requires international efforts!)
If you have made it this far, would you mind completing a really short survey for me? It’s to help me focus on subjects and content to help people