cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

LockBit leaks Royal Mail negotiations log, stolen data remains hidden

LockBit has leaked the transcript of its negotiations with Royal Mail, revealing a ransom demand of over AU$114 million.

user icon Daniel Croft
Thu, 16 Feb 2023
LockBit leaks Royal Mail negotiations log, stolen data remains hidden
expand image

The chat log was leaked only days after the latest payment deadline of 14 February. While Royal Mail didn’t pay, the attackers are yet to post the alleged stolen data.

The negotiation transcript began on the day of the attack, 12 January, and ended on 9 February, the original payment deadline, according to ITPro.

The log offers a rare look at the negotiation tactics of both cyber criminal organisations and cyber defenders, in this case, the National Cyber Security Centre and the National Crime Agency.


According to the transcript, LockBit confused Royal Mail with Royal Mail International, claiming that the fee of AU$114.5 million (£65.7 million) made up only 0.5 per cent of the latter’s annual revenue. It also pointed out that this payment would cost less than the 4 per cent fine it would receive from the Information Commissioner’s Office if the data became public.

Royal Mail responded saying that it was actually the smaller British subsidiary of Royal Mail International, its annual revenue was only £800 million, and that financial issues were affecting the institution of late, linking an article from The Times as proof.

LockBit initially refuted these claims, to which Royal Mail responded saying that it would never pay the “absurd” ransomware demand.

“Under no circumstances will we pay you the absurd amount of money you have demanded,” said Royal Mail in the transcript.

“We have repeatedly tried to explain to you we are not the large entity you have assumed we are, but rather a smaller subsidiary without the resources you think we have. But you continue to refuse to listen to us.

“This is an amount that could never be taken seriously by our board.”

LockBit invited Royal Mail to provide counter offers, invitations which were ignored by the British institution.

On 1 February, LockBit lowered its demand to roughly AU$100 million (£57.4 million). Two days later, on 3 February, Royal Mail negotiators took the new demand to its board, leaving LockBit to wait for a response.

On 6 February, Royal Mail sent its last message, saying it was still awaiting a response.

LockBit extended the deadline to 14 February in an effort to restart negotiations, however Royal Mail ignored this.

The chat log, if indeed real, suggests that Royal Mail never intended to pay ransom.

“You are a very clever negotiator, I appreciate your experiencing in stalling and bamboozling, when you are trying to deceive you need to provide evidence for greater credibility, only a fool would believe in the honest word of a lawyer defending his client,” said LockBit during negotiations.

This is a move that has been supported by government institutions worldwide, such as the FBI and the UK’s National Cyber Security Centre.

Australia’s own government has also taken a stance against paying ransomware payments, with Minister for Home Affairs and Cyber Security Claire O’Neil saying that the government is considering outlawing paying hackers demands.

LockBit has said that the data it stole from Royal Mail has now been posted to its dark web site, although it is not yet available to view, suggesting that the group had no stolen data to leak in the first place.

The hacking group has held institutions for ransom in the past without having actually stolen data, such as with Thales and Mandiant.

Despite the deadline having been passed, Royal Mail is not out of trouble yet, with the British postal service still experiencing service disruptions over a month after the attack.

In a press release updated on 15 February, the organisation said that it had made progress in restoring its services, but that in certain areas, customers should expect delays.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.