{ "id": "e2b062bb-12f2-41b9-8ce5-5282a67ca579", "created_at": "2026-04-06T00:08:34.733332Z", "updated_at": "2026-04-10T03:23:52.3401Z", "deleted_at": null, "sha1_hash": "3a1b9b3f4357b41fa036f97f642266fdb7de6019", "title": "LockBit ransomware gang claims Royal Mail cyberattack", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2330218, "plain_text": "LockBit ransomware gang claims Royal Mail cyberattack\r\nBy Sergiu Gatlan\r\nPublished: 2023-02-07 · Archived: 2026-04-05 15:08:03 UTC\r\nThe LockBit ransomware operation has claimed the cyberattack on UK's leading mail delivery service Royal Mail that\r\nforced the company to halt its international shipping services due to \"severe service disruption.\"\r\nThis comes after LockBitSupport, the ransomware gang public-facing representative, previously told BleepingComputer that\r\nthe LockBit cybercrime group did not attack Royal Mail.\r\nInstead, they blamed the attack on other threat actors using the LockBit 3.0 ransomware builder that was leaked on Twitter\r\nin September 2022.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nLockBitSupp failed to explain why printed Royal Mail ransom notes seen by BleepingComputer included links to LockBit's\r\nTor negotiation and data leak sites rather than ones operated by another threat actor.\r\nLockbit Black ransom note printer during the attack on Royal Mail (Daniel Card)\r\nHowever, LockBitSupp confirmed that LockBit was indeed behind the attack in a post on a Russian-speaking hacking forum\r\nafter determining that one of their affiliates deployed the gang's ransomware payloads on Royal Mail's systems.\r\nThe ransomware gang's representative also added that they would only provide a decryptor and delete data stolen from\r\nRoyal Mail's network after a ransom is paid.\r\nAt the moment, the entry for the Royal Mail attack on LockBit's data leak site says stolen data will be published online on\r\nThursday, February 9, at 03:42 AM UTC.\r\nRoyal Mail entry on LockBit's data leak site (BleepingComputer)\r\nAttack described as a \"cyber incident\"\r\nRoyal Mail first detected the attack on January 10 and hired outside forensic experts to help with the investigation.\r\n\"Incident was detected yesterday, UK/ domestic mail remains unaffected,\" a Royal Mail spokesperson told\r\nBleepingComputer on January 11 when we reached out for more details.\r\n\"We're experiencing disruption to our international export services and are temporarily unable to despatch items to overseas\r\ndestinations,\" the company tweeted.\r\n\"Please do not post any export items while we work to resolve the issue. Sorry for any disruption this may cause.\"\r\nThe company also reported the incident to UK security agencies and is investigating the incident alongside the National\r\nCrime Agency and UK National Cyber Security Centre (NCSC).\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/\r\nPage 3 of 4\n\nHowever, Royal Mail is yet to acknowledge that it's dealing with a ransomware attack that could likely lead to a data breach\r\nsince LockBit ransomware operators are known for stealing data and leaking it online if their ransom demands are not met.\r\nFor now, the company is still describing the attack as a \"cyber incident\" and says that it has restored some of the services\r\nimpacted by the attack.\r\nLast month's incident follows a November 2022 outage that led to the Royal Mail's tracking services being unavailable for\r\nmore than 24 hours.\r\nRoyal Mail's recurring IT issues come at a time when its mailing services are already strained amid planned national strikes\r\nand ongoing negotiations with the Communication Workers Union.\r\nH/T Dominic Alvieri\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/" ], "report_names": [ "lockbit-ransomware-gang-claims-royal-mail-cyberattack" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434114, "ts_updated_at": 1775791432, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3a1b9b3f4357b41fa036f97f642266fdb7de6019.pdf", "text": "https://archive.orkl.eu/3a1b9b3f4357b41fa036f97f642266fdb7de6019.txt", "img": "https://archive.orkl.eu/3a1b9b3f4357b41fa036f97f642266fdb7de6019.jpg" } }