Five Things the Royal Mail Ransom Transcript Leak Taught Us About Ransom Negotiations

1: Plan who will be involved in ransom communications

 Before negotiations begin, you should have a plan outlining who will be involved, (if and) what you are willing to pay and what the goal is, says Alon Schwartz, a security researcher at Logpoint Global Services.

Schwartz believes the Royal Mail negotiator had a “very well-thought-out plan” to throw the attackers. For instance, he claimed to be “a simple IT guy” who would need approval for his actions. However, in a Malwarebytes Lab article, the author, Mark Stockley, suggests the simple IT guy could have been a professional ransomware negotiator playing a role.

“Use a platform such as Signal or WhatsApp where your crisis management team and other internal teams can talk and orchestrate things”Lisa Forte

The Royal Mail negotiator, whoever it was, insisted the company couldn’t pay the ransom and continuously tried to lower it throughout the chat. “This indicates he was just buying time and sent a message to the LockBit negotiator that they were unwilling to pay,” says Schwartz.

When negotiating with attackers, it’s important that the same person remains in contact, says independent cybersecurity researcher Sean Wright. “This will help ensure the negotiation continues since the rapport was already established initially.”

He says it also helps avoid unnecessary confusion about what has been said previously.

Additionally, it’s a good idea to ensure you have in-band and out-of-band communication channels set up, says Lisa Forte, a founder of Red Goat Cyber Security. “The latter is very important. You can use a platform such as Signal or WhatsApp where your crisis management team and other internal teams can talk and orchestrate things. This provides redundancy if your primary communications channels are unavailable, and it also means if the attackers are still in the network, they can’t see what is being said.”

2: Understand your attacker

It’s helpful to know who might target your company in a cyber assault and why. Of course, attackers always follow the money, but in the case of the Royal Mail breach, cyber criminals also thought their tactics were justified. “Even when it was pointed out to the attacker that this incident could cost lives, they responded, ‘You are making multi-billion-dollar profits from your business and don’t want to part with the money; don’t you think that’s odd? It’s your greed that makes the people who are waiting for their packages suffer’,” Wright points out.

Compounding this is the sense that ransomware groups also operate like a business, he says, highlighting the line from the transcript where LockBit states: “We understand you very well – we are all suffering from the global crisis, and our income has fallen as much as yours.”

Joe Wrieden, a cyber threat intelligence analyst at Cyjax, thinks the transcript provides “a very clear insight” into the tactics used by ransomware attackers to put organisations under pressure to make payments. “One main lesson these chat logs highlight is the key role communication holds within the ransomware model and how a full recovery plan should consider the threat actor within it.”

Building an understanding of the pressure tactics used by ransomware criminals helps to remove their power over the situation, says Wrieden. “When combining a traditional recovery plan with an understanding of the adversary, you can begin to limit the influence their pressure tactics have in negotiations.”

3: Attackers don’t always win

In the midst of a breach, it’s important to remember that attackers don’t always win – and they often make mistakes. The attack poorly impacted both Royal Mail and the LockBit gang. “Although Royal Mail suffered substantial losses, there is no doubt that LockBit were also taught a lesson,” says Schwartz.

“Financing such an attack does not come cheap, so it is fair to say LockBit suffered some financial and reputational damage.”

Throughout the chat, he points out how LockBit claimed to have exact information about Royal Mail’s revenue to legitimise the ransom request. “However, the attack didn’t affect Royal Mail per se but rather Royal Mail International, a separate entity that is actually losing money.”

Worse, despite an explanation from Royal Mail International’s representative about the structure of the group and its limited means, LockBit seemed unwilling to accept its mistake.

Instead, the group appeared keener to “grandstand” and try to assert dominance in the negotiations, adds Dr Meera Sarma, CEO of cybersecurity consultancy Cystel.

This isn’t the only time LockBit targeted an organisation without doing thorough background research.

Last year, an affiliate of the group violated its rules by attacking the Toronto-based children’s hospital, SickKids. “It resulted in LockBit having to cut ties with the perpetrator and make a public apology,” says Joshua Moore, senior investigator at Dark Invader.

4: Be prepared to play the attacker at their own game

There’s no doubt about it: Ransomware negotiation involves much game-playing. First, your negotiator needs to assess whether the cyber criminals are the real deal and use delaying tactics while you work out the scope of the attack.

The negotiation between Royal Mail and LockBit shows how important it is to verify that attackers have control of your data by asking them to provide evidence such as file names or system information, Schwartz adds. “It had been verified quite quickly at the beginning of the chat between Royal Mail and LockBit, which is exactly what we would expect.”

The game-playing began very early in the conversation when the Royal Mail negotiator told LockBit, “My management have heard that your decryptor might not work on large files”.

This challenge to LockBit resulted in a detailed conversation about how criminals could prove they could decrypt large files, says Mark Stockley, a threat researcher at Malwarebytes. He calls it “an excellent tactic”.

“Nothing happens quickly when you’re dealing with large files, and the request created opportunities for numerous plausible delays and follow-up questions from Royal Mail.”

Even LockBit seemed to know it had met its adversarial match. Towards the end of the negotiation, LockBit told Royal Mail’s representative, “You are a very clever negotiator”, and “I appreciate your experience in stalling and bamboozling”.

 5: Befriend your attacker

Perhaps the hardest lesson to digest from the Royal Mail negotiation is that if you find yourself talking to a ransomware gang, you must try to make friends, says Stockley. “By being deferent and respectful, victims can humanise themselves and appeal to their attacker’s empathy.”

The Royal Mail negotiator did so by subtly positioning themselves as a separate entity from their bosses with phrases such as, “Our senior management has asked me to contact you”. At times they even hinted they were acting on behalf of LockBit with responses including, “I am trying to help our Senior Team understand this”, rather than “We are trying to understand this”, he adds.

“By being deferent and respectful, victims can humanise themselves and appeal to their attacker’s empathy” Mark Stockley

Most ransomware gangs have adopted a business dialect to describe what they do – such as referring to breaking into computer systems as ‘pen testing’, calling victims ‘customers’, and ransom negotiations ‘support’. Stockley says this suggests a certain discomfort with the reality of what they do and a desire to distance themselves from it.

The Royal Mail negotiator created a connection with their attacker by referring to LockBit’s criminal activity as “penetration testing”, Stockley points out. “Could you do that with somebody who held your livelihood in their hands?”