
Royal Mail — LockBit ransomware

LockBit ransomware encrypted Royal Mail's international export systems in January 2023, suspending overseas deliveries for six weeks; Royal Mail refused to pay the $80M ransom demand.

Target: Royal Mail
Date public: 11 January 2023
Sector: Transport
Attack type: Ransomware
Threat actor: LockBit
Severity: High
Region: United Kingdom

In January 2023 Royal Mail — the UK postal service that handles letters and parcels to and from every overseas country — had its international shipping systems locked by ransomware. Domestic post carried on, but anything going abroad stopped. Businesses that relied on Royal Mail for international deliveries had to find alternatives at short notice, and individuals sending parcels overseas were turned away from post offices. The criminal group behind the attack — LockBit — demanded £65.7 million to unlock the systems. Royal Mail's CEO told a parliamentary committee the demand was "absurd" and the company refused to pay. The attackers responded by publishing the full transcripts of the ransom negotiation online, which turned out to be one of the most revealing glimpses the public has ever had into how ransomware criminals actually operate: the back-and-forth bargaining, the deadlines, the threats, and the tactics used on both sides. Royal Mail rebuilt its systems from backups. Full international services returned in stages and were fully restored by April 2023.

What happened

On 11 January 2023, staff at Royal Mail's international shipping facilities found their systems displaying a ransom note: LockBit ransomware had encrypted the systems used to process and dispatch parcels and letters overseas. Domestic mail was unaffected; the breach was contained to the international export infrastructure. But that was sufficient to suspend overseas postal services entirely for a country that sends parcels to more than 230 destinations worldwide.

Royal Mail issued an immediate public statement asking customers and businesses to stop submitting international items until further notice. The impact fell hardest on small businesses that had built international operations around Royal Mail’s services and had no immediately available alternative at comparable price points. Couriers and logistics competitors reported a surge in enquiries as businesses sought substitute carriers.

LockBit, operating through one of its affiliates, claimed responsibility and published a ransom demand of £65.7 million. Royal Mail CEO Simon Thompson told a UK parliamentary committee that the demand was “absurd” — equivalent to roughly 6% of annual group revenue — and confirmed the company would not pay. Recovery was pursued via backup restoration and system rebuilding, with international services returning in stages across February and March, and full restoration declared in April 2023. The total disruption lasted approximately six weeks for most destinations and longer for some.

LockBit responded to Royal Mail’s refusal to pay by publishing the entire negotiation transcript on its leak site in February 2023. The transcript — running to thousands of words of dialogue between a LockBit negotiator and a Royal Mail representative — became one of the most-read documents in the cybersecurity community that year, providing a public account of the mechanics of ransomware extortion from the inside.

How it worked

The entry vector for the Royal Mail attack was publicly identified by researchers as the Fortra GoAnywhere MFT (Managed File Transfer) vulnerability, CVE-2023-0669, a zero-day remote code execution flaw that LockBit and Cl0p affiliates exploited extensively against organisations globally in early 2023. GoAnywhere MFT is used by large organisations to transfer files internally and with external partners; Royal Mail used it as part of its international dispatch infrastructure. The vulnerability was disclosed publicly in early February 2023 with a patch, but exploitation had already begun weeks before disclosure.

LockBit operated as a ransomware-as-a-service platform, providing affiliates with the encryption malware, infrastructure, and negotiation support in exchange for a percentage of any ransom paid. The affiliate responsible for the Royal Mail attack operated with a degree of autonomy within the LockBit framework; the negotiation transcript revealed that the LockBit negotiating representative and the affiliate had different priorities and occasionally communicated those tensions to Royal Mail’s representative. This gave analysts a rare view into the internal dynamics of a RaaS operation.

The negotiation transcript itself was notable for several things: the LockBit negotiator’s use of pressure tactics including deadline extensions and data-leak threats; Royal Mail’s representative using delay tactics and questioning the legitimacy of the demand; and both parties’ evident awareness that the transcript would ultimately become a public document. LockBit explicitly warned during negotiations that publishing was the consequence of refusal to pay. When Royal Mail declined, LockBit followed through, publishing not only the transcript but internal Royal Mail documents including operational data and employee files.

Timeline

  • Early January 2023 — LockBit affiliate exploits CVE-2023-0669 in Royal Mail’s GoAnywhere MFT deployment to gain access.
  • 11 January 2023 — LockBit ransomware deployed against Royal Mail’s international export systems. Ransom note displayed. Royal Mail detects the incident.
  • 11 January 2023 — Royal Mail issues public statement asking customers to stop submitting international items.
  • January–February 2023 — Ransom negotiations between Royal Mail and LockBit affiliate; demand set at £65.7 million.
  • February 2023 — Royal Mail CEO tells parliamentary committee the demand is “absurd” and confirms refusal to pay. LockBit publishes the negotiation transcript and stolen data on its leak site.
  • February 2023 — Fortra discloses CVE-2023-0669 publicly and issues patch. CISA publishes advisory on GoAnywhere MFT exploitation.
  • February–March 2023 — Royal Mail restores international services progressively by destination.
  • April 2023 — Royal Mail declares full restoration of international postal services.
  • February 2024 — LockBit disrupted by Operation Cronos, an international law enforcement action led by the UK National Crime Agency and US DOJ.

What defenders should learn

The GoAnywhere entry point is a lesson in patch and exposure management for internet-facing file-transfer infrastructure. GoAnywhere MFT, MOVEit Transfer, Accellion FTA — the pattern of attackers targeting managed file-transfer platforms is consistent and well-established. These platforms are disproportionately valuable targets because they sit at the boundary between internal systems and external partners, hold files of significant sensitivity, and are often operated by a specific team who may not be plugged into rapid security-patch cadences. Any organisation running a managed file-transfer platform should treat it as a priority asset for vulnerability scanning, patch management, and inbound connection monitoring.
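One way to put the inbound connection monitoring recommended above into practice, as an added example that is not taken from Royal Mail, Fortra or any source cited on this page. The host name, ports, networks and log format are all assumptions constructed for illustration; the check flags allowed connections that reach a file-transfer platform's administrative port from outside the management network, or its transfer ports from outside known partner ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: host name, ports and networks are assumptions for this example.
MFT_ASSETS = {
    "mft-export-01": {
        "admin_port": 8001,
        "transfer_ports": {22, 443},
        "mgmt_nets": ["10.20.0.0/24"],
        "partner_nets": ["198.51.100.0/24", "10.0.0.0/8"],
    },
}

# Constructed firewall log lines: "<ISO time> <src ip> <dst host> <dst port> <action>"
SAMPLE_LOG = """\
2024-05-02T02:14:07Z 10.20.0.15 mft-export-01 8001 ALLOW
2024-05-02T02:15:41Z 203.0.113.77 mft-export-01 8001 ALLOW
2024-05-02T02:15:59Z 203.0.113.77 mft-export-01 8001 ALLOW
2024-05-02T03:01:12Z 198.51.100.9 mft-export-01 443 ALLOW
2024-05-02T03:05:30Z 192.0.2.44 mft-export-01 22 ALLOW
2024-05-02T03:06:02Z 192.0.2.50 mft-export-01 8001 DENY
"""

def in_any(ip, cidrs):
    """True if ip falls inside at least one of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def review_connections(log_text, assets=MFT_ASSETS):
    """Return {(severity, src, host, port): count} for allowed connections that break policy."""
    findings = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess at their meaning
        _ts, src, host, port, action = parts
        asset = assets.get(host)
        if asset is None or action != "ALLOW":
            continue  # not an MFT host, or the firewall already blocked it
        port = int(port)
        if port == asset["admin_port"] and not in_any(src, asset["mgmt_nets"]):
            findings[("HIGH", src, host, port)] += 1    # admin console reached from outside mgmt
        elif port in asset["transfer_ports"] and not in_any(src, asset["partner_nets"]):
            findings[("MEDIUM", src, host, port)] += 1  # transfer service used by unknown source
    return dict(findings)

if __name__ == "__main__":
    for (sev, src, host, port), n in sorted(review_connections(SAMPLE_LOG).items()):
        print(f"{sev:6} {src} -> {host}:{port} ({n} allowed connections)")
```

Any HIGH finding means the administrative interface is reachable from a network that should never see it, which is an exposure to close regardless of whether a patch is pending.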

The publication of the negotiation transcript is an intelligence windfall that the security community should extract maximum value from. The transcript makes visible exactly how LockBit managed pressure: the initial demand sized to feel negotiable but remain very large; the use of data-leak publication as a countdown threat; the extensions offered to maintain the appearance of reasonableness; the point at which the negotiator made clear that all further concessions were exhausted. Incident responders and legal teams preparing for the possibility of ransomware negotiation should read the transcript in full as pre-event preparation.

Royal Mail’s refusal to pay and subsequent public transparency — including the parliamentary testimony — contributed to the quality of the public record around LockBit’s operations. That transparency assisted the law-enforcement operation that ultimately disrupted LockBit in February 2024. Operation Cronos resulted in the seizure of LockBit’s infrastructure, the unmasking of the group’s principal administrator (known as LockBitSupp, identified by the UK NCA as Russian national Dmitry Khoroshev), and the brief repurposing of LockBit’s own leak site to publish counter-intelligence about the group. The Royal Mail incident is a thread in the longer story of LockBit’s eventual disruption.
