Royal Mail’s recovery from ransomware attack will cost business at least $12M
First time hard figure given on recovery costs for January incident
Royal Mail's parent International Distributions Services has revealed for the first time the infrastructure costs associated with its January ransomware attack.
LockBit's attack has driven costs up across various areas of the Brit business, but improvements to the corporation's Heathrow Worldwide Distribution Centre – the target of the attack – will cost the biz £10 million ($12.4 million) it said today in a regulatory filing.
The total costs related to the attack are likely to be higher, but International Distributions Services, or IDS, has not pinned hard figures to these. The Register approached Royal Mail for additional information but it did not respond.
LockBit's attack primarily impacted Royal Mail's international shipping business, with operations taking much longer than domestic processes to resume normal service.
Today's regulatory filing [PDF] showed that the company's international revenue has declined 6.5 percent year-on-year (YoY), a drop of £22 million ($27 million), in part due to the cyber attack it sustained.
The drop in revenue was linked to a near-equal fall in parcel volume at 5 percent, a stat that was again in part caused by the cyberattack.
"International parcel volumes, including import and export parcels for Royal Mail and Parcelforce Worldwide, were down 5 percent year-on-year, a result of the global macroeconomic backdrop, the cyber incident in January 2023, and recovery from industrial action," it said. "International parcel revenue decreased 6.5 percent year-on-year."
The drop in international parcels revenue is just a small part of the group's total half-year losses, which stand at £319 million ($395.8 million).
A large proportion of these losses has been attributed to the April agreement with the Communication Workers Union (CWU) to raise staff pay by 10 percent over three years. The company previously said it earmarked £61 million ($75.6 million) for the additional one-off £500 payment also given to staff this year.
IDS' board remains "concerned" about the financial performance of Royal Mail, but acknowledged that the trading conditions it faced throughout the year were highly challenging.
However, compared to the company's previous preliminary results from March this year, two months after the ransomware attack, international revenues have improved despite being down overall.
At the time, IDS reported that revenues were down 12.2 percent, with a 7 percent drop in parcel volumes, attributing the decline to the cyberattack and reduced consumer spending due to the cost of living crisis.
Royal Mail recap
Royal Mail had a rough start to 2023 after it confirmed it had fallen victim to a cyberattack barely two weeks into the new year.
It took a few days and some confusing chats with LockBit itself, but it was ultimately confirmed to be a ransomware attack carried out by a LockBit affiliate.
Details of the attack were slow to disseminate but it all came to a head the following month after LockBit set the ransom at $80 million – a demand Royal Mail refused to pay.
LockBit then took the unusual step of leaking the entire negotiation history between itself and Royal Mail.
Early chats showed Royal Mail's negotiators seemingly trying to trick LockBit into unwittingly allowing it to fully recover without paying the ransom. They did this by asking for proof the decryptor worked using two key files they said would allow Royal Mail to continue shipping medical supplies.
LockBit later realized that the two files it was asked to decrypt as proof would have then allowed Royal Mail to recover its systems, forgoing the ransom payment.
Negotiations lasted nearly a month, from January 12 to February 9, but Royal Mail went silent for nearly a week before that final date. It never appeared willing to pay the ransom and employed a number of stalling techniques.
Dirk Schrader, Field CISO EMEA and VP of Security Research at Netwrix, told The Reg:
“Coming out of a breach is, in itself, a painful ordeal, as quite often the breached organization – in order to find the aspects in its cyber security architecture that need improvement – goes through in detail all the steps that led to the breach initially. This forensic effort is the much-needed starting point for any organization’s initiative to improve itself, to learn its mistakes, and be better positioned for the next attacks.
“When cyber-resilience is emphasised in that effort, organizations would likely map out their business process and connect the process steps with the IT systems involved in them, to find critical points and single points of failure. Once these critical systems are identified, they should make sure these devices are verified from every attack layer. It is defined and monitored which kind of data is processed by these, is the data relevant for the process; who has access and privilege to those systems, is that reduced to the absolute minimum necessary; is the system, the infrastructure itself hardened and only those services and applications supporting the business process are active on it.” ®