Ransomware · Contained

Royal Mail LockBit ransomware

LockBit affiliates encrypted Royal Mail's international export systems, halting all overseas postal services from the U.K. for six weeks. Royal Mail publicly refused the £65.7M ransom demand; LockBit progressively leaked exfiltrated data.

Victim: Royal Mail International
Loss: $60.0M

On 10 January 2023, Royal Mail International — the U.K. national postal operator's overseas-bound mail and parcel service — discovered that LockBit ransomware had encrypted the systems responsible for export processing. Within hours, the U.K.'s entire international postal capability was offline. The disruption lasted six weeks; Royal Mail publicly refused the £65.7M ransom demand, and LockBit responded by leaking the data it had exfiltrated.

The incident became the most-watched U.K. ransomware incident of 2023, contributing to the operational pressure that culminated in Operation Cronos the following year.

What happened

LockBit affiliates accessed Royal Mail's Distribution and Mailing International (DMI) infrastructure, the segment handling overseas parcels, tracked international services, and export documentation. The intrusion vector has not been publicly detailed; the encryption event of 10 January was the first indicator visible to Royal Mail. That matters for defenders: the data LockBit later leaked had to be exfiltrated before encryption, so initial access, internal reconnaissance and bulk exfiltration all went undetected, and the dwell time before 10 January remains unknown.

The blast radius was unusually well-contained to one operational segment:

  • International export: parcels, letters, tracked items — all halted.
  • Track and trace: customers could not see status of in-flight overseas mail.
  • Domestic U.K. mail: unaffected. The internal Royal Mail network had been segmented from DMI, which limited the spread.

Royal Mail's public communications initially called the event a "cyber incident" rather than ransomware. The DMI service offered customers refunds for paused parcels and asked them to stop submitting overseas mail. The disruption affected:

  • U.K. exporters of physical goods (small and mid-sized businesses dependent on Royal Mail International for cross-border shipping).
  • Individuals shipping internationally.
  • U.K. expatriates and overseas residents awaiting U.K.-origin mail.

Refusal and leak

Negotiating logs subsequently leaked, circulating on Twitter and in the security press, apparently released by LockBit as part of its own pressure campaign. The logs showed LockBit demanding $80 million for the decryptor and non-publication, and the Royal Mail negotiator pushing back substantively:

"Under no circumstances will we pay you the absurd amount of money you have demanded." — Royal Mail negotiator, per leaked LockBit chat logs

On 2 February 2023, Royal Mail formally confirmed it would not pay. LockBit responded:

  • Publishing proof-of-life sample data on its leak site.
  • Then, beginning 23 February, publishing the full exfiltrated dataset — operational documents, internal emails, technical specifications, employee details.

Royal Mail restored international tracked services on 24 February 2023 — the day after LockBit began publishing the bulk data. The dataset has been publicly available on dark-web sources since.

The LockBitSupp evasion

In the days after the attack, LockBitSupp — later identified as Dmitry Khoroshev — engaged in an unusual public exchange on Twitter, denying that LockBit was responsible for the Royal Mail attack and attributing it to a "rogue affiliate" who had stolen the LockBit builder code. The disavowal was widely interpreted as a face-saving response after the operation had attacked a politically sensitive U.K. target — LockBit's nominal operating rules prohibited attacks on critical infrastructure, which Royal Mail arguably represented.

The leaked chat logs subsequently confirmed that LockBit's mainline affiliate program had run the attack. LockBitSupp's claimed dissociation was, per security analyst consensus, reputation management.

Impact

  • Six weeks of international postal disruption in the U.K.
  • ~£10 million in direct revenue loss and operational impact, per Royal Mail's annual report.
  • ~£40-60 million total cost including remediation, customer refunds, and brand impact.
  • Operational pressure on LockBit: the U.K. NCA's Operation Cronos build-up began in earnest in the months following Royal Mail, and the Royal Mail attack is widely cited as a motivating factor for the dedicated multi-agency effort.

Why it matters

Royal Mail / LockBit is the canonical case for ransomware against critical postal infrastructure. It established:

  • That public refusal to pay by a privatised national postal operator carrying universal-service obligations is operationally viable, given strong leadership support and a willingness to treat the eventual leak as a sunk cost.
  • That LockBit's "no critical infrastructure" rule was unenforceable against its own affiliate program. The disavowal demonstrated that the central operation could not stop affiliates from attacking politically sensitive targets even when doing so created brand risk for LockBit.
  • That dark-web leak data is permanent — Royal Mail's internal documents continue to circulate.
  • That segmentation works: the breach was confined to DMI because Royal Mail had separated international processing from domestic. This is the most-actionable lesson; many large enterprises lack equivalent segmentation between operational segments.
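The segmentation lesson is only useful if it can be checked against an actual policy. The script below is an added example, not Royal Mail's configuration and not derived from anything the sources describe: the zone names and flow rules are constructed. It takes a zone-to-zone allow list, expands any/any wildcards, keeps only the services an intruder could use to move laterally, and computes the blast radius from a compromised segment, so a flat policy and a segmented one can be compared side by side.

```python
"""Blast-radius check over a zone-to-zone firewall allow list.

Added illustration of the segmentation lesson. Zone names, flows and the
service set are constructed for this example and are not Royal Mail's.
"""
from collections import deque

# Services that hand an intruder an interactive foothold on the far side.
# Which services belong here is a judgement call: an exploitable HTTPS
# service can be a pivot too, so treat this as a starting point.
LATERAL_SERVICES = {"smb", "rdp", "winrm", "ssh"}

# Constructed zones; "dmi-*" stands in for an international-export segment.
ZONES = ["dmi-export", "dmi-tracking", "corp-it", "domestic-sorting", "finance"]

# Flat network: one any/any rule per admin protocol, as often found in practice.
FLAT_FLOWS = [("*", "*", "smb"), ("*", "*", "rdp"), ("*", "*", "https")]

# Segmented network: admin protocols only inside a segment; the only
# cross-segment flow is a one-way HTTPS status feed.
SEGMENTED_FLOWS = [
    ("dmi-export", "dmi-tracking", "smb"),
    ("dmi-tracking", "dmi-export", "rdp"),
    ("dmi-tracking", "corp-it", "https"),   # status feed, not an admin protocol
    ("corp-it", "domestic-sorting", "rdp"),
    ("corp-it", "finance", "smb"),
]


def expand(flows, zones):
    """Expand '*' wildcards into concrete (src, dst, service) tuples."""
    concrete = []
    for src, dst, svc in flows:
        srcs = zones if src == "*" else [src]
        dsts = zones if dst == "*" else [dst]
        for s in srcs:
            for d in dsts:
                if s != d:
                    concrete.append((s, d, svc))
    return concrete


def lateral_graph(flows, zones, lateral=LATERAL_SERVICES):
    """Directed graph of zones connected by a lateral-movement-capable service."""
    graph = {z: set() for z in zones}
    for src, dst, svc in expand(flows, zones):
        if svc in lateral:
            graph[src].add(dst)
    return graph


def blast_radius(flows, zones, compromised, lateral=LATERAL_SERVICES):
    """Zones an intruder holding `compromised` can reach (BFS over lateral edges)."""
    graph = lateral_graph(flows, zones, lateral)
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        zone = queue.popleft()
        for nxt in graph[zone]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def worst_case(flows, zones, lateral=LATERAL_SERVICES):
    """Largest blast radius over every possible starting zone, as (size, zone)."""
    return max((len(blast_radius(flows, zones, z, lateral)), z) for z in zones)


if __name__ == "__main__":
    for name, flows in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        reach = blast_radius(flows, ZONES, "dmi-export")
        size, origin = worst_case(flows, ZONES)
        print(f"{name}: dmi-export compromise reaches {sorted(reach)}; "
              f"worst case {size} zones starting from {origin}")
```

Two points the output makes that the bullet alone does not: a single wildcard rule collapses every segment into one blast radius regardless of how many zones are drawn on the diagram, and the result depends on what you count as a lateral-movement service. Re-run with `"https"` added to `LATERAL_SERVICES` and the one-way status feed becomes a bridge from the export segment into corporate IT and everything behind it, which is exactly the kind of flow to review when the only cross-segment link is an application feed.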

The eventual Operation Cronos takedown of LockBit infrastructure in February 2024 was driven in significant part by U.K. concerns about LockBit's continuing operational impact on U.K. organisations — Royal Mail being the most-cited example.

Financial impact

Reported costs in USD

Total reported loss: $60.0M (USD $60,000,000)
Ransom demanded: $80.0M
Ransom paid: Refused
  • Business loss: $40.0M
  • Remediation: $20.0M

Timeline

  1. 10 January 2023: Royal Mail discovers ransomware encryption on Distribution and Mailing International (DMI) infrastructure. International export and tracking systems go offline.

  2. Royal Mail publicly acknowledges a 'cyber incident' affecting international export only; domestic mail unaffected. All overseas-bound packages and tracked items are paused.

  3. Initial public confusion about attribution; LockBitSupp denies LockBit involvement on Twitter, later attributing the attack to a 'rogue affiliate' using leaked LockBit builder code.

  4. LockBit chat logs leak, confirming LockBit affiliates were responsible. The negotiator from Royal Mail's side is observed pushing back on a ransom demand of $80M.

  5. 2 February 2023: Royal Mail formally refuses to pay the ransom (final demand at this point: $80M / £65.7M).

  6. 23 February 2023: after earlier posting proof-of-life samples, LockBit begins publishing the full exfiltrated Royal Mail dataset on its leak site.

  7. 24 February 2023: Royal Mail restores international tracked services after six weeks of disruption.

  8. February 2024: U.K. NCA-led Operation Cronos seizes LockBit infrastructure.

  9. May 2024: Operation Cronos unmasks Dmitry Khoroshev as LockBitSupp; U.S., U.K. and Australian authorities announce sanctions against him and the U.S. unseals an indictment.

Sources

  1. royalmail.com: https://www.royalmail.com/cyber-incident
  2. bbc.com: https://www.bbc.com/news/business-64259003
  3. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/royal-mail-confirms-ransomware-attack-by-lockbit-after-leaked-chats/
  4. parliament.uk: https://www.parliament.uk/business/news/2023/january/royal-mail-cyber-attack/
