30 Mar 2023
by Jordan Wain

Your money or your data: Ransomware, the new cost of doing business? (Guest blog by Chainalysis)

Guest blog by Jordan Wain, Head of UK Policy, Chainalysis

At over 500 years old, the UK’s Royal Mail is one of the world's oldest organisations. Through societal and political change and the changing face of criminal activity, it has continued to provide a key service to companies, customers, and communities. Though a far cry from the highwayman of years past, 2023 saw Royal Mail face an altogether familiar demand for payment delivered in a decidedly modern way.

The Threat of Ransomware

Lockbit, one of the most notorious international ransomware strains, was used to target Royal Mail in January 2023. This resulted in sensitive data becoming encrypted and demands that an $80 million ransom be paid to prevent the data from being leaked. The attack led to a significant disruption to Royal Mail’s international export services and the prospect of sensitive data being leaked. On February 23, Lockbit carried out its threat and leaked the data. Despite the initial disruption, Royal Mail has stated that it is now processing close to normal daily volumes, suggesting its operational recovery is complete.

What happened with Royal Mail provides the perfect example of some of the ransomware trends that our data on digital asset value flows revealed, which we discuss in the Chainalysis 2023 Crypto Crime Report.

2022: Ransomware revenue on the decline…but why

2021 was a record year for ransomware attackers who received $765.6 million worth of ransom payments denominated in cryptoassets from victims. This contrasts starkly with our current estimate of $457 million for 2022. But why the steep decline?

The decline isn’t down to a decrease in the number of ransomware attacks, but can be attributed to two main trends, both of which we see in the attack on Royal Mail.

  1. Ransomware victims are increasingly unwilling to pay

As revealed by the leaked data, which contained a transcript of the lengthy discussion between Lockbit and Royal Mail, the demands for payment were dismissed. Their decision not to pay tallies with an observed decline in victim payments since June 2022. Data provided by Coveware attest to this trend citing on an annual basis that 41% of victims paid in 2022 vs 76% in 2019.

  1. Ransomware victims don’t need to pay

Cyber insurance firms, which reimburse victims for ransomware payments, can increasingly assist firms in recoveries from a cyber attack and demand better cybersecurity measures before insuring firms. This has helped harden firms' defences to stop them from falling victim to attack and pivoted mindsets towards prevention.

  1. Law enforcement is becoming increasingly sophisticated at using the tools to identify and trace illicit activity involving digital assets. 

When news of the Royal Mail attack broke, the National Cyber Security Centre (NCSC) announced its involvement alongside the National Crime Agency (NCA). Once again, returning to the transcript, professionals likely strategised the discussion. At the same time, the outcome aligns with the NCSC approach that dissuades victims from paying ransoms.

Dutch police action on the Deadbolt ransomware strain with the assistance of Chainalysis tools is another example of this trend, where law enforcement agencies are tackling this new threat head-on. They are increasingly aware of the attack vectors and tactics being used and of the tools and third parties they need to counter them.

What’s Next

In the UK, as we look forward to the next steps from the Joint Committee on the National Security Strategy (JCNSS) inquiry into ransomware, we must stay one step ahead of ransomware attackers. Commitment and resources are required from the government and law enforcement to ensure that the crackdown on ransomware continues and that the use of digital assets and the blockchain becomes increasingly uncomfortably transparent for criminals.

Follow this link to access our latest findings on digital asset crime in 2022

National Security Programme

techUK's National Security programme aims to lead debate on new and emerging technologies which present opportunities to strengthen UK national security, but also expose vulnerabilities which threaten it. Through a variety of market engagement and policy activities, it assesses the capability of these technologies against various national security threats, developing thought-leadership on topics such as procurement, innovation, diversity and skills.

Learn more

26 – 27 September 2024

Resilience Conference

London Partner event
17 June 2024

TechNExt 2024

Opencast HQ, The Kiln, Hoults Yard, Newcastle Upon Tyne, NE6 1AB

National Security updates

Sign-up to get the latest updates and opportunities from our National Security programme.





Jordan Wain

Head of UK Policy, Chainalysis