Hackers publish data stolen from SEPA as the agency refuses to pay ransom

SEPA says it will not use public finance to pay criminals

Hackers behind the ransomware attack on the Scottish Environmental Protection Agency (SEPA) have published about 4,000 stolen files, as the Agency continues to resist demands to pay.

In an update on its website, SEPA confirmed that the data stolen from the agency's systems has been published on the web by cyber criminals.

"We're working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals," SEPA's chief Terry A'Hearn stated.

"We've been clear that we won't use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds," he added.

SEPA is the environmental regulator of the Scottish government. It is a non-departmental public agency tasked with protecting the country's environment.

The Agency first identified the ransomware attack on Christmas Eve. The attack was so serious that it knocked many of the agency's critical IT systems offline, and disrupted public services. SEPA's email systems were also affected, and are still down.

An initial investigation concluded that a highly organised, international cyber-crime group launched the attack, with the intention of extorting public funds. Soon after, the operators of the Conti ransomware claimed responsibility.

Conti was first noticed in May 2020. The operators claim that their ransomware has successfully been used to breach more than 150 victims in the past seven months, generating profits of several million dollars.

The group stole nearly 1.2GB of data in the attack on SEPA, including employee information, business and procurement data, and details of some projects.

SEPA says that it has adapted priority services like flood forecasting and monitoring to the situation following the attack, and those services continue to operate despite disruption in other IT systems.

The agency is currently working with the National Cyber Security Centre (NCSC), Scottish government and Police Scotland to mitigate the attack and identify the hackers. It has also set up a dedicated data loss support website, and is contacting affected staff and providing support and guidance to business and supply chain partners.

SEPA says it is taking professional advice from cyber security experts for the recovery of its affected systems, which will take some time.

Michael McCullough, a detective inspector at the Scottish Police Cybercrime Investigation Unit, revealed that the investigation was still in its initial stage, and that efforts were ongoing, including "the deployment of specialised cybercrime resources" to support the response.