SEPA, the Scottish Environment Protection Agency, has confirmed that the organised hacker group that conducted a cyber attack on its systems on Christmas Eve has published 1.2 GB of information online after the agency refused to agree to a ransom demand.
According to SEPA, the ransomware attack was likely conducted by "international serious and organised cyber-crime groups" who targeted its contact centre, internal systems, processes, and internal communications on Christmas Eve before trying to force it to pay a ransom.
The agency said that the ransomware actors stole at least four thousand internal files, amounting to 1.2 GB of data. These included the personal information of staff; procurement information, such as publicly available procurement awards; information about current projects; business information, such as publicly available site permits, authorisations and enforcement notices; and some information related to SEPA corporate plans, priorities and change programmes.
"On Thursday, 21st January 2021, as part of a broad update on data theft, service delivery and recovery, we confirmed that data stolen by what was likely to be international serious and organised cyber-crime groups has now been illegally published online," SEPA said in a recent update to the security incident.
"We have prioritised our legal obligations and duty of care on the sensitive handling of data very seriously. We’re working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals.
"We don't however yet know, and may never know, the full detail of the 1.2 GB of information stolen. Some of the information stolen will have been publicly available, whilst some will not have been," it added.
Terry A'Hearn, the chief executive of SEPA, told the BBC that SEPA "won't use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds."
Commenting on cyber criminals publishing SEPA files online to force the agency to pay a ransom, Hugo van der Toorn, manager offensive security at Outpost24, says that even though paying a ransom may seem like an easier solution, SEPA has done the right thing by refusing to pay, restoring its systems from backups and replacing affected systems.
"As you are dealing with individuals, or collectives of people, with very little ethics you cannot trust them to not blackmail you again after they digitally broke in and stole your data already," van der Toorn said.
"So although paying ransom may seem like an ‘easy way to recovery’, you can never be certain to ever regain access to your files and your network will always remain a hostile territory. Even paying the ransom would not have guaranteed that the information would not get leaked, or that a higher ransom amount is asked at a later stage."