Ransomware Attack

Up to 4,000 stolen files have been released by hackers who launched a ransomware attack against the Scottish Environmental Protection Agency on Christmas Eve.

On the heels of a ransomware attack against the Scottish Environmental Protection Agency (SEPA), attackers have now reportedly published more than 4,000 files stolen from the agency – including contracts and strategy documents.

After hitting SEPA on Christmas Eve with the attack, cybercriminals encrypted 1.2GB of information. The attack has affected SEPA’s email systems, which remain offline as of Thursday, according to the agency. However, SEPA, which Scotland’s environmental regulator, stressed on Thursday that it will not “engage” with the cybercriminals.

“We’ve been clear that we won’t use public finance to pay serious and organized criminals intent on disrupting public services and extorting public funds,” said SEPA chief executive Terry A’Hearn in a statement.

2020 Reader Survey: Share Your Feedback to Help Us Improve

The agency is charged with protecting Scotland’s environment via national flood forecasting, flood warnings and more. As such, the stolen data included various information related to environmental businesses – including publicly-available regulated site permits, authorizations and enforcement notices, as well as data related to SEPA corporate plans, priorities and change programs. Other compromised data was related to publicly available procurement awards and commercial work with SEPA’s international partners. Also stolen was the personal data of SEPA’s staff.

Despite these broad categories, SEPA said it still does not know – and may never know – the full details of all files stolen. Some of the compromised information was already publicly available, while other data was not, it confirmed.

“Working with cyber security experts, a dedicated team has been established to identify the detail of business or partner information loss and, where identified, direct contact will be made as quickly as possible with affected organizations,” according to SEPA.

SEPA’s email and other systems remain down, and “it is now clear is that with infected systems isolated, recovery may take a significant period,” according to the agency in its update. “A number of SEPA systems will remain badly affected for some time, with new systems required.”

What’s still unclear is how the ransomware attack first started and how much attackers are demanding in terms of a ransom payment. Regardless of the ransom amount, attackers are now putting more pressure on the agency to pay up: This data has now been thrown out on underground forums. According to reports, hackers said on their website that almost 1,000 people so far have viewed the compromised documents.

Brett Callow, threat analyst with Emsisoft, told Threatpost that the Conti ransomware gang has taken responsibility for the attack.

“Attacks on governments have become increasingly common over the last couple of years, and will almost certainly continue at the current level until some positive action is taken,” said Callow. “That may be investing to bolster security in the public sector, using policy to close the enforcement gap or finding other ways to make ransomware less profitable or any combination of these.”

Ransomware actors are also looking at government and public sector victims for rooting out personal data. In 2019, up to 22 Texas entities and government agencies were hit by a ransomware attack that Texas officials say was part of a targeted attack launched by a single threat actor. And in October 2020, the National Guard was called in to help stop a series of government-focused ransomware attacks in Louisiana.

The incident also points to ransomware actors evolving from previously destroying critical data or bringing companies’ services and operations to a standstill, to now threatening to disclose sensitive data publicly, Joseph Carson, chief security scientist and Advisory CISO at Thycotic told Threatpost.

“It’s no longer good enough to have solid backups to protect against ransomware,” Carson told Threatpost. “Strong access controls and encryption are now vital to prevent data being easily stolen and released.  As ransomware evolves, we must also evolve our protection to reduce the risk of falling victim to it.”

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!