Hackers publish thousands of files after government agency refuses to pay ransom

Ransomware gang publishes stolen data after Scottish Environment Protection Agency (SEPA) refuses to pay ransom - as agency confirms operations remain disrupted.
Written by Danny Palmer, Senior Writer

The hackers behind the ransomware attack on the Scottish Environment Protection Agency (SEPA) have published thousands of stolen files after the organisation refused to pay the ransom.

Scotland's government regulator for protecting the environment was hit with a ransomware attack on Christmas Eve, with cybercriminals stealing 1.2 GB of data in the process. Almost a month on from the attack, SEPA services remain disrupted – but despite this, the agency has made it clear it won't engage with those behind the attack.

SEPA hasn't confirmed what form of ransomware it has fallen victim to, but the Conti ransomware gang claimed responsibility for the attack.

As a result of the non-payment, Conti has published all of the stolen data on its website, posting over 4,000 documents and databases related to contracts, commercial services and strategy. The latest update from SEPA confirms that at least 4,000 files have been stolen and published.

"We've been clear that we won't use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds," said Terry A'Hearn, chief executive of SEPA.

"We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online. We're working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals," he added.

Agencies SEPA is working with in continued efforts to investigate the attack and fully restore the network include the Scottish Government, Police Scotland and the National Cyber Security Centre (NCSC).

Despite the impact of the attack, SEPA is still able to provide flood forecasting and warning services, as well as regulation and monitoring services.

Stealing data and threatening to make it public if a ransom isn't paid in exchange for the decryption key has become an increasingly common tactic for the most successful ransomware gangs, with that extra leverage helping them to make millions of dollars in bitcoin per attack.

In some cases, victims who have the capability to restore the network without the decryption key are still paying ransoms just to prevent hackers from leaking stolen data.

Ransomware has become one of the most disruptive and damaging cyberattacks an organisation can face and criminals show no signs of slowing down campaigns because, for now at least, ransomware gangs are still successfully extorting large payments from a significant percentage of victims.

