Cyber criminals publish more than 4,000 stolen Sepa files

Cyber criminals who stole thousands of digital files belonging to environmental regulator Sepa have published them on the internet.

The public body had about 1.2GB of data stolen from its digital systems on Christmas Eve.

Sepa rejected a ransom demand for the attack, which has been claimed by the international Conti ransomware group.

Contracts, strategy documents and databases are among the 4,000 files released.

The data has been put on the dark web – a part of the internet associated with criminality and only accessible through specialised software.

Sepa chief executive Terry A’Hearn said: “We’ve been clear that we won’t use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds.

“We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online.

“We’re working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals.”

• What is ransomware?
• Cyber criminals demand ransom to unlock Sepa systems

The attack locked Sepa’s emails and contacts centre but Sepa said “priority regulatory, monitoring, flood forecasting and warning services were continuing to adapt and operate”.

Sepa said the theft was the equivalent to a fraction of the contents of an average laptop hard drive.

Some of the information stolen was already publicly available but other files included data about staff and suppliers was not.

Where information has been identified to date, staff have been contacted and are being supported.

‘Serve as a warning to future victims’

Brett Callow, of cyber security company Emsisoft, has been tracking the Sepa ransomware attack.

He said: “Conti may well be the work of the same people behind another type of ransomware called Ryuk.

“There are similarities in the code, ransom note and attack mechanisms.

“When the complete haul of data is posted like this, it usually means the group has given up hope of being able to extract payment from the victim of monetise the data in other ways.

“It’s a loss for them. At this point, they’ve lost all leverage and the action is intended to serve as a warning to future victims.”

Det Insp Michael McCullagh, of Police Scotland’s cybercrime investigations unit, said: “This remains an ongoing investigation.

“Inquiries remain at an early stage and continue to progress including deployment of specialist cybercrime resources to support this response.”

The authorities will be pleased.

It looks like Sepa decided not to play ball with the cyber criminals.

Ransomware is a scourge that is costing organisations billions of pounds and every time a victim pays, it fuels further attacks.

Sadly for Sepa this is far from over.

By the looks of the stash of files that the hackers stole and encrypted, Sepa will have months of work ahead to try to recover important documents and spreadsheets from backups and rebuild their records.

It’s also telling that, according to the hackers website, almost 1,000 people have so far looked at the documents.

Who knows what other criminals or hackers are poring over the files right now.

Making the documents open to all means that information can be extracted to potentially be used against Sepa in further attacks or extortion attempts.

It will be months, perhaps even years until the organisation can say it is safe once more and can put this cyber attack behind it.