SEPA was hit by ransomware attack on Christmas Eve
Corporate plans and contracts published after organisation refused to give in to ransom demand
There’s more bad news for the Scottish Environment Protection Agency (SEPA) which was hit by a ransomware attack on Christmas Eve – a serious security breach that has continued to impact its internal systems and forced its email offline.
The Conti ransomware gang has now published 4,150 files stolen from SEPA on the dark web. Corporate plans, contracts, spreadsheets, and potentially personal information about staff, can be found amongst the haul of files now available for anybody to download with no payment required.
The malicious hackers have released the files that they stole from SEPA before unleashing their file-encrypting ransomware in frustration that the agency refused to pay any money to its extortionists.
Conti, like other notable ransomware gangs, has found that exfiltrating data from its victims and threatening to either sell it to other hackers or release it to the world increases the chance of a pay day. For that reason they, and some other ransomware gangs, run websites that publicise their latest hacks and make the stolen data available – at least for those “clients” who refuse to pay up.
Past victims of Conti have included the industrial IoT firm Advantech, which received a $14 million ransom demand from its attackers, as well as coffee machine maker De’Longi and customer information firm Ixsight Technologies.
The release of SEPA’s data is not that much of a surprise. The agency’s chief executive Terry A’Hearn has made clear in media interviews that it was not prepared to use public funds to pay money to its criminal extortionists.
That certainly isn’t the position of some ransomware victims, who have in the past been criticised by some for giving in to the demands of hackers in the hope of restoring their systems and to prevent the release of stolen data.
I don’t feel comfortable complaining too loudly about companies who decide to make the difficult decision to pay a ransom, as they may feel the only other alternative is to put their organisation, their parents, and workers’ positions in jeopardy. It’s the type of uncomfortable decision no chief executive ever wants to find themselves having to make – and it does, inevitably, encourage the criminal underworld to launch more ransomware attacks, feeding the underworld industry.
But I do admire Terry A’Hearn and his colleagues at SEPA for taking a stand, and for their clear communications with the outside world about what is going on, and the steps it is taking to harden its security.
“Sadly we’re not the first and won’t be the last national organisation targeted by likely international crime groups. We’ve said that whilst for the time being we’ve lost access to most of our systems, including things as basic as our email system, what we haven’t lost is our twelve-hundred expert staff,” said A’Hearn in a press statement. “Through their knowledge, skills and experience we’ve adapted and since day one continued to provide priority regulatory, monitoring, flood forecasting and warning services. Whilst some systems and services may be badly affected for some time, step-by-step we’re working to assess and consider how we recover. We’ll issue a broader update on service delivery and recovery early next week, with weekly updates to be clear on what those we work with can expect and how we’ll prioritise progress.”