Cyber criminals demand ransom to unlock Sepa systems


The environmental regulator Sepa says criminals are demanding a ransom to unlock its digital systems which have been subjected to a cyber attack since Christmas Eve.

It said international groups were likely to be behind the ransomware attack that has locked its emails and contacts centre.

More than 1GB of data has been stolen, including information about staff.

Police Scotland and the National Cyber Security Centre are investigating.

Cyber security specialists have identified the theft of about 1.2 GB of data with indications suggesting that at least 4,000 files may have been accessed and stolen.

The company's internal communications have also been locked but Sepa said "priority regulatory, monitoring, flood forecasting and warning services were continuing to adapt and operate".

Sepa (Scottish Environment Protection Agency) said a number of systems, including email, would remain badly affected for some time and it was likely that new systems would have to be built from scratch.

Information submitted to Sepa by email since Christmas Eve is not currently accessible.

This has been an incredibly sophisticated attack on Scotland's environmental regulator which has locked their IT systems and crippled them now for three weeks.

We know that the cyber criminals have been in touch demanding money but it seems unlikely they will succeed.

There's no suggestion climate change activism is at the heart of this ransomware attack, even though it's the environmental regulator being targeted.

The hack has all the hallmarks of Russian organised cyber criminals - although Sepa will not confirm that.

Critical services like flood forecasting are unaffected but entire systems will have to be rebuilt and it's unlikely the 1,300 workers will be able to get access to their old emails and online files.

The agency confirmed last week that following the attack at 00:01 on Christmas Eve, business continuity arrangements were immediately enacted and the agency's emergency management team was working with Scottish government, Police Scotland and the National Cyber Security Centre to respond to "complex and sophisticated criminality".

Sepa's chief executive Terry A'Hearn said: "Partners have confirmed that Sepa remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.

"Work continues by cyber security specialists to seek to identify what the stolen data was. Whilst we don't know and may never know the full detail of the 1.2 GB of information stolen, what we know is that early indications suggest that the theft of information related to a number of business areas.

"Some of the information stolen will have been publicly available, whilst some will not have been."

Specialist services

He said direct contact would be made as quickly as possible with affected organisations.

Mr A'Hearn added that staff members affected were being supported and given access to specialist advice and services.

Det Insp Michael McCullagh, of Police Scotland's cybercrime investigations unit, said: "This remains an ongoing investigation. Police Scotland are working closely with Sepa and our partners at Scottish government and the wider UK law enforcement community to investigate and provide support in response to this incident.

"Inquiries remain at an early stage and continue to progress including deployment of specialist cybercrime resources to support this response.

"It would be inappropriate to provide more specific detail of investigations at this time."