The Scottish Environment Protection Agency (SEPA) is continuing to struggle against a ransomware attack it suffered on Christmas Eve, which it said had “significantly impacted the organisation” - including the loss of its email system.

SEPA says it has refused to pay the ransom demanded, saying it will “not engage with criminals intent on disrupting public services and extorting public funds”.

The attackers have now dumped 4,000 SEPA files (or around 1.2GB of data) they stole on the dark web for others to view.

This suggests they have given up on monetising their stash in any way.

The files include some information which was already in the public domain, said SEPA, but many other sensitive files on staff and suppliers were not.

SEPA says areas of data covered by the theft include corporate plans, priorities and change programmes; project information related to commercial work with international partners and personal information on staff.

SEPA says it is still working to recover and analyse the data locked and stolen, before contacting and supporting affected organisations and individuals “over coming days and weeks”.

The theft is subject to a live criminal investigation and SEPA is continuing to work with the Scottish Government, Police Scotland, the UK National Cyber Security Centre and cyber-security specialists.

The environmental regulator said the theft was “likely” to have been committed by “international organised cyber-crime groups”.

SEPA chief executive Terry A’Hearn said: “For the time being we’ve lost access to most of our systems, including things as basic as our email system, but what we haven’t lost is our 1,200 expert staff.

“Through their knowledge, skills and experience we’ve adapted and since day one continued to provide priority regulatory, monitoring, flood forecasting and warning services.”

He added: “Whilst some systems and services may be badly affected for some time, step-by-step we’re working to assess and consider how we recover.”

Jude McCorry, chief executive of the Scottish Business Resilience Centre, said that SEPA had been “deliberately targeted”.

With ransomware attacks, sometimes the malware used is generally unleashed on public networks in a non-targeted way - the type of attack that crippled parts of the NHS a few years ago - or more determined and skilled attackers choose the organisations they specifically want to demand ransoms from.

Share Story: