{
	"id": "24c0fa6e-63c1-4409-8d35-c42d728630dc",
	"created_at": "2026-04-06T00:08:07.24213Z",
	"updated_at": "2026-04-10T03:30:57.008424Z",
	"deleted_at": null,
	"sha1_hash": "6aa6ff28e5a29e6e5df6b03fa2f75ad2212ddd22",
	"title": "Scottish Environment Protection Agency refuses to pay ransomware crooks over 1.2GB of stolen data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37058,
	"plain_text": "Scottish Environment Protection Agency refuses to pay\r\nransomware crooks over 1.2GB of stolen data\r\nBy Paul Kunert\r\nPublished: 2021-01-18 · Archived: 2026-04-05 13:49:55 UTC\r\nScotland's environmental watchdog has confirmed it is dealing with an \"ongoing ransomware attack\" likely\r\nmasterminded by international \"serious and organised\" criminals during the last week of 2020.\r\n\"On Christmas Eve, the Scottish Environmental Protection Agency (SEPA) confirmed that it was responding to a\r\nsignificant cyber-attack affecting its contact centre, internal systems, processes and internal communications,\" it\r\nrevealed.\r\nEfforts to respond to the assault continue at the agency, which probes allegations of land, water and air pollution,\r\nand the \"matter is subject to a live criminal investigation and the duty of confidence is embedded in law,\" it said.\r\nSome \"internal systems and external data products\" remain offline as the investigation proceeds but the priority\r\nregulatory, monitoring, flood forecasting and warning services \"are adapting and continue to operate,\" SEPA\r\nadded.\r\nStaff schedules, some specialist reporting tools, systems and database are down and out, potentially for a\r\n\"protracted period\". Contact centres and web help services are being gradually restored, and regulatory teams are\r\nfocusing on the most important workloads.\r\nCertain systems have been \"isolated\" but SEPA warned that security experts working with the Scottish\r\ngovernment, Police Scotland and the National Cyber Security Centre \"confirm we remain subject to an ongoing\r\nransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting\r\npublic services and extorting public funds.\"\r\nIt is now clear that \"recovery may take a significant period\" and a \"number of SEPA systems will remain badly\r\naffected for some time, with new systems required\".\r\nSo what's been pinched? 
Security specialists going over the attack and its impact have so far identified a loss of\r\naround 1.2GB worth of data, an indication that \"at least four thousand files may have been accessed and stolen by\r\ncriminals\", SEPA said.\r\n\"Whilst we don't know and may never know the full detail of the 1.2GB of information stolen, what we know is\r\nthat early indications suggest that the theft of information related to a number of business areas,\" it added.\r\nThis was said to include publicly available regulated site permits; authorisation and enforcement notices; some\r\nSEPA corporate plans; project data involving procurement awards; project information connected to commercial\r\nwork with international partners; and staff information – though \"limited sensitive data was accessed\".\r\nSEPA has yet to identify the crew behind the attack but, according to Bank Info Security, the Conti ransomware\r\ngang appears to have published the data stolen.\r\nBrett Callow, a threat researcher with Emsisoft, told The Register: \"Conti may well be operated by the group\r\nresponsible for Ryuk. There are similarities in code, note and distribution mechanisms. Additionally, Conti\r\nemerged during a period of decreased Ryuk activity, which also suggested that it may be a successor for Ryuk.\r\nThat said, there has since been an uptick in Ryuk activity, with no corresponding decrease in Conti activity which\r\ncould, perhaps, indicate the group has splintered.\"\r\nSEPA CEO Terry A'Hearn said the agency will not pay.\r\n\"We won't be using public funds to pay ransom to criminals. This has commonly happened to other organisations,\r\nso we are following the experience that others have had, the advice from the police. 
We will recover our ability to\r\nhave data and systems, that may take some time but others have been through this,\" he told BBC Scotland.\r\n\"We will not be using public funds to pay ransom. We are already in the first three weeks re-establishing our\r\nability to carry out our critical services, and over the next few weeks and months we will continue to do that so\r\nthat we can protect the environment.\" ®\r\nSource: https://www.theregister.com/2021/01/18/scottish_environment_protection_agency_refuses_to_pay_ransom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.theregister.com/2021/01/18/scottish_environment_protection_agency_refuses_to_pay_ransom/"
	],
	"report_names": [
		"scottish_environment_protection_agency_refuses_to_pay_ransom"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434087,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6aa6ff28e5a29e6e5df6b03fa2f75ad2212ddd22.pdf",
		"text": "https://archive.orkl.eu/6aa6ff28e5a29e6e5df6b03fa2f75ad2212ddd22.txt",
		"img": "https://archive.orkl.eu/6aa6ff28e5a29e6e5df6b03fa2f75ad2212ddd22.jpg"
	}
}