UPDATED 22:15 EDT / JANUARY 17 2021

SECURITY

Scottish Environmental Protection Agency hit by ransomware attack

The Scottish Environmental Protection Agency has revealed that it was struck by a ransomware attack on Christmas Eve that shut down its internal networks.

The form of the ransomware attack was not disclosed, but the attack was detected at 12:01 a.m. Dec. 24. According to the agency, it affected its contact center, internal systems, processes and internal communications.

SEPA described the attack as “likely to be by international serious and organized cyber-crime groups intent on disrupting public services and extorting public funds.” The agency’s email systems are still down, with some internal systems and external data products remaining offline.

The BBC reported late last week that “this has been an incredibly sophisticated attack on Scotland’s environmental regulator which has locked their IT systems and crippled them now for three weeks.” It’s a convoluted way of saying they were struck by ransomware and didn’t have adequate backups to restore their systems. The BBC also said the attack has “all the hallmarks of Russian organized cybercriminals.”

SEPA itself ticked off the list of how to respond to a ransomware attack, such as hiring cybersecurity experts to analyze the attack and contacting police. Where it slightly differs is that the agency set five priorities in response to the ransomware attack, including “protecting Scotland’s environment.”

SEPA also disclosed that it believes 1.2GB of data was stolen in the attack, which it tries to dismiss as “the equivalent to a small fraction of the contents of an average laptop hard drive.” The data stolen includes business information, procurement information, project information and employee data.

Data theft became typical of ransomware attacks in the second half of 2020. So-called “double-tap” ransomware has come to the fore, with ransomware gangs no longer content with simply trying to extort companies and organizations by encrypting their files. They’re also stealing data and threatening to publish the stolen data if the ransom isn’t paid.

One example of a double-tap ransomware attack was one that targeted Kmart Corp. in December. In that case, the Egregor ransomware gang gave Kmart 72 hours to contact it before releasing stolen data on its website “Egregor News.”
