According to SEPA, an initial investigation suggests that a highly organised, international cyber-crime group is behind the attack, intending to disrupt SEPA's public services and extort public funds. The Agency's email system is still down almost a month after the initial attack, and some internal systems and external data products will remain offline in the short term.
Despite that, SEPA has adapted priority services like flood forecasting and monitoring to the situation, and they continue to operate. Many of the infected machines have been isolated, though SEPA believes entirely new systems will be required for the services to return to normal.
The cyber criminals only stole about 1.2GB of data in the ransomware attack - a tiny amount, in modern data terms. It included employee information, business and procurement data, and details of some projects.
SEPA is working with the National Cyber Security Centre (NCSC), Scottish government and Police Scotland to mitigate the attack and identify the hackers. It also says it is taking professional advice from cyber security experts for the recovery of its affected systems.
While SEPA did not discuss what form of ransomware it has been hit with, the operators behind Conti ransomware have reportedly published data they claim belongs to SEPA. Stealing confidential data from victims has become increasingly common for ransomware gangs.
In June last year, the actors behind the REvil ransomware launched an auction site, 'The Happy Blog', to sell data stolen from companies it had compromised.
The group posted samples of data belonging to Canadian firm Agromart Group, and claimed that scanned copies of Agromart's financial accounts, agreement forms and credit application, personal net worth documents and users' age records were among the data available for auction.
In March 2020, three ransomware groups - Nefilim, the CLOP and the Sekhmet - also established websites to publish the sensitive data of non-payers. Earlier this month, the operators of the Pysa (or Mespinoza) ransomware published what they claimed to be documents stolen from the Hackney Borough Council on a dark web forum.
The hackers said they were behind the October cyber attack on the Council, which disrupted its online services and left many of the systems inoperable four months ago.