Ransomware Attackers Try Publishing 4,000 Scottish Government Agency Files (threatpost.com)
Threatpost reports:
On the heels of a ransomware attack against the Scottish Environmental Protection Agency (SEPA), attackers have now reportedly published more than 4,000 files stolen from the agency — including contracts and strategy documents.
After hitting SEPA on Christmas Eve with the attack, cybercriminals encrypted 1.2GB of information. The attack has affected SEPA's email systems, which remain offline as of Thursday, according to the agency. However, SEPA, which is Scotland's environmental regulator, stressed on Thursday that it will not "engage" with the cybercriminals. "We've been clear that we won't use public finance to pay serious and organized criminals intent on disrupting public services and extorting public funds," said SEPA chief executive Terry A'Hearn in a statement... SEPA's email and other systems remain down, and "what is now clear is that with infected systems isolated, recovery may take a significant period," according to the agency in its update. "A number of SEPA systems will remain badly affected for some time, with new systems required..."
The incident also points to ransomware actors evolving from previously destroying critical data or bringing companies' services and operations to a standstill, to now threatening to disclose sensitive data publicly, Joseph Carson, chief security scientist and Advisory CISO at Thycotic told Threatpost.
Re: (Score:2, Informative)
I know this is a troll, but FWIW much of the most valuable data will be stored on Linux servers.
Re: (Score:2)
Should we force the IT staff to take the financial hit if their sloppy work led to the breach? The answer to both questions is NO, for multiple reasons.
Re: (Score:1)
Just tell them all to hire me instead of some jackass windows admin who personally still is running win95 for security reasons.
So what's new here is (Score:3)
"SEPA, which is Scotland's environmental regulator [...] SEPA's email and other systems remain down"
Before the hack, you'd send them an email, the system would mail back a reception acknowledgment, and then nobody would get back to you. Now you don't even get the acknowledgment anymore.
Worst ransom attack ever (Score:3)
Not even the Scottish Environmental Protection Agency cares about the contents of the Scottish Environmental Protection Agency's files.
Re: (Score:3)
He's never heard of wget.
Compliments (Score:4, Insightful)
I compliment the agency for doing the right thing, and i'm glad that apparently they don't have such significant secrets that they would want to cover up, but instead consider just as a massive 'freedom of information' request.
Says something about them. Wish more governmental institutes were like that.
If it's not Scottish agent files... (Score:1)
Ransom or blackmail? (Score:4, Interesting)
Ok, so according to the summary, the attackers encrypted 1.2GB of data, asked for ransom to decrypt it, but upon not receiving the ransom they decrypted it themselves and published it. If it was a ransom attack, why give back the decrypted data anyway? If it was a blackmail situation, why bother encrypting the data in the first place? Or was it just a case of pissed-off ransomware attackers wanting to get back at the non-paying victim?
Re: (Score:3)
Criminals are dumb, news at 11
Expectations of a Ransomware Strategy (Score:5, Insightful)
We all know that computer systems contain vulnerabilities and that malicious actors can exploit those vulnerabilities to "do stuff". Since "Ransomware" now falls within that general umbrella definition of "stuff", the attack on SEPA's computer systems should surprise nobody, least of all SEPA.
In order for an individual or an organization to fall victim to this sort of ransomware, it is first necessary for three broad issues to be present in the organization. The first is self-evident - likely someone inside the organization has to carelessly click a link, browse an insecure web site with an inadequately protected browser, or open an attachment that they do not recognize. This is the trigger event that has to happen before the organization can fall victim. Typically, this risk is addressed with user training, although the quality and effectiveness of this is variable.
The second failure within the organization that is required for malware like this to be effective is that the technical infrastructure of the organization has to be vulnerable to exploit. This could mean a wide range of things, from whether or not the IT department performs patching, to keep known vulnerabilities off the network; or it could mean the intelligent and thoughtful use of technology protection solutions: anti-malware agents on desktops; the use of micro-virtualization services for browsers and all file attachments; the presence of Intrusion Detection Systems [IDS] on file share servers [which can detect if malware running on a workstation is iterating through a document library, altering the file size and/or hash value of individual files]; the use of containerization or detonation chambers to test suspicious or untrusted code or files.
The third failure of the organization concerns the availability of effective operational backup practices. Unfortunately, the human cost of supporting technology means that in too many organizations we tend to rely on fully automated solutions that combine some form of backup and recovery suite software with disk-to-disk data replication (and/or we leverage remotely mirrored disks, with RAID arrays being mirrored and synchronously replicated between physically separated locations). The problem with disk-to-disk data mirroring is that in many cases the destination location is visible on the network - which means it is visible to malware and just as vulnerable as the primary source.
So, unfortunately, none of these can provide assured protection against the more advanced strains of "submarine malware"... In this version, the malware doesn't start encrypting your entire document library at the get-go. Instead, it installs an "encryption shim" between your office software and the files on disk, silently encrypting every file that you write and then decrypting it if you open it again. It does this so that you don't notice that it is present, giving it the chance to corrupt more and more of your data. And best of all, it knows these are files you need, because you are opening them and working on them now. These are current data, not old or obsolete documents. After a pre-determined period of time, the malware destroys its decryption keys and locks you out of your data.
But the scenario I describe here is now thoroughly understood, not just by anti-malware vendors, but by organizations too. There can literally be NO EXCUSE for falling foul of crypto-malware. If you are a technologist and you haven't implemented [and tested and validated] protective measures against crypto-malware, then, to be a bit blunt about it, what do you expect? OK, this would be an entirely unfair challenge to direct at an average home user... but SEPA? Surely the Scottish Government has someone that provides cyber advice to departments? Surely that person has developed, implemented and tested a strategy to protect that government from crypto-malware? Surely SEPA has been independently tested to show that their practices are ad
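The file-server IDS heuristic the comment above sketches (watching for a process that churns through a document library rewriting file after file) can be shown in code. The following is an added example, not the commenter's code and not anything from SEPA or Threatpost. It scores each write by the Shannon entropy of the bytes written, as a stand-in for the size/hash comparison the comment mentions: ciphertext and compressed data sit near 8 bits per byte, office documents and plain text well below. A process that writes high-entropy content to many distinct files inside a short window is flagged; a backup job writing one large archive is high entropy but touches a single path, so it is not. The event feed, the share paths and the process name "locker.exe" are constructed for the demonstration; a real deployment would take these from the file server's audit log.

```python
"""Added example: flag ransomware-like mass rewrites on a file share.

Toy version of the file-server IDS heuristic described in the comment above.
Each write is scored by the Shannon entropy of the bytes written; a process
that rewrites many distinct files with ciphertext-like content inside a
short window is reported.
"""
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    ts: float       # seconds since monitoring started
    process: str    # writing process as reported by the file server
    path: str       # file that was rewritten
    data: bytes     # leading block of the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_mass_encryption(events, window=60.0, min_files=20, entropy_threshold=7.5):
    """Return {process: distinct_files} for every process that wrote
    high-entropy content to at least `min_files` distinct paths within
    any `window`-second span. One big archive from a backup tool is high
    entropy but touches a single path, so it does not trip the rule."""
    high_entropy = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.data) >= entropy_threshold:
            high_entropy[ev.process].append(ev)

    flagged = {}
    for proc, evs in high_entropy.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= `window` seconds
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = {e.path for e in evs[start:end + 1]}
            if len(distinct) >= min_files:
                flagged[proc] = max(flagged.get(proc, 0), len(distinct))
    return flagged


def _random_bytes(rng: random.Random, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (seeded so the sample is repeatable)."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def sample_events():
    """Constructed sample traffic (hypothetical paths and process names):
    a word processor saving two documents, a backup job writing one
    compressed archive, and 'locker.exe' overwriting 40 documents in 10 s."""
    rng = random.Random(2020)
    events = [
        WriteEvent(0.0, "WINWORD.EXE", "/share/reports/q3.docx",
                   b"Quarterly water quality summary " * 40),
        WriteEvent(30.0, "WINWORD.EXE", "/share/reports/q4.docx",
                   b"Draft flood risk strategy " * 40),
        WriteEvent(45.0, "backup.exe", "/backup/share-2020-12-24.zip",
                   _random_bytes(rng, 4096)),
    ]
    for i in range(40):
        events.append(WriteEvent(100.0 + i * 0.25, "locker.exe",
                                 f"/share/contracts/{i:03d}.pdf",
                                 _random_bytes(rng, 2048)))
    return events


if __name__ == "__main__":
    for proc, n in detect_mass_encryption(sample_events()).items():
        print(f"ALERT: {proc} rewrote {n} files with ciphertext-like content")
```

The thresholds are the tunable part: `min_files` and `window` set how much damage is tolerated before an alert, and `entropy_threshold` has to sit above whatever legitimately compressed formats (zip, modern office files, media) the share already holds, or the rule will page on every backup run. The encryption-shim variant the comment goes on to describe defeats this rule by design, since each file is written once and reads back as plaintext, which is why the commenter treats offline, non-network-visible backups as the last line rather than detection.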
Government Data = Public Domain (Score:2)
All information in a government's possession should be freely available to taxpayers. If the information is too secret or sensitive, then the government should not have it in the first place.
See if you can find an exception.
Re: (Score:2)
Sorry, but that's way too broad. I'll grant that governments are usually insanely restrictive, but there ARE files that shouldn't be released. Say your bank account / credit card numbers. And they NEED to be able to audit the banks. (That they don't do it often enough, I'll agree.)
Re: (Score:2)
And why should your bank and credit card information not be released? What is the harm? And does it have to be the Government auditing the banks?
You say things as if they are the received truth, but I want real reasons.
Janet Yellen says we are not allowed to transact outside the "Financial System". Does that have something to do with it?
Re: (Score:1)
OK, post your full credit card details, name, number, start/expiry, CCV, registered address right here, right now.
We'll be waiting.
(No we won't, because you're a moron and a liar).
Re: (Score:2)
You may be overreacting. I read that as satire.
Re:Government Data = Public Domain (Score:4, Informative)
All information in a government's possession should be freely available to taxpayers. If the information is too secret or sensitive, then the government should not have it in the first place.
See if you can find an exception.
Tax returns
Medical records
Individually identifiable census data
In progress criminal investigations
Detailed information about intelligence operatives
Classified information that actually does need to be classified
Re: (Score:1)
Tax returns
The Donald
Medical records
Why does the government have them?
Individually identifiable census data
Why does the government have it?
In progress criminal investigations
I am ok with the judge sealing the warrant for a limited time.
Detailed information about intelligence operatives
What of value will be lost?
Classified information that actually does need to be classified
Example? Either it should not exist, or it sh
Re: (Score:2)
Tax returns
The Donald
Tax returns contain a lot of private information that can be implied such as who you worship, your political affiliation, your orientation, etc. It is not for the government to release such information. In the case of The Donald, it is for him to decide. Historically, presidential candidates (at least here in the US) have voluntarily released their own tax returns. Failure to do so impacts public sentiment. The election was pretty close. If Mr. Trump had released his returns it might have tipped the scales
Re: (Score:2)
This has been done to allow the candidate to show their honesty and integrity and to show that they are not beholden to others, or to put it another way, to show that they are free from the risks of coercion or bribery.
In the case of Donald Trump, he publicly said before he was elected that he loved debt, that he loved to be thought o