The Scottish Environment Protection Agency (SEPA) has confirmed it is “continuing to respond to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups.”

SEPA’s CEO said it remains subject to an ongoing attack likely to be the work of groups “intent on disrupting public services and extorting public funds.”

SEPA first reported the attack on December 24.

The agency also confirmed the theft of 1.2 GB of data and said four thousand files may have been accessed and stolen by criminals.

“The matter is subject to a live criminal investigation and the duty of confidence is embedded in law,” said SEPA.

“The agency confirmed last week that following the attack at 00:01 Hrs on Christmas Eve, business continuity arrangements were immediately enacted and the agency’s emergency management team was working with Scottish Government, Police Scotland and the National Cyber Security Centre to respond to what is complex and sophisticated criminality.

“SEPA’s approach continues to be to take the best professional advice from the multi-agency partners, including Police Scotland and cyber security experts, to support its response.

“The agency advised that, for the time being, it needed to protect the criminal investigation and its systems.

“Consequently some internal systems and external data products will remain offline in the short term.

“Priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.”

SEPA CEO Terry A’Hearn said: “Whilst having moved quickly to isolate our systems, cyber security specialists, working with SEPA, Scottish Government, Police Scotland and the National Cyber Security Centre have now confirmed the significance of the ongoing incident.

“Partners have confirmed that SEPA remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.”

SEPA added: “What is now clear is that with infected systems isolated, recovery may take a significant period.

“A number of SEPA systems will remain badly affected for some time, with new systems required.

“Email systems remain impacted and offline.

“Information submitted to SEPA by email since Christmas Eve is not currently accessible and whilst online pollution and enquiry reporting has now been restored, information submitted in the early stages of the attack is currently not accessible.”

A’Hearn added: “We have prioritised our legal obligations and duty of care on the sensitive handling of data very seriously … which is why we have worked closely with Police Scotland, Scottish Government, the National Cyber Security Centre and specialist cyber security professionals day and night since Christmas Eve.

“Work continues by cyber security specialists to seek to identify what the stolen data was.

“Whilst we don’t know and may never know the full detail of the 1.2 GB of information stolen, what we know is that early indications suggest that the theft of information related to a number of business areas.

“Some of the information stolen will have been publicly available, whilst some will not have been.”