April 5, 2021

Ransom Hackers In Finland Are Using Psychotherapy Medical Records As Ammunition

“Your psychotherapy patient records will be published unless you pay me €500 in cryptocurrency within 48 hours”. A little less than 1% of the Finnish population received this demand within the last two weeks. Multiple, potentially unrelated, individuals have gained access to records of the ‘Vastaamo’ psychotherapy centres, which treated around 40.000 patients, primarily in Oulu and Tampere. The hackers exploited a security breach from 2018 and early 2019 that does not seem to have been extensively reported to the authorities or the general public.

This article was first published on Forbes.


Individuals' deeply intimate psychotherapeutic records became ammunition to blackmail and extract funds from both the hospital management and the patients. The company's internal investigation, which is still in progress, found deficiencies in information security. This led to the Board of Directors terminating the CEO of Vastaamo, Ville Tapio. The Vastaamo hack is the biggest ransom demand so far to target a medical facility.

The hacker claims to be a member of a larger but undisclosed organized group that regularly steals data for the purpose of extracting ransom payments. The delay between the security breach in 2018 and the blackmail attempts that surfaced more than two years later, on October 21st, 2020, has been explained with their ‘heavy workload’ and the fact that it took the group a while to decode the Finnish documents and understand their value.

For some time it has been unclear whether or not the treatment centre paid the ransom. There has been a claim on Reddit that Vastaamo management paid the ransom, which the management denies.

In a thread titled “Slightly interesting: The office seems to have paid the ransom”, a user posted the bitcoin address 37czPDZbsG8S8nmf85D5XN7D9HfFF3T3ia as that of the supposed extortionist. The address moved 40 BTC (the ransom amount demanded from the management) in a period similar to when the extortion was made public. The author's own investigation concluded that this address is associated with the platform FTX, and that the 40 BTC arrived at the FTX-associated wallet from a provider called Deribit.

To the best of the author's knowledge, those platforms have no connection to this ransom request and those funds are unrelated to the case; put simply, this claim is fake news.

As of today, patients have been threatened with blackmail unless they pay up to about €500 to a unique cryptocurrency wallet address and send a confirmation email to a dedicated address.

Screenshot from Twitter: one of the wallet addresses sent by the hacker to a victim of the Vastaamo hack (HTTPS://TWITTER.COM/NULLLZERO/STATUS/1319261140791283713)

The hackers have used a ‘cryptocurrency deposit provider’ that notifies them once funds are received, in order to keep track of the thousands of payments they expect.

In the meantime, cybersecurity companies have joined forces with blockchain analytics providers to trace and identify the suspects. The individual or group who claim responsibility for this data theft have been unusually vocal about it on a deep web forum, which they used to release more than 300 individual patient records to the general public and to threaten to release more if patients did not pay the ransom.

“This case upsets me as a human being because it is morally wrong to target members of the society who require psychological support. For now, we have created a landing page where ransomware victims can share with us information as well as which cryptocurrency wallet address they have been asked to send the money to. We cannot release much due to the case being under investigation, but we have clusters, indications and won’t rest until the funds will be traced and those responsible punished” - Sven Martinsson, CEO, Valega Chain Analytics

A Finnish cryptocurrency broker has identified and stopped payments

In the emails the attackers have suggested using the cryptocurrency exchange provider Bittiraha to conduct the payment. The provider itself has been able to spot ransom payment attempts, block a significant number of payments and return the money to the victims, as Vastaamo does not recommend paying the ransom on its official website. Despite the refunds, the platform has been able to collect the wallet addresses provided by the extortionist, which may be used in the further investigation. Experience from recent Twitter hacks shows that the likelihood of recovering funds increases when victims provide the attacker’s cryptocurrency wallet addresses and allow companies to trace them systematically.

It remains unclear whether the hacker worked alone or whether different individuals were involved at different stages of the attack. A member of law enforcement (personal details remain with the author) who works closely with the investigation indicated that there is a high possibility of multiple participants in this case. Potentially, one individual accessed the systems to extract the data back in 2018 or 2019; a second one received access to the database and demanded ransom from the management; a third used the same database to try to extort ransom from the patients. There is also a suspicion that different hackers were piggy-backing on each other’s data.

One indication of cooperation has been a post on the darknet, written in English, requesting help from users with translating emails from English to Finnish. Victims did receive emails in Finnish, personalized to the receiver’s gender based on decoding the Finnish social security number. This indicates a Finnish-speaking accomplice, at the least.

Screenshot: example of a ransom email sent in Finnish to the patients of Vastaamo (HTTPS://TWITTER.COM/NULLLZERO/STATUS/1320082821512298496)

A history of data breaches at Vastaamo

Data breaches seem to be nothing new to Vastaamo management, as they have happened multiple times in the past. It is likely that the company knew about the leak but, until recently, did not notify patients or the general public extensively enough for them to take countermeasures.

“Extensive cooperation of law enforcement agents with blockchain analysis companies, Europol and cybercrime centres allows us to build effective tools for the prosecution of cybercrime. It is crucial to alert us as soon as possible. It is up to my Finnish colleagues to judge, but it seems like the period between the discovery of the data breach to the time when the Cybersecurity Center has been alerted could most probably have been shorter. We can’t help the victim, or others from becoming victims, when we are kept in the dark!”

Jan Olsson, Police Superintendent, Swedish Cybercrime Center SC3

After the second data breach in 2019, Vastaamo launched an internal investigation with the Finnish cybersecurity provider Nixu, the findings of which have not been disclosed yet.

Hacker releases the full data by accident

It is not yet known what the full scope of the leaked data is, so the number of affected individuals is not yet certain. However, for a few hours one morning the hackers made a file of more than 10 GB available instead of the file limited to the data of the 300+ patients mentioned in the threat. This is believed to have been a mistake: the wrong file was uploaded to their server.

Due to very slow download speeds on the Tor network, it seems that no source was able to download the full file before the hackers discovered the mistake and removed it.

The mistake could not only expose the full scope of the available data but also prove costly for the attackers, as releasing the data removes the incentive for individuals to pay the ransom.

While bragging on the dark web about how they accessed the data, the crackers claimed that the patient data had previously been stored on a public server with easily identifiable default root passwords. If this is true, it should ring alarm bells for all health care providers, as very little specialized knowledge would be needed to access the data.

“For years, the assumption has been that for-profit online criminals are not targeting health facilities, as they are going after financial targets instead. This has now changed. Before the internet revolution, protecting health information was simple as it was on paper. Now health information is data, and we need to be able to protect it for years, for decades.”

Mikko Hypponen - Chief Research Officer, F-Secure

Unfortunately, despite an extensive investigation and discussion of the case in the Finnish parliament, this story may take another twist in the future, harming the victims even more.

Not only health records but also social security numbers, addresses, emails and phone numbers have been released, which can lead to a wave of identity theft and fraud. Other fraudsters may try to use the data to purchase gift cards or other low-value items with victims' social security numbers, addresses and personal information at buy-now-pay-later providers.

Klarna has already released a statement offering victims the option to block all purchases, a small step in the right direction. As the data has already leaked and is publicly available, it is important to act now to prevent further damage, rather than wait for another lengthy investigation by the Finnish parliament that will be too little, too late.

Final notes:

As the case remains under investigation by the Finnish Cyber Security Centre, the Finnish National Supervisory Authority for Welfare and Health, and the Data Protection Commissioner, some details available to the author of this article have not been released, so as not to jeopardize the progress of the investigation.

For transparency purposes:

The contributor of this post is Head of Compliance at ‘Safello’, one of the leading cryptocurrency exchanges in the Nordics. He serves as a board advisor to Valega Chain, whose team launched an investigation at his request.
