“Your psychiatric patient records will be published unless you pay me €500 in cryptocurrency within 48 hours”. 1% of the Finnish population received this demand within the last two weeks.
Multiple, potentially unrelated, hackers gained access to the systems of ‘Vastaamo’, a psychotherapy centre that treated more than 50,000 patients, primarily in Oulu and Tampere. The hackers exploited security breaches from 2018 and early 2019 which appear not to have been reported extensively to the authorities or the general public.
Individuals’ deeply intimate psychotherapeutic records became ammunition to blackmail and extract funds from both the hospital management and the patients. An internal investigation, which is still in progress, found deficiencies in information security. This led to the Board of Directors dismissing Vastaamo’s CEO, Ville Tapio. This makes the Vastaamo hack the biggest hacking incident with a ransom demand to target a medical facility.
For some time it has been unclear whether or not the treatment centre paid the ransom. A claim on Reddit asserted that Vastaamo management had paid the ransom, which they did not.
In a thread titled “Slightly interesting: The office seems to have paid the ransom”, a user posted the bitcoin address 37czPDZbsG8S8nmf85D5XN7D9HfFF3T3ia as that of the supposed extortionist, noting that it had moved 40 BTC (the ransom amount) in a period similar to when the extortion became public. The author’s own investigation concluded that this address is associated with the platform FTX, and that the 40 BTC arrived at the FTX-associated wallet from a provider called Deribit.
To the best of the author’s knowledge and abilities, those platforms have no connection to this ransom request: either the funds are unrelated to the case, or the claim is simply fake news.
As of today, patients have been threatened with publication of their records unless they pay about €500 to a unique cryptocurrency wallet address and send a confirmation email to the hackers.
Cybersecurity companies have joined forces with blockchain analytics providers to trace and identify the suspects. The individual or group claiming responsibility for this data theft has been unusually vocal about it on a deep web forum. They used a Darknet forum to release more than 300 individual patient records to the general public and threatened to release more if patients did not pay the ransom.
“This case upsets me as a human being because it is morally wrong to target members of the society who require psychological support. We engaged with the investigation at an early stage. For now, we have created a landing page where ransomware victims can share with us information as well as which cryptocurrency wallet address they have been asked to send the money to. We cannot release much due to the case being under investigation, but we have clusters, indications and won’t rest until the funds are traced and those responsible punished.”
Sven Martinsson, CEO, Valega Chain Analytics
A Finnish cryptocurrency broker has identified and stopped payments
To keep track of more than 50,000 expected payments, the hackers used a ‘cryptocurrency deposit provider’ that sends a notification once funds are received. Furthermore, the hackers suggested that victims use the cryptocurrency exchange Bittiraha to make the payment. The exchange itself has been able to spot ransom payment attempts, block a significant number of payments and return the money to the victims. It has also collected the cryptocurrency wallet addresses supplied by the extortionist.
Experience from recent hacks shows that the likelihood of recovering funds increases when victims provide the attacker’s cryptocurrency wallet addresses and allow companies to trace the hackers systematically.
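The two defensive steps described above, collecting wallet addresses reported by victims and screening outgoing payments against them, can be sketched in code. The block below is an added illustration written for this article; it is not code from Bittiraha, Valega Chain or any other party named here. It assumes legacy Base58Check bitcoin addresses, an in-memory set of reported addresses, a constructed EUR/BTC rate and the €500 demand from the article; the sample addresses are constructed from hashes of fixed strings, and the decision labels are the author's own.

```python
import hashlib

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data: bytes) -> bytes:
    """Double SHA-256, the checksum primitive of Base58Check."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version: int, payload: bytes) -> str:
    """Build a Base58Check address from a version byte and a 20-byte hash.
    Used here only to construct sample addresses for the demonstration."""
    raw = bytes([version]) + payload
    raw += _sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_decode(address: str):
    """Return (version, payload) for a valid address, or None if it contains
    non-Base58 characters, has the wrong length or fails its checksum."""
    n = 0
    for ch in address:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return None
    body, checksum = raw[:-4], raw[-4:]
    if _sha256d(body)[:4] != checksum:
        return None
    return body[0], body[1:]


def register_victim_reports(raw_reports, reported: set) -> int:
    """Add victim-supplied addresses (e.g. from a reporting form) to the
    blocklist, dropping entries that do not decode as valid addresses so that
    typos or junk submissions never pollute the list. Returns the number added."""
    accepted = 0
    for entry in raw_reports:
        addr = entry.strip()
        if b58check_decode(addr) is not None and addr not in reported:
            reported.add(addr)
            accepted += 1
    return accepted


def screen_payment(address: str, amount_btc: float, reported: set,
                   eur_per_btc: float, ransom_eur: float = 500.0) -> str:
    """Decide what an exchange should do with an outgoing payment.
    Returns 'reject-invalid', 'block-refund', 'review' or 'allow'."""
    if b58check_decode(address) is None:
        return "reject-invalid"      # mistyped or tampered address: never send
    if address in reported:
        return "block-refund"        # known extortion wallet: block and refund
    # Assumed heuristic: an unknown address receiving roughly the demanded sum
    # (within 10%) is routed to manual review rather than blocked outright.
    if abs(amount_btc * eur_per_btc - ransom_eur) <= 0.1 * ransom_eur:
        return "review"
    return "allow"


def run_demo() -> dict:
    """Constructed end-to-end scenario; returns the decision per payment."""
    extortion_addr = b58check_encode(0x00, hashlib.sha256(b"victim-reported-1").digest()[:20])
    ordinary_addr = b58check_encode(0x05, hashlib.sha256(b"unrelated-merchant").digest()[:20])
    reported: set = set()
    register_victim_reports([f"  {extortion_addr}  ", "not-an-address"], reported)
    rate = 10_000.0  # constructed EUR per BTC, not a market figure
    return {
        "ransom_to_reported": screen_payment(extortion_addr, 0.05, reported, rate),
        "ransom_sized_unknown": screen_payment(ordinary_addr, 0.05, reported, rate),
        "large_unknown": screen_payment(ordinary_addr, 1.0, reported, rate),
        "tampered": screen_payment(ordinary_addr[:-1] + "0", 0.05, reported, rate),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

The checksum validation matters in both directions: it keeps a mistyped address out of the blocklist, and it stops the exchange from sending funds to an address that a victim has mangled while copying it from the extortion email. The amount heuristic is deliberately soft (review, not block) because legitimate €500 purchases exist; the firm signal is the address match.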
The hacker claims to be a member of a larger but undisclosed organized group that regularly steals data for the purpose of extracting ransom payments. The delay between the security breach in 2018 and the blackmail attempts that surfaced more than two years later, on October 21st 2020, has been explained by their ‘heavy workload’ and the fact that it took the group a while to decode the Finnish documents and understand their value.
It remains unclear whether the hacker worked alone or whether different hackers were involved at different stages of the attack. A member of law enforcement (personal details remain with the author) who works closely with the investigation indicated that there is a high possibility that multiple hackers were involved in this case. Potentially one individual accessed the systems to extract the data, a second bought the database and demanded ransom from the management, and a third used the same database to extort ransom from the patients. There is also a suspicion that different hackers were piggy-backing on each other’s data. The complexity of this case has made it a candidate for future textbooks and case studies.
The hackers posted on Darknet forums in English and asked users for help translating emails from English to Finnish. Yet victims received emails in Finnish that were personalized to the recipient’s gender, derived by decoding the Finnish social security number. This indicates that the hackers most likely had at least a Finnish-speaking accomplice.
A history of data breaches at Vastaamo
Data breaches seem to be nothing new to Vastaamo management, as they have happened multiple times in the past. It is likely that the company knew about the leak but, until recently, did not notify patients or the general public so that they could take countermeasures.
“Extensive cooperation of law enforcement agents with blockchain analysis companies, Europol and cybercrime centres allows us to build effective tools for the prosecution of cybercrime. It is crucial to alert us as soon as possible. It is up to my Finnish colleagues to judge, but it seems like the period between the discovery of the data breach and the time when the Cybersecurity Center was alerted could most probably have been shorter. We can’t help the victim, or stop others from becoming victims, when we are kept in the dark!”
Jan Olsson, Police Superintendent, Swedish Cybercrime Center SC3
After the second data breach in 2019, Vastaamo launched an internal investigation with the Finnish cybersecurity provider Nixu, the results of which have not yet been disclosed.
Hacker releases the full data by accident
It is not yet known what the full scope of the leaked data is. For a few hours, the hackers made a large file of more than 10 GB available instead of a file limited to the data of the 300 patients mentioned in the threat. Due to very slow download speeds on the Tor network, it seems that nobody was able to download the file before the hackers discovered the mistake and removed it. The mistake could easily have stopped the hackers from achieving their objective, as they would no longer have been able to use the release of the data as a threat to extract funds from individuals.
The hackers have claimed that the patient data is currently stored on a public server with easily identifiable default root passwords. If this is true, it should ring alarm bells for all health care providers, as very little specialized knowledge would be needed to access the data.
“For years, the assumption has been that for-profit online criminals are not targeting health facilities, as they are going after financial targets instead. This has now changed. Before the internet revolution, protecting health information was simple as it was on paper. Now health information is data, and we need to be able to protect it for years, for decades.”
Mikko Hypponen – Chief Research Officer, F-Secure
Unfortunately, despite an extensive investigation and discussion of the case in the Finnish parliament, this story may take another unfortunate twist in the future, harming victims even more.
Not only health records but also social security numbers have been released, which can lead to a wave of identity theft and fraud. Other fraudsters may try to purchase gift cards or other items of low value using the social security number, address and personal information of victims through providers such as Klarna.
Klarna has already released a statement offering victims the option to block all purchases, a small step in the right direction. As the data has already leaked and is publicly available, it is important to act now to prevent further damage, rather than wait for another lengthy investigation by the Finnish parliament that will be too little, too late.
As the case remains under investigation by the Finnish Cyber Security Center, the Finnish National Supervisory Authority for Welfare and Health, and the Data Protection Commissioner, some details available to the author of this article have not been released, so as not to jeopardize the progress of the investigation.
For transparency purposes:
The contributor of this post is Head of Compliance at one of the leading cryptocurrency exchanges in the Nordics, ‘Safello’. He serves as a board advisor to Valega Chain, whose team launched an investigation at his request.