Finnish prosecutors begin investigation this week Julius KiwimakiA 26-year-old Finnish man has been accused of blackmailing a once-popular but now-bankrupt online psychotherapy clinic and its thousands of patients. In a 2,200-page report, Finnish authorities laid out how they linked the ransomware spree to notorious hacker Kivimäki. Kivimäki was convicted in 2015 of committing tens of thousands of cyber crimes, including data exfiltration, payment fraud, operating botnets and deploying bombs. threaten.
In November 2022, Kivimäki was accused of trying to extort money from the company. Reception Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the account “Ransom Man” threatened to release patient psychotherapy records if Vastaamo did not pay a six-figure ransom.
Vastaamo refused, so Ransom Man turned to blackmailing individual patients – sending them targeted emails threatening to release their treatment records unless a €500 ransom was paid. When extortionists realize that direct extortion of patients has little effect, they upload a large, compressed archive containing all stolen Vastamo patient records to the dark web.
Security experts soon discovered that the ransomware had mistakenly included a complete copy of their home folder, where investigators found numerous clues pointing to Kivimäki’s involvement. By that time, Kivimäki was no longer in Finland, but the Finnish government was still absent from charging Kivimäki with the Vastamo hack. The 2,200-page document of evidence against Kivimäki shows that he lived a lavish lifestyle while on the run, frequenting luxury resorts and renting extremely expensive cars and living quarters.
But in February 2023, Kivimaki was arrested in France after French authorities responding to a domestic disturbance call found the defendant hungover and sleeping on the sofa of a woman he had met the night before. French police became suspicious when the 6-foot-3-inch, blond man with green eyes showed an identity document showing he had Romanian nationality.
A redacted copy of the identity document Kivimaki provided to French authorities, claiming he was from Romania.
Finnish prosecutors said Kivimäki’s credit card had been used to pay for a virtual server hosting stolen Vastaamo patient notes. What’s more, the home folder included in the Vastaamo patient data archive also allowed investigators to peer into other cybercrime projects of the accused, including domains that Ransom Man had access to as well as a lengthy history of commands he’d executed on the rented virtual server.
Some of the domains allegedly managed by Kivimäki were set up to discredit various companies and individuals. One of the sites, purporting to be created by the head of IT infrastructure at a major Norwegian bank, discussed the idea of decriminalizing child sexual abuse.
Another domain hosted a fake blog that tarnished the reputation of a Tulsa, Oklahoma, man whose name was attached to a story about supporting the “white pride” movement and calling for clemency in Oklahoma City bomber Timothy McVeigh’s blog post.
Kivimäki also appeared to be trying to tarnish the journalist’s reputation.The 2,200-page document shows Kivimäki owns and operates the domain Krebson Security Company[.]organizewhich hosted various hacking tools allegedly used by Kivimäki, including programs that mass-scanned the Internet for systems vulnerable to known security vulnerabilities, as well as programs used to crack database server usernames and passwords and download data library script.
Ransom inadvertently included a copy of his home directory in leaked Vastaamo patient data. The lengthy history of commands run by this user indicates that they used krebsonsecurity-dot-org to host hacking and scanning tools.
Mikko HyponenChief research officer at WithSecure (formerly F-Secure) said Finnish authorities have done an “amazing job” and “rarely have there been so many cases of cybercrime evidence.”
Petri Jarvinin A respected IT expert and author who has been following the trial, he said the prosecution’s evidence so far has been strong.
“The National Bureau of Investigation did a great job, but Mr. Kiwimaki made some stupid mistakes,” Jarvinen wrote on LinkedIn. “This sends an important message: cybercrime does not pay. Even if the police from the world It’s very tedious to collect traces from servers everywhere, and traces will be left in the digital world.”
Anti Curito is an information security expert and former criminal investigator. In 2013, Kurittu was involved in an investigation involving Kivimäki’s use of the Zbot botnet, as well as Kivimäki’s other activities as a member of the hacker group Hack the Planet (HTP). Curito said it remains to be seen whether prosecutors will be able to make their case and whether the defense will have any answers to all the evidence presented.
“Based on public pretrial investigative reports, many details of the case appear unlikely to be coincidences,” Curitu told KrebsOnSecurity. “For example, a complete copy of Vastaamo’s patient database was found on Scanifi’s servers, and the company There is no business association with Kivimäki. The contents of the leaked home folder were also connected to Kivimäki and were found on servers he controlled.”
finland daily yle.fi Kivimäki’s lawyers reportedly sought to have their client released from jail for the remainder of the trial, noting that the defendant had been detained for eight months.
The court rejected the request, saying the defendant still posed a flight risk. Kivimäki’s trial is expected to last until February 2024, in part to hear testimony from a large number of victims. Prosecutors are seeking a seven-year prison sentence for Kivimäki.
