A 26-year-old Finnish man was sentenced today to more than six years in prison after being convicted of hacking an online psychotherapy clinic, leaking tens of thousands of patient treatment records and trying to blackmail the clinic and patients.
On October 21, 2020, the Vastaamo Psychotherapy Center in Finland became the target of blackmail when a perpetrator known as “ransom_man” demanded a payment of 40 Bitcoins (approximately €450,000 at the time) in exchange for a promise not to publish highly sensitive treatment records that Vastaamo had exposed online.
Ransom_man announced on the dark web that he would start publishing 100 patient files every 24 hours. When Vastaamo refused to pay, the extortionist turned to individual patients. According to Finnish police, around 22,000 victims have reported personal extortion attempts, with targeted emails threatening to publish their treatment notes online unless a ransom of 500 euros is paid.
Finnish prosecutors quickly identified the suspect: Julius “Zeekill” Kivimäki, a notorious criminal hacker who was convicted of tens of thousands of cyber crimes before reaching adulthood. In October 2022, Kivimäki fled the country after being accused of committing the attack. He was arrested four months later in France, where he had been hiding under an assumed name and passport.
Antti Kurittu is a former criminal investigator who worked on an investigation into Kivimäki’s use of the Zbot botnet, as well as Kivimäki’s other activities as a member of the hacker group Hack the Planet (HTP).
Kurittu said prosecutors asked for a minimum sentence of seven years in prison, and the final sentence was six years and three months. Kurittu said prosecutors agreed to reduce Kivimäki’s sentence by several months because he agreed to pay restitution to the victims, and that Kivimäki would remain in prison during any appeals process.
“I think, knowing the Finnish justice system, the sentence is as expected,” Kurittu told KrebsOnSecurity. “Since Kivimäki has not been given a non-suspended sentence in the past five years, he will still be considered a first offender despite his previous convictions.”
But because juvenile convictions in Finland do not count toward determining whether someone is a first-time offender, Kivimäki will end up serving about half of his sentence.
“Given the seriousness of his actions and the life-changing consequences for thousands of people, this may seem like a short sentence, but it is nearly the maximum penalty allowed by the law,” Kurittu said.
Kivimäki initially gained notoriety by claiming to be a member of Lizard Squad, a group of low-skilled hackers who specialize in DDoS attacks. But U.S. and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to someone who would become a founding member of HTP.
Finnish police said Kivimäki also used nicknames such as “Ryan,” “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of the rival hacker group LulzSec and was jailed for hacking).
Kivimäki and other HTP members participated in large-scale breaches of web servers by exploiting known vulnerabilities, and by 2012, Kivimäki’s pseudonym Ryan Cleary was selling access to these servers as a DDoS-for-hire service. Kivimäki was 15 years old at the time.
In 2013, investigators examining equipment seized from Kivimäki discovered computer code that had been used to compromise more than 60,000 web servers by exploiting previously unknown vulnerabilities in Adobe ColdFusion software. KrebsOnSecurity detailed HTP’s work in September 2013, when the group compromised servers within data brokers LexisNexis, Kroll, and Dun & Bradstreet.
The group exploited the same ColdFusion flaw to break into the National White Collar Crime Center (NW3C), a nonprofit organization that provides white collar crime research and investigative support to the Federal Bureau of Investigation (FBI).
As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by cybercriminals who had taken control of SSNDOB, which operates one of the most reliable underground services for obtaining Social Security numbers, dates of birth, and credit file information of U.S. residents.
In August 2014, Kivimäki issued a bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. Kivimäki was also involved in a number of fake bomb threats and “swatting” incidents: reporting a fake hostage situation at an address, prompting heavily armed police to respond to the location.
Ville Tapio, Vastaamo’s former chief executive, was fired and prosecuted after the breach. Ransom_man bragged about Vastaamo’s security flaws, pointing out that the company used a ridiculously weak username and password, “root/root”, to protect sensitive patient records.
Investigators later discovered that Vastaamo was initially hacked in 2018 and again in 2019, but Tapio never told anyone about the breach until ransom_man began his extortion spree. In April 2023, a Finnish court sentenced Tapio to three months in prison, but the sentence was suspended because he had no criminal record.