Attackers are demanding about $500,000 in ransom from the management of Vastaamo, a large network of psychotherapy clinics in Finland. Since Vastaamo is a nationwide medical network with more than a dozen departments, the data of tens of thousands of patients is at risk. Even worse, confidential patient information has already been partially published on the darknet, and the hackers have contacted some of Vastaamo's clients directly.
Vastaamo's management officially announced the incident for the first time last week. It then became known that back in September 2020 the hacker had contacted three employees of the medical facility and demanded a ransom of 40 bitcoin (more than $500,000 at the current exchange rate), threatening to publish the stolen patient data otherwise.
Moreover, according to local media, the attacker is already carrying out his threats, and at least 300 case histories have been published on the darknet. It is also reported that, having obtained nothing from Vastaamo's management, the extortionist began contacting patients directly by e-mail and demanding $240 in cryptocurrency from each of them for removing their records from the stolen database. Apparently, the attacker came up with this after several people found out about the leak and offered the hacker money to remove their information from the database. According to Ilta Sanomat, the blackmailer set a price of 0.05 bitcoin (about $650) for them.
The same publication notes that the attacker "writes in very good English" and uses secure email services. The hacker first used Tutanota and then switched to Protonmail and Cock.li.
Last weekend, the incident was officially confirmed by the National Bureau of Investigation of Finland, which said that the leak affected the data of tens of thousands of patients. In turn, journalists from Helsingin Sanomat found out that the extortionist had already leaked at least 2000 case histories. They write that the hacker uploaded a 10 GB file containing information about Vastaamo patients, including their names, social security numbers, postal and email addresses, phone numbers, and notes from therapists.
Vastaamo is now providing updates on the incident almost daily, and the facility is working on an investigation with the Finnish Cybersecurity Center, Valvira, and the data protection commissioner. Finnish ethical hackers are also helping the investigation, and the information security company Nixu is studying the technical aspects of the hack. It was Nixu's experts who discovered that the breach itself probably took place back in November 2018…
Interestingly, this was not the only attack on Vastaamo. It has now emerged that in mid-March 2019 there was another incident, which was known to the head of the network of clinics, but he decided to keep it secret from the board of directors, the authorities and the victims. When the incident came to light, the Vastaamo board of directors dismissed the head of the company from his post. At the same time, it is not yet known whether the hackers managed to steal any data during the March attack.
According to the latest reports from Vastaamo and the Nixu investigation, it has so far been confirmed that the medical facility's infrastructure has had no critical vulnerabilities and has not been attacked since March 2019.