A Finnish hacker, Julius “Zeekil” Kivimäki, was recently sentenced to six years and three months in prison for orchestrating an extortion scheme targeting a psychotherapy clinic in Finland.
What happened
According to the BBC, 26-year-old Kivimäki was found to have led extortion schemes targeting the Vastaamo Psychotherapy Center in Finland. He stole sensitive records from approximately 33,000 patients and demanded ransom payments in exchange for deleting them.
The Vastaamo Psychotherapy Center, a prominent mental health service provider in Finland, became the target of Kivimäki's activities in October 2020. Posing as "ransom_man," Kivimäki demanded a payment of 40 bitcoins (approximately $500,000 at the time) in exchange for a promise not to publish therapy session notes he had obtained through hacking.
When Vastaamo refused to pay, Kivimäki escalated his attack, shifting his focus to extorting individual patients. According to Finnish authorities, over 22,000 victims reported receiving threatening emails that demanded a $500 ransom, with the threat that their therapy records would be published online if they failed to comply.
Going deeper
Kivimäki has been a wanted man for several years; his involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of Hack the Planet (HTP). Soon after, he allegedly became a member of the Lizard Squad, a hacker collective known for its distributed denial-of-service (DDoS) attacks. In these attacks, cybercriminals flood a server with traffic, preventing legitimate users from accessing it.
Investigators found that Kivimäki and his HTP associates exploited vulnerabilities in web servers, selling access to them as a DDoS-for-hire service. In 2013, Kivimäki used a new flaw in Adobe's ColdFusion software to breach over 60,000 web servers. These servers were used to compromise data broker servers and those of the National White Collar Crime Center (NWC3), a non-profit supporting the FBI.
What was said
During the sentencing, the prosecution had initially demanded at least seven years in jail for Kivimäki. However, the court ultimately handed down a sentence of six years and three months, with a few months shaved off due to Kivimäki's agreement to compensate victims.
According to former investigator Kurittu, the sentence handed down to Kivimäki, while within the legal limits, may be considered relatively short given the gravity of his actions and the life-altering consequences suffered by thousands of individuals.
Why it matters
The Vastaamo case serves as a reminder of the consequences of inadequate cybersecurity practices, particularly in the healthcare sector, which often holds sensitive data. The breach and subsequent extortion attempts caused distress to victims and showed the societal impact of such breaches.
FAQs
What was the motivation behind Kivimäki's attacks?
Investigators suggest that Kivimäki was motivated both by financial gain and by a desire for power over his victims. By targeting psychotherapy patients and threatening to expose their sensitive personal information, Kivimäki hoped his targets would be more willing to pay the ransom demands.
Why was Kivimäki's sentence considered relatively short?
Despite the severity of his crimes, Kivimäki is a first-time offender, which allowed him to receive a more lenient sentence.
How can similar incidents be prevented in the future?
Addressing the growing threat of cybercrime requires a multifaceted approach, including stricter legal penalties, improved rehabilitation programs for offenders, and increased collaboration between the public and private sectors to enhance cybersecurity resilience. Additionally, healthcare organizations should prioritize the security and privacy of patients by investing in security measures like email encryption.