Kivimäki, 25, has been sought by Europol since November 2022. Authorities issued an arrest warrant after Kivimäki failed to appear for a late October 2022 court hearing to face charges of hacking the Helsinki-based Vastaamo Psychotherapy Center. Vastaamo, now defunct, was a public health contractor providing mental health services to thousands of Finns. The breach was first made public in 2020, though the hacking campaign started in 2018. Authorities allege that after failing to first extort Vastaamo for about €450,000, then moving to extort individual patients, Kivimäki — a.k.a “ransom_man” and member of the “Hack the Planet” (HTP) hacker group — instead published patient records on the dark web. French news outlets reported the arrest on Friday, saying that local law enforcement had responded to a domestic abuse call in the Hauts-de-Seine region of France which accidentally led them to the hacker. Finnish authorities said French police would “immediately start taking measures” for Kivimäki to be extradited from France after police processing. Kivimäki had reportedly been on the run for years, buying up luxury goods and booking holidays with stolen credit cards, and was found to be using a fake Romanian identity, among others. According to reporting by cybersecurity journalist Brian Krebs, a small but critical mistake — accidentally uploading his own home folder together with the Vastaamo patient data for a brief moment — gave hints of Kivimäki’s identity, putting investigators on his trail.
A Young, Prolific Cybercrook
Kivimäki has been around under several different aliases, such as “RyanC” and “Ryan Cleary,” since at least 2008 when he was introduced to a future founding member of HTP. Ryan Cleary (Kivimäki) was also one of the members of the now-defunct hacking group “Lulzsec” and is known for operating a DDoS-for-hire service called “Ryan’s DDoS service” when he was just 15 years old, according to Brian Krebs. The hacker had then relied on the notion that there would be no consequences for cybercriminals under the age of 18. Skilled teenage hackers are not a new occurrence. In March last year, cybersecurity researchers found that the high-profile Lapsus$ hacking group’s members include a teenager living with his mother. DDoS-for-hire services, or booter services, are a devastating type of cyberattack that can force entire websites offline. In December 2022, U.S. law enforcement seized several DDoS-for-hire domains in Operation Power Off.
Cybercriminal Rap Sheet a Mile Long
In 2015, Finnish courts found a teenage Kivimäki guilty of more than 50,000 counts of cybercrime, such as payment fraud, operating a colossal botnet called Zbot used to launch DDoS attacks, falsely calling in bomb threats (aka “swatting“), and more. He had also claimed to be affiliated with “Lizard Squad” at the time, a teenage hacking outfit that disrupted Microsoft’s and Sony’s gaming networks in 2014. “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes,” the Lizard Squad tweeted in 2015. “It is clear that the Finnish legal system, like that of the United States, simply does not know what to do with minors who are guilty of severe cybercrimes,” Brian Krebbs said. “Sadly, to this date those individuals also remain free and relatively untouched by the federal system.” Kivimäki had been “remanded in absentia” (in accordance with Finnish law) for the attempted Vastaamo extortion in October 2020, where he demanded a lump sum of 40 Bitcoin (about €450,000) from the center. When the center refused, he targeted around 22,000 individual patients by blackmailing them via email and demanding a €500 ransom. If victims didn’t pay up, he would publish their therapy notes, authorities allege. After managing to extort a few individuals but being unsatisfied with the results, the hacker resorted to uploading a large, compressed file on dark web criminal forums containing the stolen psychotherapy center’s patient records.
Finnish Psychotherapy Center Had Blank Password
According to Brian Krebs, Vastaamo “relied on little more than a MySQL database that was left dangerously exposed to the web for 16 months,” and all Kivimäki had to do was enter a blank password on the main administrator account. A 2022 Censys research study found that 60 percent of all exposed cloud-based databases were MySQL databases.
Hacker Accidentally Uploaded His Own Private Folder
Atti Kurritu, a former investigator with the Helsinki Police Department, told security researcher Brian Krebs that the hacker made a critical mistake by accidentally uploading his personal home folder and then rushing to delete it after realizing the mistake. However, the file was already downloaded multiple times. “It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurritu said, adding that the investigation also revealed more databases and projects. Though the majority of the hacker’s crimes were committed when he was a juvenile when he proudly called himself the “Untouchable hacker god,” which meant a two-year suspended sentence and a forfeiture of 6,558 Euros, this time it might be much more serious. In a January 2022 Reddit post, the hacker discussed his court case with other fugitives of justice. Kivimäki — now using his first name Aleksanteri and not his middle name, Julius — jokingly spoke of opening “some kind of club” or organization for wanted persons.
Finnish Police’s Instructions for Vastaamo Hacking Victims
Authorities have offered advice to anyone affected by the Vastaamo cyberheist. The Finnish police recommend:
Reporting any ransom messages or suspicions to the police online via e-form or to the closest police department. Mentioning the word “Vastaamo” in any police report you file, as well as details of any leaked information (if known). Do not pay any ransom if told to do so.
Data breaches fall under the responsibility of the company storing your data. Thankfully, fewer organizations are now responding to cybercriminal extortion thanks to projects like No More Ransom, which have helped victims save around 1 billion euros in ransom money that would have otherwise gone to cybercriminals. As for what you can do to protect your data, you should look at a dark web monitoring solution. Finally, ensure that your accounts are armed with the best-possible password security so that they cannot be easily accessed.
