3 November, 2020

Attackers blackmail psychotherapy center and its patients

The Finnish psychotherapy center Vastaamo has been the victim of a ransomware attack that experts and authorities describe as the worst in the country’s history.

– Here in Finland, this has been major news since the incident became public. The entire cyber security industry, together with high-ranking politicians, has commented on the attack, and there is more or less consensus that it is unprecedented in Finnish history.

The nature of the leaked information makes the incident sensitive in several ways, says Nicolas. In addition to several children being found among the victims, many of the patients come from small communities in Finland where everyone knows everyone. Several of those affected have reported the incident to the police and are now demanding that the people behind the attack be brought to justice.

– So far, we can only speculate about how the attack was carried out. We also know nothing definitively about the attacker at the moment, other than that he calls himself “ransom_man” and runs a website on Tor where he has already published content from 300 patients’ journals. However, he seems to come from Finland or gets help from someone in Finland, since messages are written in perfect Finnish, says Nicolas.

– An effective law would, in my opinion, be a requirement for an independent third party to annually review the security of entities processing high amounts of sensitive personal data. This would add an additional layer of security on top of internal audits, if such are even carried out, Nicolas says.

– We have taken a lot for granted when it comes to what data we share when we, for example, shop online or use digital services. Of course, an event like this makes us begin to question the security of the systems we use, especially among the actors who handle our most sensitive information.

– The first step towards protecting your digital assets, but which many people miss, is to take an inventory of the organization’s information systems, processes and the people who maintain them. Such a list is better known as an asset register, and it is the asset register that constitutes your attack surface. Without an asset register that is updated regularly, you lack information about your attack surface, and consequently cannot assess and manage the threats that affect your business-critical information systems.
