So … What’s going on with the Vastaamo guy and his sentence?

We’ve been blogging about Vastaamo and their problems for a while now, and I was looking forward to hearing about the trial. In this blog post, we hear about the sentencing and trial, and I don’t think it’s even enough. Let’s step through it!

The most recent article is titled “Man Who Mass-Extorted Psychotherapy Patients Gets Six Years” and was written by Brian Krebs, who has been covering this as long as I have been reading it.

A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.

The article goes into detail on the case, and how it started in October of 2020, when Ransom Man demanded a payment for pilfering the data.

Kurittu said the prosecution had demanded at least seven years in jail, and that the sentence handed down was six years and three months. Kurittu said prosecutors agreed to knock a few months off of Kivimäki’s sentence because he agreed to pay compensation to his victims, and that Kivimäki will remain in prison during any appeal process.

7 years would have been fun, because it would have proven that the law is willing to give us more of a sentence for this type of a crime.

Think about it, this guy didn’t get his way so he went after their customers who may or may not have been able to pay anything.

Remember that ransoms are mostly paid in some sort of cryptocurrency nowadays, and not in cash or credit card.

The article continues:

“I think the sentencing was as expected, knowing the Finnish judicial system,” Kurittu told KrebsOnSecurity. “As Kivimäki has not been sentenced to a non-suspended prison sentence during the last five years, he will be treated as a first-timer, his previous convictions notwithstanding.”

Brian’s previous articles indicated that this suspect has done a bunch of other shit, so I don’t understand how this law says that since he was under age, they don’t count.

Here, if I did something and did whatever the sentencing was, I would then be charged again if I did the same thing again. In fact, depending on the crime, the punishment could be harsher.

The article even says:

“This seems like a short sentence when taking into account the gravity of his actions and the life-altering consequences to thousands of people, but it’s almost the maximum the law allows for,” Kurittu said.

So here in the States, you hack or do ransomware-type stuff, it’s 5 years, and in other parts of the world, you get as little as 7 years?

As other articles have stated, this guy went after people who needed help. They do not likely understand anything about the methods of payment, why someone is mailing them by email or even calling demanding you pay them for the fact that you hacked the doctor’s office and the doctor’s office isn’t paying you.

We’ve covered the Lizard Squad on podcasts, I’m sure. The article reminds us of this, and that’s not necessarily a bad thing.

Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).

Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.

In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software. KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.

So if this stuff is true, why did they not charge this guy when he turned 18 if some of his crimes went back as a teenager?

If you remember little hacker Matt (blog post), the FBI kept warning him as well as police that if he continued, they would pick him up when he turned 18.

In 2008, we released podcast 62 of TSB and we talked about him in numerous articles and the podcast is many hours. While the blog has changed providers since the podcast’s release, I bet some articles may still be out there. For everyone’s enjoyment, we present podcast 62 (157.7mb) and we thank Kelly Sapergia for reading the show notes for this program.

While a former site of mine was built on ColdFusion for form processing, I knew nothing about how to do it myself, and learned to maintain it until I moved servers. To have this type of knowledge and the amount of servers hacked, this guy should have been charged as soon as he turned 18, that is, if he started at a young age.

The article continues:

Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.

Not only did he take control of various servers, this article highlights that he also made a bomb threat. Are there no laws in Finland that deal with making bomb threats, whether true or otherwise? He also was involved in swatting incidents as well. No laws on that either I suppose?

Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.

Finally,

Investigators later found Vastaamo had originally been hacked in 2018 and again in 2019, but that Tapio never told anyone about the intrusions until ransom_man began his extortion spree. In April 2023, a Finnish court handed down a three-month sentence for Tapio, but that sentence was suspended because he had no previous criminal record.

If the guy mentioned in the last paragraph never told anyone about the intrusions, he should be at fault. If he was the CEO then, and they were hacked multiple times, shame on you.

I skipped a bunch of stuff in this article, but you will want to read the entire Krebs article to get the latest.

Further Reading

I put the blog post again that we’re taking from for convenience. This way, you can choose what you want to read.

The bigger question is, will he learn after his sentence of 6 or 7 years? I guess we’ll find out. Until then, so long! I hope you have a chance to think about it.
