The Challenges of Ransomware 2.0

The Finland-based psychotherapy group Psychotherapy Center Vastaamo may need some therapy itself.

The company says that hackers broke into its network in late 2018 and again in early 2019.

Just this month it has come out that the company, which has 20+ offices and 300 or so shrinks, may have lost the records of about 40,000 patients, some of them high profile. The hacker(s) tried to blackmail the company to the tune of about half a million dollars, but the company did not pay.

So the hackers posted the clinical files of 300 patients on the dark web as a threat and then went after the patients themselves, demanding a ransom of between 200 and 500 Euros from each one not to publish their file.

The Finnish version of the FBI, the National Bureau of Investigation, says don't pay the ransom.

That is easy for them to say.

What people tell their therapists is sometimes not great for public consumption.

It can get you fired.

It can get you divorced.

It can end your political career.

Some people even commit suicide.

It can cost you tens if not hundreds of thousands of dollars, so paying a 200 to 500 Euro ransom, even if you are not sure that it will protect you, may seem reasonable. (It does not protect you: the attacker still has the file and can come back for more, or publish it anyway.)

I asked one of my friends at the FBI what his thoughts are and I will update this post when I hear back.

Some people will decide that it is not worth the risk and will not get mental health support or other treatment. Or they will not tell their medical professional the truth, or the whole truth.

It certainly is worthwhile asking a provider about its security, but the likelihood of getting an honest answer is almost zero. After all, doesn't every company say it cares about your data? Usually right after it gets hacked.

Until the financial equation changes it is unlikely that the problem will be solved. In part, this is because strong security is inconvenient. In this case the breach is a GDPR violation involving health data, which the regulation treats as a special category of sensitive data, so the company will likely be fined heavily.

I am not sure what it will take.

The Defense Department has one strategy. It is beginning to require that its contractors be certified by a third party (the Cybersecurity Maturity Model Certification, or CMMC). No certification, no contract. That seems like it could be effective.

Credit: The Register
