Cyber Threat Actor: Ransom_Man
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
12 incidents |
|---|
Profile
The threat actor responsible for the Vastaamo breach remains unidentified in the public record and is referred to only as the hacker or blackmailer in the reporting. The actor targeted a Finnish psychotherapy provider, gaining access to patient records that included contact information, personal identity numbers, care plans and therapist notes. The victim population consisted of individuals who had registered with the service before November 2018, with possible extension to those registered before the end of March 2019. No alias or moniker for the perpetrator appears in the source material.
The actor’s apparent motivation, as described in the article, is financial extortion through a ransom demand and subsequent blackmail threats. The hacker reportedly demanded approximately 40 bitcoin, valued at around 450 000 euros, and threatened to release the stolen psychotherapy data if the payment was not made. Communications with the victim organization included ransom notes titled “Answering Office Information” that contained personal patient details, and the actor reportedly sought assistance with Finnish language phrasing, suggesting limited fluency in the language. No ideological, espionage or disruptive objectives are mentioned in the source.
No specific malware families, exploit tools, or initial access vectors are described in the article, and there is no public attribution to a state‑sponsored group, criminal syndicate or any other known threat actor collective. The reporting does not provide insight into the actor’s technical sophistication, organizational size, revenue or geographic origin beyond the focus on Finnish healthcare patients. Consequently, any assessment of the actor’s capabilities or affiliations would be speculative and is omitted here.
The Vastaamo incident represents a discrete extortion campaign centered on the theft and threatened release of sensitive psychotherapy records. The actor’s actions resulted in a substantial ransom demand and ongoing blackmail attempts, but the source material does not reveal further details about the individual’s identity, broader operational patterns or connections to other incidents. Consequently, the profile is limited to the confirmed facts of targeting, motive and the lack of publicly disclosed technical or attributional information.
