Vastaamo, the cutting-edge psychotherapy service that had helped tens of thous...
across Finland, was once a national success story, but it had gone horribly wrong.
Now, in October 2020, a faceless hacker, Ransom Man, held all their patient secrets in his hands, and he seemed determined to exploit them. He was releasing therapy notes in batches of a hundred every day, containing the most intimate details of people's lives. No one knew who Ransom Man was.
Henrik Kärkkäinen, a tech reporter on Finland's most widely read newspaper, first broke the story of the hack. The news was spreading across the country. So was the panic. Now Henrik found himself in the strange position of being in direct contact with Ransom Man himself.
"Hello, I've seen your article regarding the Vastaamo incident. I represent the group responsible. If you have any questions, I'm here to answer them."
Why did he want you involved?
I asked him that exact question.
When the hacker replied, he was unapologetic.
"It is in our interests to get the full story out there. Vastaamo has had the opportunity to prevent the release of the data, but so far they have been unwilling."
He had been pushed into releasing the therapy notes, he said, because Vastaamo had stopped responding to his ransom demands.
He was completely reflective through all the questions. "We believe Vastaamo deserves at least as much blame as we do. They f-d up and then they f-d up again."
Are you censoring the F word there?
No, I-I-I was censoring that.
Finland is not a huge population, smaller than London. Tens of thousands of people use this service. Do you think it's fair to say that most people know someone, or know someone who knows someone, who used Vastaamo?
Definitely so. And that's why it became such a big national furore.
Ransom Man was using secrets to torture an entire nation. It had become a race against time to try to stop him before he could cause any more harm.
I'm Jenny Kleeman, and from BBC Radio 4 and Intrigue, this is Ransom Man.
I'm with Henrik, in the HQ of his newspaper, Ilta-Sanomat. It's next to Helsinki's central library, on the 7th floor of a glass building overlooking the heart of the city. He's wearing a heavy metal T-shirt. His grey hair is pulled back into a low ponytail. In the open-plan office, Henrik's desk stands out. Every surface is covered with empty cans of Monster. There are at least 30 of them piled in high towers.
Unlike Henrik's desk, Finland is a place of extremes. It's the happiest country on earth, but it has more heavy metal bands per capita than any other nation. In the far north, for a few days around the winter solstice, the sun does not rise at all.
Living here, I don't know, it sounds funny that we have the happiest country in the world, but at the same time, there's a pessimistic attitude going through the nation. The thing is that when you expect something bad to happen and it doesn't, you don't have to be happy, almost every day.
So, Finnish pessimism is leading you to be happy?
Well, that's my theory.
And if you were to describe what Finnish people were like, how would you do it?
I would say reserved, and then a bit shy about being active in conversation or beginning a conversation.
In a country of awkward conversations, Henrik, a newspaper reporter, had to work out how best to communicate with the hacker who was exposing this very reserved nation's most private thoughts.
I started exchanging emails with him, asking detailed questions and also hard questions. My question was: are you held responsible if and when this action causes suicides or other forms of extreme outcome? And his answer was: legally, doubt it; morally, maybe, question mark.
While Henrik was exchanging quickfire messages with Ransom Man, Vastaamo patients across
Finland were learning about what was happening, that therapy notes were being...
for all to see and that they could be next.
Meri-Tuuli Auer heard about the hack the day after the first 100 records were released. She'd used Vastaamo a few years previously.
I saw the news that there has been a data breach at the psychotherapy center. I just knew immediately, I knew that it was Vastaamo. I just said, "Well, shit."
Meri-Tuuli is 30. She lives alone in a small flat in a nondescript apartment block on the outskirts of Helsinki. But don't be fooled by outward appearances. Inside, her home is a riot of pink and glitter. Over tea served in Moomin mugs at her kitchen table, Meri-Tuuli tells me how she too shouldn't be judged by how she appears at first glance. She might seem cheery and outgoing, but she's struggled with depression for most of her adult life.
My biggest fear has always been that people don't like me.
I am fundamentally different to other people, and that fundamental difference is something wrong.
It's amazing, because you do appear to be such a confident, outgoing person.
I love being around people, but it's like when I get that inkling that maybe they all think I'm full of shit and stupid and ugly, and my life is like a continuum of mistakes and bad decisions.
Meri-Tuuli found her therapist by browsing the profiles on Vastaamo's website.
He looked, like, approachable in the picture. I was desperate to get someone to listen to me.
How personal did it get?
Very, very personal.
Over several years, Meri-Tuuli had confided in her therapist about her mental health struggles, her binge drinking, and a relationship with a much older man that she had kept secret from her family. When she heard the news that some people's therapy notes had been exposed on the dark web, she felt compelled to see if hers were among them.
I had never used the dark web before, but I was thinking to myself like, "I just have to see if my records are already there." I went there and opened them just to see the names of the people, and my name was not included in that list, so I closed the files and didn't read any records. You don't just read anyone's therapy notes. Of course, some people there had already picked, like, in their opinion, the funniest parts from the patient records, laughing at these people's misery and problems.
I think a child around 10 years old had gone to therapy for something, and people found it funny.
In the darkest parts of the internet, Meri-Tuuli saw some of the worst of humanity.
There were people who wrote like, "Well, there's going to be a lot of traffic on the train tracks tomorrow," implying that there's going to be a lot of suicides ahead. People were joking about it.
So how did this happen? How did a multimillion-dollar company, trusted by the Finnish state to provide mental health care, end up at the mercy of an anonymous hacker?
Our society is almost fully digitalised.
So we're moving into a fully digital world, and Finland is a kind of exemplar of being very forward-thinking as a fully digital society?
A test lab, if you will, yes.
If Finland is a test lab for the rest of the world, then so is this story. It shows the risks and benefits of using digital technology to make therapy accessible.
It was really a case in point in how vulnerable the use of a society can be. Up until the Vastaamo incident, very few people had thought about the real risks.
For over a year, I've been trying to speak to someone from Vastaamo. We reached out to more than 60 therapists and staff who used to work there. None of them was willing to give us an interview. Vastaamo's former CEO, Ville Tapio, declined, saying he no longer trusts journalists and doesn't want to prolong victims' trauma by giving the hacker more public attention.
The company was founded in 2008 by Ville Tapio and his mother, Nina, a psychotherapist. The Tapios had big ambitions for Vastaamo.
They wanted to roll out mental health care even to the farthest reaches of Fi...
It began with remote, virtual therapy, a groundbreaking idea back then.
But they soon realised there was an appetite for traditional face-to-face sessions too, so they started opening clinics under the Vastaamo brand. By 2018, they had a network of nearly 20 clinics across Finland, employing more than 200 psychotherapists and psychiatrists. Ville Tapio appeared to have created a thriving business that was also a force for good.
As well as a great story, Vastaamo had an accessible, intuitive digital interface, which patients liked. It was subsidised by the Finnish national health care system, so it was affordable. Therapists liked Vastaamo too. They didn't have to worry about doing their own marketing or billing; Vastaamo would take care of it all.
There was even a convenient behind-the-scenes platform where they could make and store all their patient notes. But behind Vastaamo's slick digital interface, there were fatal flaws.
Antti Kurittu is the cyber security specialist Ville Tapio called after Vastaamo received the first ransom demand.
But as soon as he looked at Vastaamo's computer network, he discovered some serious issues.
Based on our technical review of the server, I would say that it felt more like a hobbyist home server. It seemed like the administrators had not paid really any attention to securing the server, to the degree that I would have felt comfortable with had I been in custody of this kind of information.
When Antti Kurittu explains just how careless Vastaamo had been, my jaw drops.
The database access was exposed to the internet, not limited by a firewall at any stage, and probably the most grievous was that the main master account was not secured with a password. It was secured with a blank password, which means that you can just press enter to get in. And this allowed the database basically to be accessible by anyone at any time from any location on Earth who just happened to stumble upon it.
Ville Tapio has contested this account, saying that the system had strong authentication that restricted database access to only authorized users and didn't allow password-free network logins. He's also said that the patient data was encrypted to the standard required by law. Still, the patient records were accessible.
The door to Vastaamo had pretty much been left wide open, and his view on this is pretty clear.
This is rudimentary information security. It just felt like a rank amateur mistake. This shouldn't have happened with this kind of data.
As soon as Antti Kurittu began investigating the hack, it became clear to him that Vastaamo hadn't been specifically targeted.
It was obvious to me that that was the result of scanning activity, trying to find open databases and possibly any kind of information that could be monetized. I think they just tried a bunch of bank vaults to see which ones were open, and they just happened to stumble on this one. Stole the data, and later, when counting their treasure, they realized what they had and tried to opportunistically then attack Vastaamo with this extortion attack.
Antti's hunch that the hacker simply stumbled upon an open bank vault and stole the treasure inside seems to be right. In his emails to Henrik, the tech reporter, Ransom Man said he never specifically set out to target Vastaamo.
He claimed that the gate was open. He was mocking the security, the passwords, and the whole company was being hacked by a robot without putting in much effort, and when he realized that there might be some worth in that, he started the extortion thing.
And while a robot may have been searching for poorly secured databases, it was definitely a human being who, three weeks after first contacting Vastaamo, was now ramping up the pressure by cherry-picking patient records to leak in batches of a hundred.
Did you get the impression he was doing this for money?
Yes, definitely so. And also being ruthless in what he was doing, with no concern to human suffering whatsoever.
The hours ticked by, patient records continued to spread across the web, and Vastaamo still wasn't paying. Neither Ransom Man nor his target were backing down.
Finns are a bit of a belligerent bunch. pride in. Of course we don't pay. Whatever it takes.
While none of the dozens of people who used to work at Vastaamo agreed to give us an interview, I had a background chat with a consultant who worked there in 2020. He told me that once news of the hack became public, everything went crazy behind the scenes. It was all hands on deck. Anyone with any technical know-how was made to work on network security through the night and over the weekend, even though the damage was already done. He remembers some staff becoming ill from all the pressure.
When Ransom Man started systematically releasing the patient records, all Antti's team could do was keep a close eye on his online activities, using bespoke software to scrape the web for new posts.
We were watching it in real time. It was difficult to believe. Our scraper was running on the website that was publishing these patient records a hundred at a time, every day, and it had been running for like three days. A set of like three hundred patient files were already published.
Like clockwork, the posts came, the intimate secrets of a hundred people exposed every 24 hours for three days, until, on the 23rd of October 2020, something unexpected happened.
So, on the third day, my threat intelligence guy called me and said, "You'll never believe what the scraper had caught."
What did he find?
We found, unfortunately, all of the patient files.
At 2 AM on the 23rd of October, Ransom Man uploaded a much larger file. It contained every record of every single patient on Vastaamo's database, all of the files, all the most private thoughts that tens of thousands of people had confided in their therapist, published for free, for everyone in the world to see. Everyone's therapy notes dumped online.
Of course, as we had a copy of this information now, from the public internet, that meant that an untold number of others also had this copy.
There was no way of preventing this anymore.
The pressure cooker everyone had been trying to contain had suddenly exploded. For Vastaamo's patients, it was too late. Everything was out there, exposed. What sort of person would drip-feed a sample of the hacked records over three days, and then just release everything he had, and why?
I don't know what kind of people you would have to be in order to publish people's personal information, 30,000 people, just for the lols. You just don't.
It was only at this point, a matter of hours after the full database was released online, that emails began arriving in individual inboxes, demanding Bitcoin directly from Vastaamo's customers.
It was in the junk mail folder. "Give us money, or we will publish everything we have about you for everyone to see."
Meri-Tuuli had been relieved when she couldn't find her notes among the first batch released onto the dark web. Now she was being emailed directly by the hacker and told to pay up, but it was a trick. Her therapy notes had already been published. Once she realised what had happened, Meri-Tuuli's bright, colorful home became a kind of prison.
The fear set in. I took sick leave from work. I was crying. I was feeling very vulnerable. Everything came back to me. I closed myself at home. I didn't want to leave. I didn't want people to see me.
Did it help to know that you weren't the only victim, or did that make you feel like you had less of a right to be outraged?
It might sound individualistic and selfish to say, but what do all the other 30,000 people matter when this happened to me here?
Tina, the head teacher we met in the last episode, felt the same.
Everybody knew somebody who was part of Vastaamo. That's why it raised so much discussion. But then again, when there are tens of thousands of people, then you very easily forget what is there on the individual level.
No two victims had the same story or reacted in the same way, but they all had one thing in common.
They had been exposed and violated.
Some people might have been very relaxed about it, like, "Okay, well, who cares if my patient records are out there?" And then there are people who have killed themselves.
The numbers aren't clear, but we know of at least two people who took their lives after learning they were victims. The harm caused by Ransom Man was immeasurable, and his attempts to get a big ransom were a total failure. The biggest failure, of course, was Vastaamo's.
It became so huge that they couldn't control it, the narrative, because the public outrage was so big. No crisis management manual could help you there.
The day after the entire database of patient records was dumped online, Vastaamo's board announced that they had parted company with the CEO, Ville Tapio. Vastaamo apologized on Facebook. They claimed they were working to inform customers whose notes had been leaked. They even offered victims a free conversation with a therapist. This did not go down well. Vomit emojis filled the replies.
The first email I got from Vastaamo was, like, worth a sack of shit. Like, they were basically "sorry that you feel sorry", sort of. They told the media first and not us, their customers. And I think that was really, really outrageous.
There was no suspect at the time, and there was only one person whose name came popping out in the public, and that was Ville Tapio, the CEO of the company that had been hacked.
The only name the public had to latch onto was Ville Tapio's, even though at this point he was no longer CEO. The criminal behind the hack was still anonymous. But if you looked closely enough, you could find clues about who it might be. I've seen some of the emails exchanged with Ransom Man. They're redacted, so I can't tell you exactly who sent them from the Vastaamo side. But at one point someone from the Vastaamo side of negotiations writes, in Finnish, "This shit is unbearable. You're taking away everything. There is no tomorrow." The hacker's response: "Please write in English." Not only was Ransom Man incredibly cold, he also wasn't Finnish. Or so he wanted everyone to believe. But Antti, the cybercrime investigator and former detective, saw things differently.
Whoever was handling this database is able to read what's there without using translation services, because just going through this trove of data by copy-pasting it to Google Translate is not feasible.
Whoever it was knew which Finnish names to flaunt from the patient records, and he knew where to flaunt them: in forums that are popular with Finnish people.
We had this weird thing that they were partly a group of people and then also referring to themselves in the singular. I felt like this is probably not a professional group, because they made this thing public in such a weird way. It seemed like something else. Putting all of these together, it just gave me a hunch that this person is at least intimately familiar with the Finnish internet scene, and based on that I guess that it's a Finn.
And there was something else. Something I haven't yet mentioned. Something that would hold the key to this case. Ransom Man had made a fatal mistake. That final dump of all the data, it didn't just contain the database of Vastaamo's patient records. There was so much more. Alongside all the patient files, Ransom Man had also posted the entire contents of his home folder. A treasure trove of information about his computer and everything he had been doing on it. It began to look like Ransom Man had screwed up massively. "You leaked your home folder, dude," someone wrote under Ransom Man's final post on the dark web. "Whoopsie, smiley face," the hacker replied, and then he disappeared.
We found a glimpse of what it looks like when our hacker is on a server and then uses his tools, techniques, a collection of his files.
It looked like something else.
What do you mean by that? What was the something else?
It had that, you know, that sort of chaotic passion and hobby feeling to it. It didn't feel like somebody going to work. During investigation, some people's computers. There's a sort of a way that people arrange their digital lives. So just the level of this organization, there was a bit of an air of mania around it. After spending several evenings with the Vastaamo.tar file, I had the feeling that I've actually seen this kind of thing before.
An air of mania and a sense of deja vu. Whoever Ransom Man was, he was no run-of-the-mill jobbing cyber criminal, and he was someone Antti recognized. There was something about the childish way Ransom Man chose file names that felt strangely familiar to him.
There was a shortness and crudeness to them. It was just like a quick burst of typing to name a file instead of actually thinking that I need to remember what's in this file later.
And there was the name of the folder that held all the patient data.
That was "therapissed". It was just the childish play on words.
Therapissed, as in P-I-S-S-E-D?
Yes. You get a feeling.
A feeling. One that suddenly transported Antti back to 2013, when he was a senior detective constable at the Helsinki police, looking at the files on a computer he'd seized from a 16-year-old boy.
The feeling I got years earlier.
A boy who'd already been involved in some of the most audacious hacks the world had ever seen.
It just made me think of giving me a kiss. See you'll be able to give him a kiss.
In December 2025 the Finnish Court of Appeal ruled that neither the GDPR nor the applicable Finnish healthcare legislation required encryption or pseudonymization of patient data at the time in question. The court found there was no clear legal requirement at the time obliging Ville Tapio as CEO to take specific security measures, and his conduct in relation to the breach did not amount to criminal negligence.
Ransom Man is written and presented by me, Jenny Kleeman. The producer is Sam Peach. The executive producer is Georgia Cat. The commissioner is Dan Clark and the commissioning executive is Tracy Williams. Sound design by Sam Peach. Original music for the series was composed, performed and produced by Echo Collective. It's a BBC Studios production for BBC Radio 4.

