Slashdot Mirror


Pro-Privacy Webmail ProtonMail Pays Ransom, But Hit By DDoS Attack Anyway (wordpress.com)

An anonymous reader writes: The new pro-privacy, pro-encryption webmail service ProtonMail has been under a sustained DDoS attack since November 3. They received a ransom demand a few days ago, along with a brief demonstration of how effective the DDoS attack was. They were advised to pay the ransom, and they complied. Unfortunately, the attackers launched the DDoS anyway. Here's a quote from their press release:

"Through MELANI (a division of the Swiss federal government), we exchanged information with other companies who have also been attacked and made a few discoveries. First, the attack against ProtonMail can be divided into two stages. The first stage is the volumetric attack which was targeting just our IP addresses. The second stage is the more complex attack which targeted weak points in the infrastructure of our ISPs. This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated. This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors. It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us."

5 of 101 comments

  1. Thanks, idiots by Opportunist · · Score: 4, Insightful

    The attackers want to thank all the people who are too stupid and lazy to protect their machines against being part of a botnet. Without your aid, this would not have been possible.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Thanks, idiots by alvinrod · · Score: 3, Insightful

      You can't stop someone who knowingly downloads and installs a program that compromises and takes over their machine. No amount of programming can fix that.

  2. How's that appeasement workin' out fer ya? by idontgno · · Score: 4, Insightful

    "Millions for defense, but not one cent for tribute."

    -- Robert Goodloe Harper

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  3. Poor thought process by s.petry · · Score: 5, Insightful

    I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals. Call law enforcement, and make arrangements with companies that mitigate these attacks? Absolutely, and the latter may cost a few bucks. But paying out a blackmail threat is about as foolish as it gets.

    Hell, even small-time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital a few hours later missing their belongings and a few teeth. The most unlucky of that bunch ended up raped, or dead.

    Never trust a criminal! If their morality allows them to bend you over once, somehow believing they won't do it twice is completely irrational.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  4. Likely not criminals. by wheelbarrio · · Score: 5, Insightful

    Lots of comments here about the foolishness of paying off criminals. Indeed. But in fact I tip my hat to ProtonMail for their clever strategy for illuminating the likely identity of their attackers. The thing is, when you pay off blackmailers they typically don't then carry through with the initial threat because that's bad business. They may make further demands based on their new knowledge of you being an easy mark, but to carry out the initially threatened action after being paid simply sends the message to you and other potential targets that paying is a waste of money because the threat will be carried out anyway. The profile of the target (encrypted email service) alone combined with analysis of the second attack as having the hallmarks of a state actor would suggest a three-letter agency. The fact that they got hit after paying just clinches it.