Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pro-Privacy Webmail ProtonMail Pays Ransom, But Hit By DDoS Attack Anyway (wordpress.com)

Posted by Soulskill on from the lesson-learned dept.

An anonymous reader writes: The new pro-privacy, pro-encryption webmail service ProtonMail has been under a sustained DDoS attack since November 3. They received a ransom demand a few days ago, along with a brief demonstration of how effective the DDoS attack was. They were advised to pay the ransom, and they complied. Unfortunately, the attackers launched the DDoS anyway. Here's a quote from their press release:

"Through MELANI (a division of the Swiss federal government), we exchanged information with other companies who have also been attacked and made a few discoveries. First, the attack against ProtonMail can be divided into two stages. The first stage is the volumetric attack which was targeting just our IP addresses. The second stage is the more complex attack which targeted weak points in the infrastructure of our ISPs. This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated. This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors. It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us."

52 of 101 comments (clear)

  1. Thanks, idiots by Opportunist · · Score: 4, Insightful

    The attackers want to thank all the people who are too stupid and lazy to protect their machines against being part of a botnet. Without your aid, this would not have been possible.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Thanks, idiots by fustakrakich · · Score: 1

      Yeah well, an appliance shouldn't be so easy to hack. And automatic updates shouldn't cause so many breakdowns, even if it is good for the repair/cleanup business. Computers are still not ready for prime time. They are way too frail. The word "robust" doesn't enter the picture.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Thanks, idiots by Anonymous Coward · · Score: 1

      The blame should fall on programmers not users.

    3. Re:Thanks, idiots by hcs_$reboot · · Score: 1

      The attackers want to thank all the people who are too stupid and lazy

      stupid or lazy, actually.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re:Thanks, idiots by Opportunist · · Score: 1

      Not quite. It was just that computers were no longer "so expensive and such a big hassle to get online" that the cheap and lazy people got one.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Thanks, idiots by Opportunist · · Score: 1

      The usual 90/10 rule applies. Are you willing to pay about ten times what you pay for your computer? Then a (nearly) 100% secure system is a possibility.

      Else, the 90% you got will need patching. But that means that you have to accept the responsibility and actually patch the box.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Thanks, idiots by Opportunist · · Score: 1

      If users were willing to pay what had to be paid for secure computers, we'd have them.

      If computers could kill people, we'd have secure computers that cost about as much as a car does.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Thanks, idiots by Opportunist · · Score: 1

      Yes, one would do. Most of those numbnuts are both.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Thanks, idiots by alvinrod · · Score: 3, Insightful

      You can't stop someone who knowingly downloads and installs a program that compromises and takes over their machine. No amount of programming can fix that.

    9. Re:Thanks, idiots by bmo · · Score: 1

      Are you willing to pay about ten times what you pay for your computer?

      Most security doesn't cost a penny, if you bother to learn.

      It's the people who decide to remain ignorant about security that wind up paying lots more for insultants, insurance, and break-ins.

      --
      BMO

    10. Re:Thanks, idiots by Xenx · · Score: 1

      and/or, people are more then capable of both.

    11. Re:Thanks, idiots by Opportunist · · Score: 1

      So we're back at "people being too stupid and lazy to protect their machines"?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:Thanks, idiots by bmo · · Score: 1

      "Trust in god but tie your camel." -- Some Arab Proverb That Probably Isn't Real But I Agree With.

      "Trust but verify." -- Russian proverb adopted by St. Ronnie Raygun

      "Park it and lock it! Not Responsible!!" -- Firesign Theatre

      --
      BMO

  2. How's that appeasement workin' out fer ya? by idontgno · · Score: 4, Insightful

    "Millions for defense, but not one cent for tribute."

    -- Robert Goodloe Harper

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
    1. Re:How's that appeasement workin' out fer ya? by turkeydance · · Score: 1

      isn't it "penny" instead of "cent"?

    2. Re:How's that appeasement workin' out fer ya? by Anonymous Coward · · Score: 1

      In practice, paying the tribute is more cost-effective than dying. But if you RTFS you'd know the problem most likely isn't that paying off didn't work, but that only one of the attackers wanted money:

      ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors.

      Protonmail can't outspend the US government.

    3. Re:How's that appeasement workin' out fer ya? by Chris+Mattern · · Score: 1

      Nope, although it's often misquoted that way: http://www.bartleby.com/73/804....

    4. Re:How's that appeasement workin' out fer ya? by Chris+Mattern · · Score: 1

      More appropriately:

      And that is called paying the DDOS geld
      But we've proved it again and again
      That if once you have paid them the DDOS geld
      You never get rid of the DDOS!

    5. Re:How's that appeasement workin' out fer ya? by tsm_sf · · Score: 2

      Spot on. Here is the original for the interested:

      It is always a temptation to an armed and agile nation
          To call upon a neighbour and to say: --
      "We invaded you last night--we are quite prepared to fight,
          Unless you pay us cash to go away."

      And that is called asking for Dane-geld,
          And the people who ask it explain
      That you've only to pay 'em the Dane-geld
          And then you'll get rid of the Dane!

      It is always a temptation for a rich and lazy nation,
          To puff and look important and to say: --
      "Though we know we should defeat you, we have not the time to meet you.
          We will therefore pay you cash to go away."

      And that is called paying the Dane-geld;
          But we've proved it again and again,
      That if once you have paid him the Dane-geld
          You never get rid of the Dane.

      It is wrong to put temptation in the path of any nation,
          For fear they should succumb and go astray;
      So when you are requested to pay up or be molested,
          You will find it better policy to say: --

      "We never pay any-one Dane-geld,
          No matter how trifling the cost;
      For the end of that game is oppression and shame,
          And the nation that pays it is lost!"

      - Rudyard Kipling

      --
      Literalism isn't a form of humor, it's you being irritating.
    6. Re:How's that appeasement workin' out fer ya? by petteyg359 · · Score: 1

      More appropriately:

      And that is called paying the DDOS geld But we've proved it again and again That if once you have paid them the DDOS geld You never get rid of the DDOS!

      Perhaps you meant "guild"? Or are you really saying " the " (verb the verb)?

    7. Re:How's that appeasement workin' out fer ya? by Chris+Mattern · · Score: 1

      You need a better dictionary. "Geld" can also be a noun with a very different meaning, although that usage is a bit archaic.

  3. Poor thought process by s.petry · · Score: 5, Insightful

    I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals. Call Law enforcement, and make arrangements with companies that mitigate these attacks? Absolutely, and the latter may cost a few bucks. But paying out a blackmail threat is about as foolish as it gets.

    Hell, even small time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital few hours later missing their belongings and a few teeth. The most unlucky of that bunch ended up raped, or dead.

    Never trust a criminal! If their morality allows them to bend you over once, somehow believing they won't do it twice is completely irrational.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Poor thought process by Anonymous Coward · · Score: 1

      Quite possibly law enforcement told them to pay the ransom. It's easier to follow the money than determine the true source of a DDoS attack.

    2. Re:Poor thought process by Anonymous Coward · · Score: 1

      Hell, even small time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital few hours later missing their belongings and a few teeth.

      Are you suggesting that one should fight a mugger because they're likely to attack you anyway? Do you have any evidence of this? My personal experience of family+friends is two or three "give me your money". In every case, they've handed it over - including the physically powerful ones who might have been able to overcome an attacker - and the mugger has just run off. Employees of businesses are almost invariably advised to hand over money because it's not worth it.

      There are some good reasons to resist what might be a mugging, e.g. some cheeky ass walking up to you and saying, "Give me money," with no evidence they have any weapon. But if someone's holding a knife in front of your face, you were almost certainly already too slow. If you say no, their best way forward if they still want your money is to threaten you, then to attack you in a way that disables you but does not kill you (and almost all knife attacks in the UK are non-fatal, because who wants to be hunted for murder?). If you tackle them, you're intentionally getting close up, so you better have damn good training.

      As to areas which allow you to carry a gun, if someone threatens you with a knife and you have a gun, you do have the option to take it out and hope there's not an accomplice behind you, of course. Again, the average citizen is not well trained.

      The most unlucky of that bunch ended up raped, or dead.

      As a proportion of muggings go, these are extremely fucking unlikely. "Dead" especially, in most Western countries.

    3. Re:Poor thought process by myowntrueself · · Score: 1, Flamebait


      <p>As to areas which allow you to carry a gun, if someone threatens you with a knife and you have a gun, you do have the option to take it out and hope there's not an accomplice behind you, of course. Again, the average citizen is not well trained.</p>
      </p></quote>

      You've probably heard the saying "Don't take a knife to a gun fight". Well the reverse also holds true; "Don't take a gun to a knife fight."

      At the ranges within which knife fights take place a gun is a liability and thinking the gun will give you leverage or protection is just wrong and will get you maimed or killed.

      --
      In the free world the media isn't government run; the government is media run.
    4. Re:Poor thought process by Anonymous Coward · · Score: 1

      Quite possibly law enforcement told them to pay the ransom.

      Indeed. For example, the FBI is on record as recommending that CryptoWall victims pay the ransom as a best practice.

    5. Re:Poor thought process by myowntrueself · · Score: 1

      May I introduce you to my friend the preview button? Comes free with every Slashdot post.

      Yeah I know, I'd set it to extrans for a post the other day and forgotten to switch it back and missed the obvious on preview.

      My point still stands though!!

      --
      In the free world the media isn't government run; the government is media run.
    6. Re:Poor thought process by deKernel · · Score: 1, Informative

      Well, that might work for you, but I would suggest to everyone else that you ALWAYS take a gun to a knife fight if you want to win. I can have my gun out just as fast as some idiot can pull their knife out....PERIOD. Here is a hit, don't walk around oblivious to your surroundings, and you will always be in a position where your side arm (even concealed) can be accessed long before issues arise.

    7. Re:Poor thought process by s.petry · · Score: 1

      Are you suggesting that one should fight a mugger because they're likely to attack you anyway?

      You invented a statement that I never made, and then defended your fake argument with a personal anecdote. Topping that off, you claim I need to give citation when I never made a claim that a person should be fighting a mugger. YOU DID! What I did state is that believing you are not going to be harmed by a criminal because you gave in to their criminal demand is irrational. There is more than one option.

      And by way of personal anecdote I come from Detroit where giving a mugger money shows them that you have some, and they thump you down looking for more. That same behavior is well known in most of South America and Asia as well.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    8. Re:Poor thought process by KGIII · · Score: 2

      I got mugged once, years ago, on the outside of the swamp headed into Miami (just after alligator highway or whatever it's called - not the main route, the one south of it). The guy was nervous as fuck and carrying what appeared to be an unloaded Jennings .25. (I could not see the small tab that protrudes where the magazine goes but wasn't going to risk it.) Hell, it's a Jennings and a .25 - it might not even have fired.

      Anyhow, he was nervous as fuck and I talked to him calmly and gave him my money and not my wallet. He said just give me your wallet and I told him that I could not do that but that I'd give him my cash. Meh... It was pretty tame, really. I was more calm than he was. I'd say, if you're getting mugged then, by all means, pay up but remain calm. Chances are they're scared. I'm not worried about someone who's holding a firearm and pointing it at me with seriousness. I'm worried about the idiot who's pointing a firearm vaguely in my direction and is scared. The first one would have already shot me, the second one is quite likely to screw the whole situation up. Just stay calm and give them the money.

      There's more to the story but that's the gist of it. It was over in what felt like a few minutes but was probably closer to just one minute. Time seems to slow and you get hyper-alert. My first thought was to attempt to disarm them and then I realized that would be a terribly stupid thing to do. The last thing I wanted to do was cause a scene which would make them nervous or, worse, turn a mugging into a hostage situation or, worse, get someone else hurt. If someone were threatening to DDoS a service or extort money then I'd probably either let the cops follow the money or I'd put a notice up on the page saying something along the lines that service will likely be disrupted because $group expects us to be cowards. I'd rather prorate customer bills than be subjected to blackmail in the future and it's not likely to be a life and death situation or anything.

      --
      "So long and thanks for all the fish."
    9. Re:Poor thought process by thegarbz · · Score: 1

      I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals.

      Are lot of such criminals are nothing more than illegal commercial enterprises. They rely on some facts such as the trustworthyness that paying the ransom will resolve the issue. If they lose that then they lose their source of income.

      We're not talking about Anonymous here. These people do what they do for currency, not for lolz.

    10. Re:Poor thought process by Anonymous Coward · · Score: 1

      My personal experience of family+friends is two or three "give me your money".

      Then I'm glad I'm not in your family or one of your friends; they're apparently criminals.

    11. Re:Poor thought process by JustAnotherOldGuy · · Score: 1

      I knive doesn't run out of bullets

      Yes, but you can't use a knife on someone 20 feet away, especially while they're shooting at you.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    12. Re:Poor thought process by myowntrueself · · Score: 1

      I knive doesn't run out of bullets

      Yes, but you can't use a knife on someone 20 feet away, especially while they're shooting at you.

      When you are literally eyeball to eyeball my money would be on the knife. Way faster, doesn't need to be particularly aimed, has multiple attack vectors ie isn't only lethal in one direction. Even an unskilled person with a knife can be devastating at close quarters (look for youtube videos of frenzied stabbing attack vs martial artist).

      --
      In the free world the media isn't government run; the government is media run.
    13. Re:Poor thought process by JustAnotherOldGuy · · Score: 1

      When you are literally eyeball to eyeball my money would be on the knife.

      If you managed to get that close after being shot repeatedly, then I'd knife you.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    14. Re:Poor thought process by myowntrueself · · Score: 1

      When you are literally eyeball to eyeball my money would be on the knife.

      If you managed to get that close after being shot repeatedly, then I'd knife you.

      Your scenario of an assailant who starts off at sufficient distance for your firearm to be useful resembles something like confirmation bias...

      --
      In the free world the media isn't government run; the government is media run.
  4. Incentives by Etherwalk · · Score: 2

    I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals. Call Law enforcement, and make arrangements with companies that mitigate these attacks? Absolutely, and the latter may cost a few bucks. But paying out a blackmail threat is about as foolish as it gets.

    Hell, even small time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital few hours later missing their belongings and a few teeth. The most unlucky of that bunch ended up raped, or dead.

    Never trust a criminal! If their morality allows them to bend you over once, somehow believing they won't do it twice is completely irrational.

    It's about incentives. If the criminal fails to honor the payment too much, people stop paying. The amount of harm to the company also goes up, as does the interest of major law enforcement task forces. That's why ransomware operators send you keys and private corporations are frequently willing to pay ransoms. But people with a major presence whose operations will be strongly hurt by allowing criminal operations to continue--most obviously the United States Government when dealing with terrorism--are much less likely to pay.

    1. Re:Incentives by tompaulco · · Score: 1

      It's about incentives. If the criminal fails to honor the payment too much, people stop paying. The amount of harm to the company also goes up, as does the interest of major law enforcement task forces. That's why ransomware operators send you keys and private corporations are frequently willing to pay ransoms. But people with a major presence whose operations will be strongly hurt by allowing criminal operations to continue--most obviously the United States Government when dealing with terrorism--are much less likely to pay.

      Yes, but criminals are criminals, and as such are selfish. If they get the money and do the DDoS, then they have made their money and to heck with anybody else (including themselves later, but hey, they're criminals, so they don't think that far ahead).

      --
      If you are not allowed to question your government then the government has answered your question.
  5. Talk is cheap by Anonymous Coward · · Score: 1

    As a protonmail user it's been nail-biting experience over the last few days.

    Protonmail was hit by state sponsored attacks disguised as BC ransom.

    Please consider donating.

    Thank you.

  6. Danegeld by YrWrstNtmr · · Score: 1

    See Kipling on this.
    https://en.wikipedia.org/wiki/Danegeld

  7. Logic... by wbr1 · · Score: 1
    If target pays x to prevent attack, surely they'll pay x + y to stop it.

    . Dummies.

    --
    Silence is a state of mime.
  8. Dane Geld by istartedi · · Score: 2

    There is nothing to say on the matter of ransom ware that Rudyard Kipling hasn't already said, with greater eloquence than I could muster. To reference another great saying, "millions for defense, not one penny for tribute".

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  9. Likely not criminals. by wheelbarrio · · Score: 5, Insightful

    Lots of comments here about the foolishness of paying off criminals. Indeed. But in fact I tip my hat to ProtonMail for their clever strategy for illuminating the likely identity of their attackers. The thing is, when you pay off blackmailers they typically don't then carry through with the initial threat because that's bad business. They may make further demands based on their new knowledge of you being an easy mark, but to carry out the initially threatened action after being paid simply sends the message to you and other potential targets that paying is a waste of money because the threat will be carried out anyway. The profile of the target (encrypted email service) alone combined with analysis of the second attack as having the hallmarks of a state actor would suggest a three-letter agency. The fact that they got hit after paying just clinches it.

  10. Really Bad Business Model by Idimmu+Xul · · Score: 4, Interesting

    This sets a precedent now so everyone knows not to pay hostage money to people that threaten DDOS attacks as they don't follow through honorably.

    --
    The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
    1. Re:Really Bad Business Model by gweihir · · Score: 1

      Incidentally, this may just cut down on the part of the problem created by common criminals. Their "business opportunity" just vanished. Now we mainly have to worry about state-sponsored and employed terrorists, like certain employees of the NSA, GCHQ, Chinese and Russian intelligence, etc.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Really Bad Business Model by sociocapitalist · · Score: 1

      This sets a precedent now so everyone knows not to pay hostage money to people that threaten DDOS attacks as they don't follow through honorably.

      There were evidently two groups of attackers. Quite possibly one stopped and the other one wasn't after money to start with.

      --
      blindly antisocialist = antisocial
  11. Why would you pay? by Anonymous Coward · · Score: 2, Informative

    The self-righteousness of slashdot know-it-alls sucks.

    Protonmail made it quite clear, the ISP and carrier made them pay after the whole datacenter with hundreds of other customers went down. It's not like they did not know that you should not pay. But if you are close to being put out on the street, you reassess your policies.

    DDoS protection against this size of attack is expensive and it is obvious that a provider of secure email can not simply hand out the ssl key to a CDN. If you want to make sure the next attack is hit with the visor down and the defense in place, then go and support their defense fund, so they are no longer tempted to pay.

  12. They were pressured into paying by dnaumov · · Score: 2

    They didn't just decide to pay the ransom of their own volition. They were pressured into it by third parties who were suffering major economic losses due to the attack. Their ISP was basically taken offline, along with all of their other business customers.

  13. Here is your money. by Opportunist · · Score: 1

    Look at it, for it's as close as you'll ever get to it.

    I'm not going to pay you. Instead, this money goes to whoever brings me your head. I don't care what he does with the rest. I only need your head.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. U.S government by Anonymous Coward · · Score: 1

    and its lackeys most likely behind this. The typical cyber-criminals are pro-privacy, while the U.S gov is the fiercest opponent to it.

  15. Never pay ransom by tompaulco · · Score: 1

    Never pay ransom.Never pay bribes. Never pay blackmailers. You are honest. They are not. You have no guarantee they will do what they say, they will use your honesty and your reputation against you to continue to suck even more money out of you. You will also make the list of targets who will pay, and will be hit again and again.
    Charities and Volunteer organizations also use the same tactics.

    --
    If you are not allowed to question your government then the government has answered your question.
  16. Idiots. by ledow · · Score: 1

    I've just mugged you for your wallet.

    "Give me your phone and I'll give you your wallet back."

    Yeah. Right.