Slashdot Mirror


Pro-Privacy Webmail ProtonMail Pays Ransom, But Hit By DDoS Attack Anyway (wordpress.com)

An anonymous reader writes: The new pro-privacy, pro-encryption webmail service ProtonMail has been under a sustained DDoS attack since November 3. They received a ransom demand a few days ago, along with a brief demonstration of how effective the DDoS attack was. They were advised to pay the ransom, and they complied. Unfortunately, the attackers launched the DDoS anyway. Here's a quote from their press release:

"Through MELANI (a division of the Swiss federal government), we exchanged information with other companies who have also been attacked and made a few discoveries. First, the attack against ProtonMail can be divided into two stages. The first stage is the volumetric attack which was targeting just our IP addresses. The second stage is the more complex attack which targeted weak points in the infrastructure of our ISPs. This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated. This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors. It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us."

12 of 101 comments

  1. Thanks, idiots by Opportunist · · Score: 4, Insightful

    The attackers want to thank all the people who are too stupid and lazy to protect their machines against being part of a botnet. Without your aid, this would not have been possible.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Thanks, idiots by alvinrod · · Score: 3, Insightful

      You can't stop someone who knowingly downloads and installs a program that compromises and takes over their machine. No amount of programming can fix that.

  2. How's that appeasement workin' out fer ya? by idontgno · · Score: 4, Insightful

    "Millions for defense, but not one cent for tribute."

    -- Robert Goodloe Harper

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
    1. Re:How's that appeasement workin' out fer ya? by tsm_sf · · Score: 2

      Spot on. Here is the original for the interested:

      It is always a temptation to an armed and agile nation
          To call upon a neighbour and to say: --
      "We invaded you last night--we are quite prepared to fight,
          Unless you pay us cash to go away."

      And that is called asking for Dane-geld,
          And the people who ask it explain
      That you've only to pay 'em the Dane-geld
          And then you'll get rid of the Dane!

      It is always a temptation for a rich and lazy nation,
          To puff and look important and to say: --
      "Though we know we should defeat you, we have not the time to meet you.
          We will therefore pay you cash to go away."

      And that is called paying the Dane-geld;
          But we've proved it again and again,
      That if once you have paid him the Dane-geld
          You never get rid of the Dane.

      It is wrong to put temptation in the path of any nation,
          For fear they should succumb and go astray;
      So when you are requested to pay up or be molested,
          You will find it better policy to say: --

      "We never pay any-one Dane-geld,
          No matter how trifling the cost;
      For the end of that game is oppression and shame,
          And the nation that pays it is lost!"

      - Rudyard Kipling

      --
      Literalism isn't a form of humor, it's you being irritating.
  3. Poor thought process by s.petry · · Score: 5, Insightful

    I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals. Call Law enforcement, and make arrangements with companies that mitigate these attacks? Absolutely, and the latter may cost a few bucks. But paying out a blackmail threat is about as foolish as it gets.

    Hell, even small-time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital a few hours later missing their belongings and a few teeth. The most unlucky of that bunch ended up raped, or dead.

    Never trust a criminal! If their morality allows them to bend you over once, somehow believing they won't do it twice is completely irrational.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Poor thought process by KGIII · · Score: 2

      I got mugged once, years ago, on the outside of the swamp headed into Miami (just after alligator highway or whatever it's called - not the main route, the one south of it). The guy was nervous as fuck and carrying what appeared to be an unloaded Jennings .25. (I could not see the small tab that protrudes where the magazine goes but wasn't going to risk it.) Hell, it's a Jennings and a .25 - it might not even have fired.

      Anyhow, he was nervous as fuck and I talked to him calmly and gave him my money and not my wallet. He said just give me your wallet and I told him that I could not do that but that I'd give him my cash. Meh... It was pretty tame, really. I was more calm than he was. I'd say, if you're getting mugged then, by all means, pay up but remain calm. Chances are they're scared. I'm not worried about someone who's holding a firearm and pointing it at me with seriousness. I'm worried about the idiot who's pointing a firearm vaguely in my direction and is scared. The first one would have already shot me, the second one is quite likely to screw the whole situation up. Just stay calm and give them the money.

      There's more to the story but that's the gist of it. It was over in what felt like a few minutes but was probably closer to just one minute. Time seems to slow and you get hyper-alert. My first thought was to attempt to disarm them and then I realized that would be a terribly stupid thing to do. The last thing I wanted to do was cause a scene which would make them nervous or, worse, turn a mugging into a hostage situation or, worse, get someone else hurt. If someone were threatening to DDoS a service or extort money then I'd probably either let the cops follow the money or I'd put a notice up on the page saying something along the lines that service will likely be disrupted because $group expects us to be cowards. I'd rather prorate customer bills than be subjected to blackmail in the future and it's not likely to be a life and death situation or anything.

      --
      "So long and thanks for all the fish."
  4. Incentives by Etherwalk · · Score: 2

    > I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals. Call Law enforcement, and make arrangements with companies that mitigate these attacks? Absolutely, and the latter may cost a few bucks. But paying out a blackmail threat is about as foolish as it gets.
    >
    > Hell, even small-time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital a few hours later missing their belongings and a few teeth. The most unlucky of that bunch ended up raped, or dead.
    >
    > Never trust a criminal! If their morality allows them to bend you over once, somehow believing they won't do it twice is completely irrational.

    It's about incentives. If the criminal fails to honor the payment too much, people stop paying. The amount of harm to the company also goes up, as does the interest of major law enforcement task forces. That's why ransomware operators send you keys and private corporations are frequently willing to pay ransoms. But people with a major presence whose operations will be strongly hurt by allowing criminal operations to continue--most obviously the United States Government when dealing with terrorism--are much less likely to pay.

  5. Dane Geld by istartedi · · Score: 2

    There is nothing to say on the matter of ransom ware that Rudyard Kipling hasn't already said, with greater eloquence than I could muster. To reference another great saying, "millions for defense, not one penny for tribute".

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  6. Likely not criminals. by wheelbarrio · · Score: 5, Insightful

    Lots of comments here about the foolishness of paying off criminals. Indeed. But in fact I tip my hat to ProtonMail for their clever strategy for illuminating the likely identity of their attackers. The thing is, when you pay off blackmailers they typically don't then carry through with the initial threat because that's bad business. They may make further demands based on their new knowledge of you being an easy mark, but to carry out the initially threatened action after being paid simply sends the message to you and other potential targets that paying is a waste of money because the threat will be carried out anyway. The profile of the target (encrypted email service) alone combined with analysis of the second attack as having the hallmarks of a state actor would suggest a three-letter agency. The fact that they got hit after paying just clinches it.

  7. Really Bad Business Model by Idimmu+Xul · · Score: 4, Interesting

    This sets a precedent now so everyone knows not to pay hostage money to people that threaten DDoS attacks as they don't follow through honorably.

    --
    The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
  8. Why would you pay? by Anonymous Coward · · Score: 2, Informative

    The self-righteousness of slashdot know-it-alls sucks.

    Protonmail made it quite clear, the ISP and carrier made them pay after the whole datacenter with hundreds of other customers went down. It's not like they did not know that you should not pay. But if you are close to being put out on the street, you reassess your policies.

    DDoS protection against this size of attack is expensive and it is obvious that a provider of secure email cannot simply hand out the SSL key to a CDN. If you want to make sure the next attack is hit with the visor down and the defense in place, then go and support their defense fund, so they are no longer tempted to pay.

  9. They were pressured into paying by dnaumov · · Score: 2

    They didn't just decide to pay the ransom of their own volition. They were pressured into it by third parties who were suffering major economic losses due to the attack. Their ISP was basically taken offline, along with all of their other business customers.