Lesson Learned from ProtonMail Incident: Do Not Pay Cybercriminals

End-to-end encryption email service ProtonMail learned a costly lesson about cyber ransom tactics: just because hackers demanded a ransom, it doesn’t mean the attacks are going to stop once you pay up. The email service, with users ranging from journalists to whistleblowers, paid the ransom of 15 Bitcoins (around US $6,000) in an attempt to end a crippling distributed denial of service (DDoS) attack. However, paying the ransom didn’t quell the attackers, prompting the email provider to issue a statement that they “will never pay another ransom.”

ProtonMail received a message on November 3rd from hackers who recently carried out a number of DDoS attacks across Switzerland. The message was then followed by an attack (believed to be from the group called the Armada Collective, which has been responsible for extortion of several private email services), that flooded ProtonMail’s IP addresses and knocking the service offline for approximately 15 minutes. By 2 p.m. the next day, the attackers struck the infrastructure of its data center and upstream providers. The coordinated attack has consequently impacted other companies. In their blog post, the company was said to be “placed under a lot of pressure by third parties to just pay the ransom.” In the hopes of alleviating the effects on companies caught up in the attacks against ProtonMail, they did pay up—but the attacks continued nonetheless, suggesting that another group was involved.

Through further examination of the DDoS attack, ProtonMail learned that there were two separate groups behind the attack stages, with the latter stage (suspected to be state-sponsored) designed to cause large-scale damage.

As ProtonMail resorted to paying the ransom, effectively straining its finances, they now have launched a crowdfunding campaign to prevent future attacks, estimated around $100,000 worth of annual security solutions against complex attacks. At the time of writing, ProtonMail is back online and has raised $50,000 in just three days after they initiated the defense fund.

There isn’t a surefire formula to stop every DDoS attack. Just like any other attack, cybercriminals have varied their attack vectors depending on their motives. Sometimes, a malicious actor can deploy a DDoS attack to create a diversion while going for more valuable data. Any company that has an online presence should be wary of these attacks, especially since being a target also means putting its users at risk. Being prepared for an attack still beats shuffling around trying to deal with a threat. Helpful mitigation techniques include updating all of your systems, having a contingency plan in case things go south, and, of course, educating employees to raise their awareness about various tricks and schemes.

If there’s any major takeaway from this ProtonMail incident, it’s that you don’t want to encourage cybercriminals by paying them. In such a way, you’re funding their activities and even encouraging more attacks by negotiating.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.