Encrypted e-mail provider ProtonMail had been on the wrong end of a distributed denial of service (DDoS) campaign since November 3, and was forced to pay a ransom to the attackers to end the assault, the company said. The company described the campaign as “unprecedented in size and scope.”
Headquartered in Switzerland, ProtonMail said it received a ransom message Friday from a group of blackmailers that had struck a number of targets throughout that country in recent weeks. The attackers followed up on the threat with an attack that took ProtonMail’s service offline for 15 minutes, the company said.
The Swiss startup was launched earlier this year following a large crowdfunding campaign with the goal of providing PGP encryption to as wide a user base as possible to combat mass surveillance practices conducted by a number of countries. That objective puts it squarely in the crosshairs of groups like the National Security Agency that have been working to weaken or circumvent encryption tools.
The company said it has been working with the Swiss Governmental Computer Emergency Response Team, and the Cybercrime Coordination Unit Switzerland, as part of an ongoing criminal investigation being conducted in Switzerland with the assistance of Europol.
The perpetrators launched the attack in two stages, according to ProtonMail. The first stage was a volumetric attack, which only targeted the company’s IP addresses. The second stage was a more complex attack, which targeted weak points in the infrastructure of its ISP. This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated.
The assault on the company’s ISP exceeded 100 Gbps and hit not only the datacenter but also routers in Zurich, in Frankfurt, Germany, and in other locations where the ISP had nodes. The attack eventually managed to bring down the datacenter and the ISP, which impacted hundreds of other companies in addition to ProtonMail, the company said.
ProtonMail Pays Ransom
ProtonMail said that the two-pronged nature of the attack likely meant that it was under attack by two separate groups, with the second group of attackers exhibiting capabilities more commonly possessed by state-sponsored actors. It also indicated that the second group was not afraid of causing massive collateral damage to achieve its objective.
The company said it finally decided to pay the ransom to bring its service back online. Although it is not currently under attack, ProtonMail said it remains vulnerable if the hackers should decide to strike again. To defend itself against future attacks, the company said it will have to invest in costly countermeasures, and is launching a new fundraising campaign to help improve its defenses.
“We are fighting not just for privacy, but for the future of the Internet,” the company said in a blog post today. “We are confident that with your support, we can overcome this attack and come back stronger than ever, and continue to provide a place where online privacy is protected.”