I can’t help but feel that ProtonMail has let down every company on the internet.
The Geneva-based encrypted email service has suffered a distributed denial-of-service (DDoS) attack this week, preventing its users from accessing their inboxes.
Understandably, their users weren’t happy to find that their email was inaccessible.
At first, the reasons for the DDoS attack – described as “unprecedented in size and scope” – were unclear, but yesterday the company confirmed that blackmailers were demanding $6000 worth of Bitcoin for the internet attack to stop.
And ProtonMail decided to pay up.
The coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes. This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just ProtonMail.
At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. Attacks against infrastructure continued throughout the evening and in order to keep other customers online, our ISP was forced to stop announcing our IP range, effectively taking us offline. The attack disrupted traffic across the ISP’s entire network and got so serious that the criminals who extorted us previously even found it necessary to write us to deny responsibility for the second attack.
I do feel sorry for ProtonMail. We must not forget that they were the innocent victims of a crime, and there were clearly other innocent victims caught up in events too (ProtonMail’s users, the ISP, other companies who used the targeted data centre). But that doesn’t mean I agree with how ProtonMail responded.
@BigDeesDad Over 100 companies were taken offline from the attack against us. Impacted companies asked us to pay, we couldn't refuse.
— ProtonMail (@ProtonMail) November 5, 2015
This was extortion plain and simple. Something I’m expecting we are going to see even more of in the years to come – whether it be in the form of attacks impacting website availability or the stealing of data with the threat of making it available to the public.
But the only reason criminals attempt to blackmail money out of anyone is because they believe there is a reasonable chance that we will pay the ransom.
Don’t pay internet blackmailers. All you have done is told the extortionists that you will consider giving them money for their crimes, and there is no guarantee that they – or other criminals – won’t try it again and again and again.
Paying blackmailers is only going to encourage more attacks, and is making the internet a less safe place for all of us.
Opinions are divided as to whether ProtonMail had options other than paying the blackmailers. My view is that there is always another way.
@martijn_grooten Shut down. Change service provider. Get DDoS protection. Paying blackmailing DDoSers doesn't work
— Graham Cluley (@gcluley) November 5, 2015
In case you’re curious, at the time of writing (Friday morning, 8:48 am UK time), the ProtonMail website is inaccessible. One has to assume that it is under a DDoS attack. Whether that is being orchestrated by the attackers who originally blackmailed them or others, I couldn’t say.
The company has set up a defence fund, asking supporters to raise $50,000 to help it improve its infrastructure and fend off future attacks. So far, after 14 hours or so, it has raised in excess of $10,000.
Our ISP came under renewed DDoS attack this morning so we are offline again. We need your help to fight this: https://t.co/RnC8L99U0U
— ProtonMail (@ProtonMail) November 6, 2015