A secure-email firm, based in Switzerland, has paid a ransom of more than £3,600 after web attacks crippled its website. The hi-tech criminals behind the web attacks said the payment would stop the deluge of data hitting the site. But despite paying up, the web attacks continued, leaving Protonmail struggling to operate. It has now launched a fund-raising drive to raise cash to tackle any future attacks.
Protonmail did not respond to the message and, soon afterwards, was hit by what is known as a distributed denial of service (DDoS) attack. This tries to knock a server offline by bombarding it with more data than it can handle. Protonmail is a free, web-based, encrypted email service that needs its site up and running to serve customers. The first attack knocked out Protonmail for about 15 minutes and then stopped. A second attack the next day was much bigger and overwhelmed efforts by the email firm and its ISP to stop it.
"This co-ordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just Protonmail," it said on the blog. In a bid to halt the attack, Protonmail said it "grudgingly" paid the 15 bitcoin ransom.
[...]
Post-attack analysis suggests Protonmail was targeted in two phases, the company said. The first aided the ransom demand but the second was "not afraid of causing massive collateral damage in order to get at us".
Switzerland's national Computer Emergency Response Team (Cert), which helped Protonmail cope, said the attack was carried out by a cybercrime group known as the Armada Collective. This group has also targeted many other Swiss web companies over the last few weeks, the team said.
There is a particularly devious type of malicious software that locks users out of their own computer systems until an individual agrees to pay a ransom to the hackers. In these cases, the FBI has surprisingly suggested just ponying up the dough.
It's not the type of advice one would typically expect from the FBI, but that's exactly what was recommended by Joseph Bonavolonta, the assistant special agent in charge of the FBI's CYBER and Counterintelligence Program Boston office.
"The ransomware is that good," said Bonavolonta at the 2015 Cyber Security Summit in Boston, as quoted by Security Ledger. "To be honest, we often advise people just to pay the ransom."
Yeah, it's RT, but I did a search, and that or similar headlines popped up on dozens of news sites. I clicked a couple of them, and the stories match. Try this one,
https://thehackernews.com/2015/10/fbi-ransomware-malware.html
Personally, I can almost certainly afford to nuke and reinstall, unless they get my RAID array. Then - I'd have to think hard.
(Score: 3, Informative) by q.kontinuum on Saturday November 07 2015, @09:30AM
Both topics have only in common that they are online (as is quite much of our life nowadays) and about paying a ransom. Connecting the FBI recommendation to this email-provider story seemed to imply there was a confidentiality-breach at the mail provider (encrypting their servers to collect ransom for decryption implies read-access to the server in the first place), which tricked me into reading an otherwise rather boring piece of information.
DDoS attacks can't be completely prevented. A typical DDoS attack does not, as the article claims, just block the server by sending too much data; this would be costly for the attacker as well (by loading the bot-net heavily / requiring a huge bot-net). A typical website DDoS attack is executed by sending small SYN packets and then not reacting to the ACK, thus forcing the server to keep an enormous number of open sockets.
The first intuitive approach would be to blacklist IPs firing too many SYN requests, but a SYN request can have a spoofed IP, opening up this defence mechanism to another type of even faster DDoS attack by tricking it into blocking all IPs.
My knowledge might be outdated, so if my critique of the article was wrong, please correct me.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 2, Informative) by Francis on Saturday November 07 2015, @02:41PM
I'm pretty sure that the article got the type wrong. I'm not sure anybody does those sorts of attacks any more because you can just stutter the response and use a fraction of a percent of the resources that the attacker is burning through. Something like that isn't terribly sustainable.
It's going to be something like firing off too many SYN requests. That initial connection isn't something that you can do much about. Whenever there's a request the computer has to address it, even if that's just to decide that it should be ignored with no further processing. Get enough of those and you start running low on resources and hit whatever your limit for connections is.
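The two comments above describe a SYN flood as a half-open-connection backlog and warn that per-IP blacklisting backfires when the sources are spoofed. The following added example (my code, not from the thread or from ProtonMail) illustrates the defensive side of that point: it reads constructed `ss -tan`-style socket lines, counts the SYN-RECV backlog per peer, and distinguishes a backlog concentrated on one peer (where a per-source limit helps) from one spread thinly across many peers (the spoofed-flood shape, where per-IP blocking is pointless and SYN cookies or backlog tuning are the right response). The thresholds are assumptions for illustration.

```python
from collections import Counter

# Constructed sample in the style of `ss -tan` lines (state, recv-q, send-q,
# local, peer); not taken from the page. Eight half-open connections from
# eight different peers plus two completed handshakes.
SAMPLE = "\n".join(
    [f"SYN-RECV 0 0 203.0.113.10:443 198.51.100.{i}:51234" for i in range(7, 15)]
    + ["ESTAB 0 0 203.0.113.10:443 192.0.2.44:40001",
       "ESTAB 0 0 203.0.113.10:443 192.0.2.45:40002"]
)


def parse(text):
    """Return (state, peer_ip) for each socket line; skips headers and blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("State", "Netid"):
            continue
        peer_ip = parts[4].rsplit(":", 1)[0]   # drop the port
        rows.append((parts[0], peer_ip))
    return rows


def assess(rows, half_open_limit=5, concentration=0.5):
    """Classify the half-open backlog (thresholds are illustrative assumptions).

    normal       : backlog below half_open_limit.
    concentrated : one peer holds >= `concentration` of the backlog; a
                   per-source rate limit would actually bite here.
    dispersed    : backlog spread thinly over many peers, the shape of a
                   spoofed-source SYN flood. Blocking per peer IP is useless
                   (the addresses are fake) and, as the comment warns, an
                   attacker can steer such a blacklist at legitimate ranges;
                   rely on SYN cookies / backlog tuning instead.
    """
    half_open = Counter(ip for state, ip in rows if state == "SYN-RECV")
    total = sum(half_open.values())
    report = {"half_open": total, "sources": len(half_open)}
    if total < half_open_limit:
        return {**report, "verdict": "normal"}
    top_ip, top_n = half_open.most_common(1)[0]
    if top_n / total >= concentration:
        return {**report, "verdict": "concentrated", "top": top_ip}
    return {**report, "verdict": "dispersed"}


if __name__ == "__main__":
    print(assess(parse(SAMPLE)))
```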
(Score: 2, Disagree) by Nuke on Saturday November 07 2015, @10:06AM
They won't be getting any funds from me to hand on to crooks.
(Score: 1) by mrpg on Saturday November 07 2015, @02:41PM
"In order to defend against future attacks of this scale, we will need to utilize top-of-the-line solutions"
(Score: 1, Touché) by Anonymous Coward on Saturday November 07 2015, @10:48AM
The hundreds of millions of powned windoze boxen are what is creating this flood of traffic. Those wonderful botnetted DDOSers.
Thank you M$ for creating this mess. And thank you ISPs for doing nothing to fix it.
(Score: 2) by linkdude64 on Saturday November 07 2015, @11:09AM
and thank the NSA for creating (mandating) the backdoors?
(Score: 0) by Anonymous Coward on Saturday November 07 2015, @10:06PM
Nonsense, it's not the NSA's fault. Now Symantec threatening to sue for antitrust if MS secured their OS...
(Score: 0) by Anonymous Coward on Sunday November 08 2015, @02:37AM
you're a fool if you think the majority of DDoS attacks are done by desktop PCs; a good portion of it is done by routers (shitty Asus, D-Link, Cisco, Linksys, whatever) with out-of-date firmware on them or default passwords, or worse yet, internet-accessible web management interfaces.
check out SSDP amplification attacks for one, Cloudflare has some interesting statistics on the matter.
(Score: 1, Informative) by Anonymous Coward on Saturday November 07 2015, @11:59AM
Runbox.com was hit with a DDOS two days ago. They did not pay the ransom.
(Score: 3, Informative) by mrpg on Saturday November 07 2015, @02:48PM
And neomailbox and runbox and vfemail
https://twitter.com/neomailbox
https://blog.runbox.com/2015/11/new-ddos-attack-friday/
https://twitter.com/VFEmail
(Score: 5, Interesting) by pTamok on Saturday November 07 2015, @07:04PM
So the big news, not reported on any mainstream news network, is that multiple providers of security-enhanced email services have been targeted with sophisticated DDoS attacks, to the extent that some may be forced to stop operating as other companies using the same ISPs don't like the downtime they cause.
That's remarkably convenient for some people, and looks like an assault on liberty. By whom, I wonder. State actors have been mentioned.
I would find it difficult to believe a criminal organisation is behind it, as criminals like secure email.
I sincerely hope security enhanced email remains an option for people who need it.
(Score: 1, Interesting) by Anonymous Coward on Saturday November 07 2015, @08:22PM
As a ProtonMail user, I'm disappointed my donation went into the hands of botnet operators.
I can't fathom how someone can gain anything by attacking one of the few glimmers of hope we have in email service providers.
(Score: 2) by EQ on Sunday November 08 2015, @09:57AM
No botnet if there aren't compromised machines that serve as bots. Find the bots, force the ISPs to cut them off until they scan clean. If it's a multiple repeat offender, suspend it for a week, and if the abuse continues, eventually permaban the owner for contributory negligence. Stupidity that harms others should have a price.