Pro-Privacy Webmail ProtonMail Pays Ransom, But Hit By DDoS Attack Anyway (wordpress.com) 101
An anonymous reader writes: The new pro-privacy, pro-encryption webmail service ProtonMail has been under a sustained DDoS attack since November 3. They received a ransom demand a few days ago, along with a brief demonstration of how effective the DDoS attack was. They were advised to pay the ransom, and they complied. Unfortunately, the attackers launched the DDoS anyway. Here's a quote from their press release:
"Through MELANI (a division of the Swiss federal government), we exchanged information with other companies who have also been attacked and made a few discoveries. First, the attack against ProtonMail can be divided into two stages. The first stage is the volumetric attack which was targeting just our IP addresses. The second stage is the more complex attack which targeted weak points in the infrastructure of our ISPs. This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated. This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors. It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us."
Thanks, idiots (Score:5, Insightful)
The attackers want to thank all the people who are too stupid and lazy to protect their machines against being part of a botnet. Without your aid, this would not have been possible.
Re: (Score:1)
Yeah well, an appliance shouldn't be so easy to hack. And automatic updates shouldn't cause so many breakdowns, even if it is good for the repair/cleanup business. Computers are still not ready for prime time. They are way too frail. The word "robust" doesn't enter the picture.
Re: (Score:2)
Not quite. It was just that computers were no longer "so expensive and such a big hassle to get online" that the cheap and lazy people got one.
Re: (Score:2)
The usual 90/10 rule applies. Are you willing to pay about ten times what you pay for your computer? Then a (nearly) 100% secure system is a possibility.
Else, the 90% you got will need patching. But that means that you have to accept the responsibility and actually patch the box.
Re: (Score:2)
Are you willing to pay about ten times what you pay for your computer?
Most security doesn't cost a penny, if you bother to learn.
It's the people who decide to remain ignorant about security that wind up paying lots more for insultants, insurance, and break-ins.
--
BMO
Re: (Score:2)
So we're back at "people being too stupid and lazy to protect their machines"?
Re: (Score:2)
"Trust in god but tie your camel." -- Some Arab Proverb That Probably Isn't Real But I Agree With.
"Trust but verify." -- Russian proverb adopted by St. Ronnie Raygun
"Park it and lock it! Not Responsible!!" -- Firesign Theatre
--
BMO
Re: (Score:1)
The blame should fall on programmers not users.
Re: (Score:2)
If users were willing to pay what had to be paid for secure computers, we'd have them.
If computers could kill people, we'd have secure computers that cost about as much as a car does.
Re:Thanks, idiots (Score:4, Insightful)
Re: (Score:2)
The attackers want to thank all the people who are too stupid and lazy
stupid or lazy, actually.
Re: (Score:2)
Yes, one would do. Most of those numbnuts are both.
Re: (Score:2)
How's that appeasement workin' out fer ya? (Score:5, Insightful)
-- Robert Goodloe Harper
Re: (Score:2)
Re: (Score:2)
Nope, although it's often misquoted that way: http://www.bartleby.com/73/804... [bartleby.com].
Re: (Score:2)
More appropriately:
And that is called paying the DDOS geld
But we've proved it again and again
That if once you have paid them the DDOS geld
You never get rid of the DDOS!
Re: (Score:3)
Spot on. Here is the original for the interested:
It is always a temptation to an armed and agile nation
To call upon a neighbour and to say: --
"We invaded you last night--we are quite prepared to fight,
Unless you pay us cash to go away."
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
It is always a temptation for a rich and lazy nation,
Re: (Score:2)
More appropriately:
And that is called paying the DDOS geld
But we've proved it again and again
That if once you have paid them the DDOS geld
You never get rid of the DDOS!
Perhaps you meant "guild"? Or are you really saying " the " (verb the verb)?
Re: (Score:2)
You need a better dictionary. "Geld" can also be a noun with a very different meaning, although that usage is a bit archaic.
Re: (Score:1)
In practice, paying the tribute is more cost-effective than dying. But if you RTFS you'd know the problem most likely isn't that paying off didn't work, but that only one of the attackers wanted money:
ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors.
Protonmail can't outspend the US government.
Poor thought process (Score:5, Insightful)
I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals. Call Law enforcement, and make arrangements with companies that mitigate these attacks? Absolutely, and the latter may cost a few bucks. But paying out a blackmail threat is about as foolish as it gets.
Hell, even small time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital few hours later missing their belongings and a few teeth. The most unlucky of that bunch ended up raped, or dead.
Never trust a criminal! If their morality allows them to bend you over once, somehow believing they won't do it twice is completely irrational.
Incentives (Score:2)
I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals. Call Law enforcement, and make arrangements with companies that mitigate these attacks? Absolutely, and the latter may cost a few bucks. But paying out a blackmail threat is about as foolish as it gets.
Hell, even small time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital few hours later missing their belongings and a few teeth. The most unlucky of that bunch ended up raped, or dead.
Never trust a criminal! If their morality allows them to bend you over once, somehow believing they won't do it twice is completely irrational.
It's about incentives. If the criminal fails to honor the payment too much, people stop paying. The amount of harm to the company also goes up, as does the interest of major law enforcement task forces. That's why ransomware operators send you keys and private corporations are frequently willing to pay ransoms. But people with a major presence whose operations will be strongly hurt by allowing criminal operations to continue--most obviously the United States Government when dealing with terrorism--are m
Re: (Score:2)
It's about incentives. If the criminal fails to honor the payment too much, people stop paying. The amount of harm to the company also goes up, as does the interest of major law enforcement task forces. That's why ransomware operators send you keys and private corporations are frequently willing to pay ransoms. But people with a major presence whose operations will be strongly hurt by allowing criminal operations to continue--most obviously the United States Government when dealing with terrorism--are much less likely to pay.
Yes, but criminals are criminals, and as such are selfish. If they get the money and do the DDoS, then they have made their money and to heck with anybody else (including themselves later, but hey, they're criminals, so they don't think that far ahead).
Re: (Score:1)
Quite possibly law enforcement told them to pay the ransom. It's easier to follow the money than determine the true source of a DDoS attack.
Re: (Score:1)
Quite possibly law enforcement told them to pay the ransom.
Indeed. For example, the FBI is on record as recommending that CryptoWall victims pay the ransom as a best practice.
Re: (Score:1)
Hell, even small time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital few hours later missing their belongings and a few teeth.
Are you suggesting that one should fight a mugger because they're likely to attack you anyway? Do you have any evidence of this? My personal experience of family+friends is two or three "give me your money". In every case, they've handed it over - including the physically powerful ones who might have been able to overcome an attacker - and the mugger has just run off. Employees of businesses are almost invariably advised to hand over money because it's not worth it.
There are some good reasons to resist what
Re: (Score:2, Flamebait)
As to areas which allow you to carry a gun, if someone threatens you with a knife and you have a gun, you do have the option to take it out and hope there's not an accomplice behind you, of course. Again, the average citizen is not well trained.
You've probably heard the saying "Don't take a knife to a gun fight". Well the reverse also holds true; "Don't take a gun to a knife fight."
At the ranges within which knife fights take place a gun is a liability
Re: (Score:2)
May I introduce you to my friend the preview button? Comes free with every Slashdot post.
Yeah I know, I'd set it to extrans for a post the other day and forgotten to switch it back and missed the obvious on preview.
My point still stands though!!
Re: (Score:2, Informative)
Well, that might work for you, but I would suggest to everyone else that you ALWAYS take a gun to a knife fight if you want to win. I can have my gun out just as fast as some idiot can pull their knife out....PERIOD. Here is a hint: don't walk around oblivious to your surroundings, and you will always be in a position where your side arm (even concealed) can be accessed long before issues arise.
Re: (Score:2)
A knife doesn't run out of bullets
Yes, but you can't use a knife on someone 20 feet away, especially while they're shooting at you.
Re: (Score:2)
A knife doesn't run out of bullets
Yes, but you can't use a knife on someone 20 feet away, especially while they're shooting at you.
When you are literally eyeball to eyeball my money would be on the knife. Way faster, doesn't need to be particularly aimed, has multiple attack vectors, i.e. isn't only lethal in one direction. Even an unskilled person with a knife can be devastating at close quarters (look for youtube videos of frenzied stabbing attack vs martial artist).
Re: (Score:2)
When you are literally eyeball to eyeball my money would be on the knife.
If you managed to get that close after being shot repeatedly, then I'd knife you.
Re: (Score:2)
When you are literally eyeball to eyeball my money would be on the knife.
If you managed to get that close after being shot repeatedly, then I'd knife you.
Your scenario of an assailant who starts off at sufficient distance for your firearm to be useful resembles something like confirmation bias...
Re: (Score:2)
Are you suggesting that one should fight a mugger because they're likely to attack you anyway?
You invented a statement that I never made, and then defended your fake argument with a personal anecdote. Topping that off, you claim I need to give citation when I never made a claim that a person should be fighting a mugger. YOU DID! What I did state is that believing you are not going to be harmed by a criminal because you gave in to their criminal demand is irrational. There is more than one option.
And by way of personal anecdote I come from Detroit where giving a mugger money shows them that you
Re: (Score:3)
I got mugged once, years ago, on the outside of the swamp headed into Miami (just after alligator highway or whatever it's called - not the main route, the one south of it). The guy was nervous as fuck and carrying what appeared to be an unloaded Jennings .25. (I could not see the small tab that protrudes where the magazine goes but wasn't going to risk it.) Hell, it's a Jennings and a .25 - it might not even have fired.
Anyhow, he was nervous as fuck and I talked to him calmly and gave him my money and not
Re: (Score:1)
My personal experience of family+friends is two or three "give me your money".
Then I'm glad I'm not in your family or one of your friends; they're apparently criminals.
Re: (Score:2)
I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals.
A lot of such criminals are nothing more than illegal commercial enterprises. They rely on some facts such as the trustworthiness that paying the ransom will resolve the issue. If they lose that then they lose their source of income.
We're not talking about Anonymous here. These people do what they do for currency, not for lolz.
Talk is cheap (Score:1)
As a protonmail user it's been a nail-biting experience over the last few days.
Protonmail was hit by state sponsored attacks disguised as BC ransom.
Please consider donating.
Thank you.
Danegeld (Score:2)
https://en.wikipedia.org/wiki/Danegeld
Logic... (Score:2)
. Dummies.
Dane Geld (Score:3)
There is nothing to say on the matter of ransom ware that Rudyard Kipling [poetryloverspage.com] hasn't already said, with greater eloquence than I could muster. To reference another great saying, "millions for defense, not one penny for tribute".
Likely not criminals. (Score:5, Insightful)
Really Bad Business Model (Score:5, Interesting)
This sets a precedent now so everyone knows not to pay hostage money to people that threaten DDOS attacks as they don't follow through honorably.
Re: (Score:2)
Incidentally, this may just cut down on the part of the problem created by common criminals. Their "business opportunity" just vanished. Now we mainly have to worry about state-sponsored and employed terrorists, like certain employees of the NSA, GCHQ, Chinese and Russian intelligence, etc.
Re: (Score:2)
This sets a precedent now so everyone knows not to pay hostage money to people that threaten DDOS attacks as they don't follow through honorably.
There were evidently two groups of attackers. Quite possibly one stopped and the other one wasn't after money to start with.
Why would you pay? (Score:2, Informative)
The self-righteousness of slashdot know-it-alls sucks.
Protonmail made it quite clear, the ISP and carrier made them pay after the whole datacenter with hundreds of other customers went down. It's not like they did not know that you should not pay. But if you are close to being put out on the street, you reassess your policies.
DDoS protection against this size of attack is expensive and it is obvious that a provider of secure email can not simply hand out the ssl key to a CDN. If you want to make sure the ne
They were pressured into paying (Score:3)
They didn't just decide to pay the ransom of their own volition. They were pressured into it by third parties who were suffering major economic losses due to the attack. Their ISP was basically taken offline, along with all of their other business customers.
Here is your money. (Score:2)
Look at it, for it's as close as you'll ever get to it.
I'm not going to pay you. Instead, this money goes to whoever brings me your head. I don't care what he does with the rest. I only need your head.
U.S government (Score:1)
and its lackeys most likely behind this. The typical cyber-criminals are pro-privacy, while the U.S gov is the fiercest opponent to it.
Never pay ransom (Score:2)
Charities and Volunteer organizations also use the same tactics.
Idiots. (Score:2)
I've just mugged you for your wallet.
"Give me your phone and I'll give you your wallet back."
Yeah. Right.