Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security Communications Encryption The Internet

Pro-Privacy Webmail ProtonMail Pays Ransom, But Hit By DDoS Attack Anyway (wordpress.com) 101

An anonymous reader writes: The new pro-privacy, pro-encryption webmail service ProtonMail has been under a sustained DDoS attack since November 3. They received a ransom demand a few days ago, along with a brief demonstration of how effective the DDoS attack was. They were advised to pay the ransom, and they complied. Unfortunately, the attackers launched the DDoS anyway. Here's a quote from their press release:

"Through MELANI (a division of the Swiss federal government), we exchanged information with other companies who have also been attacked and made a few discoveries. First, the attack against ProtonMail can be divided into two stages. The first stage is the volumetric attack which was targeting just our IP addresses. The second stage is the more complex attack which targeted weak points in the infrastructure of our ISPs. This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated. This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors. It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us."

This discussion has been archived. No new comments can be posted.

Pro-Privacy Webmail ProtonMail Pays Ransom, But Hit By DDoS Attack Anyway

Comments Filter:
  • Thanks, idiots (Score:5, Insightful)

    by Opportunist ( 166417 ) on Friday November 06, 2015 @07:14PM (#50880755)

    The attackers want to thank all the people who are too stupid and lazy to protect their machines against being part of a botnet. Without your aid, this would not have been possible.

    • Yeah well, an appliance shouldn't be so easy to hack. And automatic updates shouldn't cause so many breakdowns, even if it is good for the repair/cleanup business. Computers are still not ready for prime time. They are way too frail. The word "robust" doesn't enter the picture.

    • by Anonymous Coward

      The blame should fall on programmers not users.

    • The attackers want to thank all the people who are too stupid and lazy

      stupid or lazy, actually.

  • by idontgno ( 624372 ) on Friday November 06, 2015 @07:18PM (#50880773) Journal

    "Millions for defense, but not one cent for tribute."

    -- Robert Goodloe Harper

    • isn't it "penny" instead of "cent"?
    • by Anonymous Coward

      In practice, paying the tribute is more cost-effective than dying. But if you RTFS you'd know the problem most likely isn't that paying off didn't work, but that only one of the attackers wanted money:

      ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors.

      Protonmail can't outspend the US government.

  • by s.petry ( 762400 ) on Friday November 06, 2015 @07:28PM (#50880805)

    I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals. Call Law enforcement, and make arrangements with companies that mitigate these attacks? Absolutely, and the latter may cost a few bucks. But paying out a blackmail threat is about as foolish as it gets.

    Hell, even small time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital few hours later missing their belongings and a few teeth. The most unlucky of that bunch ended up raped, or dead.

    Never trust a criminal! If their morality allows them to bend you over once, somehow believing they won't do it twice is completely irrational.

    • I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals. Call Law enforcement, and make arrangements with companies that mitigate these attacks? Absolutely, and the latter may cost a few bucks. But paying out a blackmail threat is about as foolish as it gets.

      Hell, even small time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital few hours later missing their belongings and a few teeth. The most unlucky of that bunch ended up raped, or dead.

      Never trust a criminal! If their morality allows them to bend you over once, somehow believing they won't do it twice is completely irrational.

      It's about incentives. If the criminal fails to honor the payment too much, people stop paying. The amount of harm to the company also goes up, as does the interest of major law enforcement task forces. That's why ransomware operators send you keys and private corporations are frequently willing to pay ransoms. But people with a major presence whose operations will be strongly hurt by allowing criminal operations to continue--most obviously the United States Government when dealing with terrorism--are m

      • It's about incentives. If the criminal fails to honor the payment too much, people stop paying. The amount of harm to the company also goes up, as does the interest of major law enforcement task forces. That's why ransomware operators send you keys and private corporations are frequently willing to pay ransoms. But people with a major presence whose operations will be strongly hurt by allowing criminal operations to continue--most obviously the United States Government when dealing with terrorism--are much less likely to pay.

        Yes, but criminals are criminals, and as such are selfish. If they get the money and do the DDoS, then they have made their money and to heck with anybody else (including themselves later, but hey, they're criminals, so they don't think that far ahead).

    • by Anonymous Coward

      Quite possibly law enforcement told them to pay the ransom. It's easier to follow the money than determine the true source of a DDoS attack.

      • by Anonymous Coward

        Quite possibly law enforcement told them to pay the ransom.

        Indeed. For example, the FBI is on record as recommending that CryptoWall victims pay the ransom as a best practice.

    • by Anonymous Coward

      Hell, even small time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital few hours later missing their belongings and a few teeth.

      Are you suggesting that one should fight a mugger because they're likely to attack you anyway? Do you have any evidence of this? My personal experience of family+friends is two or three "give me your money". In every case, they've handed it over - including the physically powerful ones who might have been able to overcome an attacker - and the mugger has just run off. Employees of businesses are almost invariably advised to hand over money because it's not worth it.

      There are some good reasons to resist what

      • Re: (Score:2, Flamebait)

        <quote>
        <p>As to areas which allow you to carry a gun, if someone threatens you with a knife and you have a gun, you do have the option to take it out and hope there's not an accomplice behind you, of course. Again, the average citizen is not well trained.</p>
        </p></quote>

        You've probably heard the saying "Don't take a knife to a gun fight". Well the reverse also holds true; "Don't take a gun to a knife fight."

        At the ranges within which knife fights take place a gun is a liability
        • Re: (Score:2, Informative)

          by deKernel ( 65640 )

          Well, that might work for you, but I would suggest to everyone else that you ALWAYS take a gun to a knife fight if you want to win. I can have my gun out just as fast as some idiot can pull their knife out....PERIOD. Here is a hit, don't walk around oblivious to your surroundings, and you will always be in a position where your side arm (even concealed) can be accessed long before issues arise.

      • by s.petry ( 762400 )

        Are you suggesting that one should fight a mugger because they're likely to attack you anyway?

        You invented a statement that I never made, and then defended your fake argument with a personal anecdote. Topping that off, you claim I need to give citation when I never made a claim that a person should be fighting a mugger. YOU DID! What I did state is that believing you are not going to be harmed by a criminal because you gave in to their criminal demand is irrational. There is more than one option.

        And by way of personal anecdote I come from Detroit where giving a mugger money shows them that you

      • by KGIII ( 973947 )

        I got mugged once, years ago, on the outside of the swamp headed into Miami (just after alligator highway or whatever it's called - not the main route, the one south of it). The guy was nervous as fuck and carrying what appeared to be an unloaded Jennings .25. (I could not see the small tab that protrudes where the magazine goes but wasn't going to risk it.) Hell, it's a Jennings and a .25 - it might not even have fired.

        Anyhow, he was nervous as fuck and I talked to him calmly and gave him my money and not

      • by Anonymous Coward

        My personal experience of family+friends is two or three "give me your money".

        Then I'm glad I'm not in your family or one of your friends; they're apparently criminals.

    • I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals.

      Are lot of such criminals are nothing more than illegal commercial enterprises. They rely on some facts such as the trustworthyness that paying the ransom will resolve the issue. If they lose that then they lose their source of income.

      We're not talking about Anonymous here. These people do what they do for currency, not for lolz.

  • by Anonymous Coward

    As a protonmail user it's been nail-biting experience over the last few days.

    Protonmail was hit by state sponsored attacks disguised as BC ransom.

    Please consider donating.

    Thank you.

  • See Kipling on this.
    https://en.wikipedia.org/wiki/Danegeld
  • If target pays x to prevent attack, surely they'll pay x + y to stop it.

    . Dummies.

  • by istartedi ( 132515 ) on Friday November 06, 2015 @09:15PM (#50881207) Journal

    There is nothing to say on the matter of ransom ware that Rudyard Kipling [poetryloverspage.com] hasn't already said, with greater eloquence than I could muster. To reference another great saying, "millions for defense, not one penny for tribute".

  • by wheelbarrio ( 1784594 ) on Friday November 06, 2015 @09:41PM (#50881263)
    Lots of comments here about the foolishness of paying off criminals. Indeed. But in fact I tip my hat to ProtonMail for their clever strategy for illuminating the likely identity of their attackers. The thing is, when you pay off blackmailers they typically don't then carry through with the initial threat because that's bad business. They may make further demands based on their new knowledge of you being an easy mark, but to carry out the initially threatened action after being paid simply sends the message to you and other potential targets that paying is a waste of money because the threat will be carried out anyway. The profile of the target (encrypted email service) alone combined with analysis of the second attack as having the hallmarks of a state actor would suggest a three-letter agency. The fact that they got hit after paying just clinches it.
  • by Idimmu Xul ( 204345 ) on Friday November 06, 2015 @09:53PM (#50881287) Homepage Journal

    This sets a precedent now so everyone knows not to pay hostage money to people that threaten DDOS attacks as they don't follow through honorably.

    • by gweihir ( 88907 )

      Incidentally, this may just cut down on the part of the problem created by common criminals. Their "business opportunity" just vanished. Now we mainly have to worry about state-sponsored and employed terrorists, like certain employees of the NSA, GCHQ, Chinese and Russian intelligence, etc.

    • This sets a precedent now so everyone knows not to pay hostage money to people that threaten DDOS attacks as they don't follow through honorably.

      There were evidently two groups of attackers. Quite possibly one stopped and the other one wasn't after money to start with.

  • Why would you pay? (Score:2, Informative)

    by Anonymous Coward

    The self-righteousness of slashdot know-it-alls sucks.

    Protonmail made it quite clear, the ISP and carrier made them pay after the whole datacenter with hundreds of other customers went down. It's not like they did not know that you should not pay. But if you are close to being put out on the street, you reassess your policies.

    DDoS protection against this size of attack is expensive and it is obvious that a provider of secure email can not simply hand out the ssl key to a CDN. If you want to make sure the ne

  • by dnaumov ( 453672 ) on Saturday November 07, 2015 @06:09AM (#50882279)

    They didn't just decide to pay the ransom of their own volition. They were pressured into it by third parties who were suffering major economic losses due to the attack. Their ISP was basically taken offline, along with all of their other business customers.

  • Look at it, for it's as close as you'll ever get to it.

    I'm not going to pay you. Instead, this money goes to whoever brings me your head. I don't care what he does with the rest. I only need your head.

  • by Anonymous Coward

    and its lackeys most likely behind this. The typical cyber-criminals are pro-privacy, while the U.S gov is the fiercest opponent to it.

  • Never pay ransom.Never pay bribes. Never pay blackmailers. You are honest. They are not. You have no guarantee they will do what they say, they will use your honesty and your reputation against you to continue to suck even more money out of you. You will also make the list of targets who will pay, and will be hit again and again.
    Charities and Volunteer organizations also use the same tactics.
  • I've just mugged you for your wallet.

    "Give me your phone and I'll give you your wallet back."

    Yeah. Right.

Feel disillusioned? I've got some great new illusions, right here!

Working...