ProtonMail back up after paying ransom to cyber-criminals [Update]

Cyber-criminals and state-backed actors blamed as secure email firm says improvements to prevent similar attacks will cost $100,000 per year

ProtonMail, the Geneva-based encrypted email service that had been taken offline since Tuesday 3 November by what the company described as an "extremely powerful DDoS attack", is now back online as of this evening, the firm having paid a ransom. However, it believes it was attacked by two separate entities, one criminal and the other state-backed.

In a blog post, the company explains that it was obliged to pay a ransom of the Bitcoin equivalent of $6,000 because other companies that use the same ISPs as ProtonMail were also being affected by the attack, described as "quite unprecedented in size and scope".

ProtonMail said it initially received a ransom demand around midnight on Tuesday, shortly before the initial attacks began. The next attack occurred at 11 o'clock on Wednesday morning, at which point the company's data centre and its upstream provider took steps to mitigate it.

"However, within the span of a few hours, the attacks began to take on an unprecedented level of sophistication," the blog says.

"At around 2pm, the attackers began directly attacking the infrastructure of our upstream providers and the datacenter itself. The coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes."

It continues: "This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just ProtonMail."

"At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30pm Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless."

ProtonMail believes that two separate parties were involved: first a criminal gang, and second a state-sponsored actor.

"Through MELANI (a division of the Swiss federal government), we exchanged information with other companies who have also been attacked and made a few discoveries. First, the attack against ProtonMail can be divided into two stages. The first stage is the volumetric attack which was targeting just our IP addresses. The second stage is the more complex attack which targeted weak points in the infrastructure of our ISPs. This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated."

The company believes it was deliberately targeted because it offers end-to-end encrypted email.

"It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us," it says.

"...it is clear that online privacy has powerful opponents," ProtonMail adds, announcing the launch of a defence fund to strengthen its systems against similar attacks, improvements which are likely to cost in the region of $100,000 per year.

Update: Friday 06 November 9:30 - ProtonMail has been knocked offline again in a further attack. The company tweeted:

Computing research recently found that 40 percent of IT professionals are now using encrypted email services.
