First ProtonMail, now Zoho hit by DDoS attack by criminal gang Armada Collective

Armada Collective criminal gang also behind recent attacks on banks, online firms and other email providers

A criminal group calling itself Armada Collective is reportedly behind a series of distributed denial of service (DDoS) attacks that have seen the cloud-based email, office suite and CRM provider Zoho taken offline repeatedly over the past few days. This is the same group that initiated an attack against Swiss secure email provider ProtonMail last week.

"We're facing a criminal cyber-attack called a DDoS (Distributed Denial of Service) aimed at denying access to genuine users of our services. Updates are available at https://blogs.zoho.com/service-updates and we're also posting on our @Zoho Twitter handle," Zoho says in its blog.

In the latest update, posted at 06:50 Pacific Time (14:50 GMT) on 9 November, the blog says:

"Due to relentless attacks we have taken emergency counter measures. Part of this is to reroute traffic and data, through additional network hops to filter out the attack. This added complexity is making service access unstable and slow for customers. We are working on it as we speak."

Security expert Graham Cluley reports that the group attacking Zoho is the same criminal gang, called Armada Collective, that sent a ransom note to ProtonMail before initiating a wave of attacks against it. ProtonMail paid a ransom in bitcoin of $6,000 to the attackers, but that did not stop the surge in traffic crashing its servers and those of its ISPs. The secure email provider believes it was also subsequently attacked by state-backed actors, since the methodology and level of sophistication changed.

Zoho has said it will not pay the attackers what they are demanding.

Cluley reports that prior to ProtonMail, Armada Collective had previously struck at the webhosts of other Swiss online firms and financial institutions, as well as four Thai banks, demanding a ransom in each case.

Other email services have also been hit by similar tactics since 5 November including Hushmail, Neomailbox, VFEmail and Runbox, all of whom have insisted they will not pay.