
ProtonMail pays $6k ransom, gets taken out by DDoS anyway - lisper
http://arstechnica.com/security/2015/11/crypto-e-mail-service-pays-6000-ransom-gets-taken-out-by-ddos-anyway/
======
jacquesm
NEVER EVER PAY RANSOM MONEY.

Please. Even if your business will suffer it will suffer a _lot_ more if you
do pay since now it is known you'll cave. Also: you are making the problem
larger for others.

~~~
hocuspocus
From their blog:
[https://protonmaildotcom.wordpress.com/](https://protonmaildotcom.wordpress.com/)

 _At around 2PM, the attackers began directly attacking the infrastructure of
our upstream providers and the datacenter itself. The coordinated assault on
our ISP exceeded 100Gbps and attacked not only the datacenter, but also
routers in Zurich, Frankfurt, and other locations where our ISP has nodes.
This coordinated assault on key infrastructure eventually managed to bring
down both the datacenter and the ISP, which impacted hundreds of other
companies, not just ProtonMail._

 _At this point, we were placed under a lot of pressure by third parties to
just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to
the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. This was a collective
decision taken by all impacted companies, and while we disagree with it, we
nevertheless respected it taking into the consideration the hundreds of
thousands of Swiss Francs in damages suffered by other companies caught up in
the attack against us. We hoped that by paying, we could spare the other
companies impacted by the attack against us, but the attacks continued
nevertheless. This was clearly a wrong decision so let us be clear to all
future attackers – ProtonMail will NEVER pay another ransom._

~~~
jacquesm
They put their customers in charge of the company? This gets weirder all the
time. The problem is that they asked their customers in the first place. They
should have simply communicated the fact that they would be under attack
shortly _and_ indicate that they would _never ever pay a red cent_.

That would give their customers time to batten the hatches and/or migrate off
the system for the time being while sending a clear signal that they would not
pay anyway.

This is a tough situation to be in but putting your customers in control of
the company (and in a democratic way no less) is not the solution. What about
those customers that decided (rightly imo) against paying?

Companies such as these should have an up-front item in their terms of service
indicating that they would never pay a ransom, that way they would be clear to
both their customers _and_ their potential attackers.

~~~
paxtonab
"This was a collective decision taken by all impacted companies"

I think they were put under pressure by other companies using the same ISP,
not their customers.

~~~
jacquesm
That's even weirder. They have obligations to their customers _not_ to their
neighbors in the same DC, that's the territory of whoever handles their
hosting.

~~~
perennate
The datacenter is not going to be happy if they are offline due to attacks
targeting one of their customers. The datacenter has an obligation to their
customers, and if that means cutting off ProtonMail so that other customers
stay online, then that's what the datacenter has to do. Then, ProtonMail is
under pressure to pay the ransom fee to avoid having services terminated by
the datacenter.

~~~
eric-hu
This is a risk the datacenter exposes their customers to by nature of how they
operate. It's a major selling point to me that AWS employs some more
sophisticated countermeasures to attacks like these. If their typical response
to ransom requests was "you need to consider how you're impacting our
business", I would take my business elsewhere.

~~~
CookieMon
> I would take my business elsewhere.

Great in theory, but surely nobody "elsewhere" will host you securely if
hosting you means all their other customers get hosed.

"the attack against ProtonMail can be divided into two stages. The first stage
is the volumetric attack which was targeting just our IP addresses. The second
stage is the more complex attack which targeted weak points in the
infrastructure of our ISPs. This second phase has not been observed in any
other recent attacks on Swiss companies and was technically much more
sophisticated. This means that ProtonMail is likely under attack by two
separate groups, with the second attackers exhibiting capabilities more
commonly possessed by state-sponsored actors. It also shows that the second
attackers were not afraid of causing massive collateral damage in order to get
at us."

Protonmail could just be talking this up, but if your ISP's (or AWS's) fancy
countermeasures don't deal with this, why would they keep you? And why would
any other ISP want or accept your business?

------
zzleeper
Loved the comment at the bottom:

'So basically ProtonMail said "We're incompetent and fund criminals… give us
money."'

~~~
Matheus28
There's another good one:

"ProtonMail should apply for a refund. Or at least store credit."

------
nkurz
It seems like the largest threat to the "ransom seeking industry" is for the
public to come to believe that paying the the ransom will do no good.
Sometimes, such as in cases like this, it becomes publicly known that a ransom
is sought before it is paid. An interesting aspect of a Bitcoin ransom is that
third parties can verify that a ransom was paid.

Would it be in the legitimate interest of the public as a whole for a third
party (possibly governmental) to carry through on the threat as soon as the
ransom is paid? This would be to the detriment of the victim, but reduce the
likelihood that future ransoms would be paid, and thus eventually might reduce
the number of future victims.

Might that be what's happened here?

~~~
jacquesm
That's an interesting angle, but if traced to the source that source would
still be 100% on the hook for any and all fall-out from such an attack and I
really wonder if any government entity would be willing to sign off on such a
vaccination service.

~~~
stingraycharles
It doesn't necessarily have to be a government, things like this probably
attract more vigilante "Anonymous" type of people anyway.

------
if_by_whisky
Vigilante solution: You could automatically send a ransom request any time you
see a company getting DDOS'd by an attacker. If the attacker is also asking
them for a ransom (so the company gets two ransoms), you ensure confusion and
that the attacker doesn't get paid. Otherwise, you might get paid while the
attack happens.

This way:

(1) companies that pay ransoms are ALWAYS punished and it never causes an
attack to stop

(2) no attacker ever gets paid a ransom

------
geofft
I suspect, sadly, this is why Gmail and sites like it will continue to win.
Secure email always sounds like a good thing, but it's less important in
practice than accessible email. If you have to make a choice between
confidentiality, integrity, and availability, for day-to-day email, very few
people will choose anything other than availability.

(The email deliverability problem doesn't help matters, of course.)

~~~
awqrre
An email server doesn't need to be accessible 100% of the time to guarantee
deliverability.

~~~
vabmit
ProtonMail's e-mail servers were offline for multiple days. With an outage of
that length mail will start to bounce. It depends on the local configuration,
but 3 days/72 hours is pretty standard.

~~~
awqrre
That length of down-time is unacceptable for any type of connection.... even
for residential. But at least I guess that the senders will know that the
emails bounced.

------
nickpsecurity
There are regular security solutions, then there are those meant to stop High
Strength Attackers. I warned that ProtonMail's team and infrastructure wouldn't
handle the latter. I was expecting stealth 0-days, though, given there's DDOS
mitigations available. That they went down due to DDOS was a bit of a
surprise.

"Cost estimates for these solutions are around $100,000 per year since there
are few service providers able to fight off an attack of this size and
sophistication. These solutions are expensive and take time to implement, but
they will be necessary because it is clear that online privacy has powerful
opponents."

No shit lol... Not a good sign that they're already in reactive mode. On other
end, that MyKolab hasn't gone down might mean they're already compromised or
just not targeted by this attack. I wonder what it is. They're just a GPG
carrier in a semi-neutral jurisdiction in my usage, though. ProtonMail
would've been, too, but I figured they'd be more likely to have service
issues.

~~~
vskarine
You mentioned that you warned ProtonMail's team about High Strength Attackers.
What else did you warn them about? What other security flaws do they have in
your opinion?

~~~
nickpsecurity
I warned others about them. I rarely warn projects any more because my
associates and I have done that until we were blue in the face with little
effort. My MO is to just post good stuff in forums that attract talent so they
might see and adopt it. In any case, I posted a write-up on what real security
is and what goes into it on Schneier's blog in response to a [false] comment
saying secure coding is all you need. Here's the Pastebin of it:

[http://pastebin.com/y3PufJ0V](http://pastebin.com/y3PufJ0V)

Here's a specific example where I try to make a step-by-step guide for high
assurance Tor without knowing its internals. Just drew on my prior work:

[https://www.schneier.com/blog/archives/2014/09/identifying_d...](https://www.schneier.com/blog/archives/2014/09/identifying_dre.html#c6678915)

Hope what High Assurance Security takes is more clear now. Unless you get
lucky (eg GPG), you need high assurance to resist TLA's successfully and that
might just be delaying inevitable. Still need monitoring & tamper-detection.

------
khalidmbajwa
I belong to a minority community in Pakistan that is the target of regular
state-backed oppression. In addition to violence and flagrant discrimination,
the community representatives are also targets for abductions. The community
has a rule. It never pays ransom to the kidnappers because this sets a
precedent and exposes the representatives all over the country to even more
kidnappings. This strategy, while it may seem brutal, is a necessary one, and
over the years kidnappings for ransom have gone down. Again, computer security
is different, but the principle is the same: you don't want to send out the
message 'We'll give you money to make you go away' because it just goads even
more to resort to such tactics.

~~~
eru
See eg
[http://blogs.telegraph.co.uk/news/colinfreeman/100251070/dav...](http://blogs.telegraph.co.uk/news/colinfreeman/100251070/david-cameron-wants-a-global-ban-on-ransom-payments-as-a-former-hostage-i-think-hes-wrong/)

------
Matheus28
That's really not smart. By paying it up you just incentivize them to do it
more often. Not only to yourself but to other websites.

~~~
onewaystreet
This is the first case I've seen where a digital blackmailer didn't follow
through with their promise. It's bad for business for them to renege as it
increases the chance that their next victim won't pay.

~~~
eadz
I have no idea how to verify the statements, but I found some comments on the
blockchain.info page for the bitcoin address regarding the DoS. It is
supposedly from the blackmailers:
[https://blockchain.info/address/1FxHcZzW3z9NRSUnQ9Pcp58ddYaS...](https://blockchain.info/address/1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y)

"Somebody with great power, who wants ProtonMail dead, jumped in after our
initial attack!" "We have no such power to crash data center and no reason to
attack ProtonMail any more!" "WE DO NOT HAVE THAT POWER! NOT EVEN CLOSE!" "We
are not attacking ProtonMail! Our attack was small, directed at their IP only
and lasted 15 minutes only!"

I don't believe Protonmail have said they have received any more requests for
money, so that would go along with the above. I agree that it was silly to pay
the blackmailers, but there is some reason to believe that these are two
separate attacks.

~~~
vabmit
Verified. ProtonMail received no additional requests for money. And, those are
the attackers' words. The original attackers claim they stopped. They hit many
other Swiss companies and stopped after they were paid, as well. They are
screwed now (and seem to be panicking a bit) because the size of the secondary
attack was enough to knock a portion of Swiss internet infrastructure off
line, anger some high profile businesses (including banks), anger the Swiss
Government, and cause the matter to become a high profile case for Europol.

------
rdl
The only thing worse than paying a ransom is publicly announcing you've paid a
ransom.

~~~
gozo
I guess by publicly announcing that they paid ransom that "didn't work" they
have slightly undermined the trust for ransom as a solution in cases like
this. So it might be correct from a game theory perspective, if you disregard
any decrease in trust for themselves that is.

------
mikegirouard
I'm reminded of a similar article on ransoms and FBI's strange advice to pay
up.

[https://news.ycombinator.com/item?id=10482242](https://news.ycombinator.com/item?id=10482242)

I think this is a good example of why this is bad advice.

~~~
meowface
Ransomware is a different scenario. With ransomware, if you have no backups
and absolutely need your files back, paying the ransom is the only sane
option. Of course, this can easily be prevented by taking frequent backups.

With a DDoS, there are almost no advantages to paying the ransom. Much better
to spend the money on DDoS mitigation instead, to help now and in the future.

Also, the FBI wasn't making an official statement. It was just an off-hand
remark from an agent, recommending technically ignorant people who desperately
want their files back to pay the ransom.

~~~
cm2187
In fact backups are not enough. They have to be offline backups, which raises
the bar quite a bit. Backing up to a network drive doesn't even help, and I am
not aware of any widely used "write once-only" network drive capabilities.

~~~
meowface
Backup to an external hard drive that you only leave connected during the
backup, or a cloud service (ransomware could theoretically target these but so
far has not), or do a "pull-style" backup where the machine doesn't have
write access to the backup location.
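
Added example, not code from the thread or from any backup product: a minimal pull-style snapshot backup of the kind described above, plus the check a backup host would want to run before it lets retention rotate old snapshots away. It assumes the backup host can read the client's files (here a local directory stands in for an rsync-over-SSH or SMB pull) and that the client holds no credentials for the backup repository. The document contents, the snapshot names and the ransomware "encryption" are constructed for the demo.

```python
"""Pull-style snapshot backup with a ransomware sanity check (added example)."""
import math
import os
import shutil
import tempfile
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or random data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_ratio(prev, cur: Path, entropy_threshold: float = 7.5) -> float:
    """Fraction of files in `cur` that changed since `prev` AND now look encrypted.

    Caveat: archives, images and other compressed data are high-entropy too,
    so a real deployment should exempt those by type rather than flag them.
    """
    if prev is None:
        return 0.0  # nothing to compare against on the very first pull
    files = [p for p in cur.rglob("*") if p.is_file()]
    if not files:
        return 0.0
    flagged = 0
    for p in files:
        old = prev / p.relative_to(cur)
        new_bytes = p.read_bytes()
        changed = not old.exists() or old.read_bytes() != new_bytes
        if changed and shannon_entropy(new_bytes) >= entropy_threshold:
            flagged += 1
    return flagged / len(files)


def pull_snapshot(source: Path, repo: Path, name: str, max_suspicious: float = 0.3):
    """Pull `source` into repo/<name>. Returns (snapshot_path, accepted).

    The backup host does the copying; the client never has write access to
    `repo`, so malware on the client cannot touch earlier snapshots. A pull
    whose changed files are mostly ciphertext-like is quarantined instead of
    becoming the newest snapshot, so retention never rotates away the last
    clean one.
    """
    repo.mkdir(parents=True, exist_ok=True)
    snaps = sorted(p for p in repo.iterdir()
                   if p.is_dir() and not p.name.endswith(".quarantine"))
    prev = snaps[-1] if snaps else None
    dest = repo / name
    shutil.copytree(source, dest)
    accepted = suspicious_ratio(prev, dest) <= max_suspicious
    if not accepted:
        quarantined = repo / f"{name}.quarantine"
        dest.rename(quarantined)
        dest = quarantined
    return dest, accepted


def run_demo():
    """Constructed scenario: one clean pull, then the client gets 'encrypted'."""
    with tempfile.TemporaryDirectory() as d:
        client, repo = Path(d) / "client", Path(d) / "repo"
        client.mkdir()
        for i in range(10):
            (client / f"doc{i}.txt").write_text(f"Quarterly report {i}\n" * 50)
        _, first_ok = pull_snapshot(client, repo, "2015-11-05")

        # Ransomware stand-in: every document replaced by random bytes.
        for p in client.glob("*.txt"):
            p.write_bytes(os.urandom(4096))
        _, second_ok = pull_snapshot(client, repo, "2015-11-06")

        # Earlier snapshot is untouched: the client could never write to repo.
        still_clean = (repo / "2015-11-05" / "doc0.txt").read_text().startswith("Quarterly")
        return first_ok, second_ok, still_clean


if __name__ == "__main__":
    print(run_demo())  # (True, False, True)
```

The entropy heuristic is deliberately crude; what matters for the thread's point is the direction of trust: the backup host pulls and the client cannot write, so even a fully compromised client can at most feed the backup host garbage, and the check above keeps that garbage from displacing the last good snapshot.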

------
mark_l_watson
No evidence given for it, but my first thought was to wonder if it was a
government not liking ProtonMail's encrypted email service, and taking them
down.

~~~
giancarlostoro
I mean, the day of SOPA blowing up when everyone was protesting what was
necessary to take down piracy websites they shut down megaupload and arrested
people across the world. My only question that day was: why do we need SOPA
again?

------
shocks
Runbox have also been under DDoS ransom too [1], although they appear to have
handled it well because I haven't noticed any down time.

1: [https://blog.runbox.com/2015/11/ddos-attacks-on-runbox/](https://blog.runbox.com/2015/11/ddos-attacks-on-runbox/)

------
donatj
God, why? That's utter incompetence. Never pay ransoms. This has highly
lowered my opinion of ProntoMail.

~~~
babuskov
I know you mistyped it, but ProntoMail really sounds cool.

~~~
brongondwana
All rights Reserved, Mailcentro, Inc Copyright © 2002-2013

(damn, it does sound like a cool domain)

------
snowy
Does any one know the technical details of the attack? The article simply
refers to it as 'highly advanced denial-of-service attacks'.

The fact that it knocked off their upstream providers also means it was
probably just a simple volumetric attack like an NTP or DNS reflection attack.
These are relatively easy to defend against.

I work for an ISP that gets hit with 5 or 6 of these a week, but because of
the mitigation strategies we have in place our customers don't even notice...
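
Added example, not from the thread and not ProtonMail's or any ISP's tooling: the kind of detection a hosting or ISP NOC runs over flow exports to spot the NTP/DNS reflection flood described above. The flow records, the thresholds and the field names are constructed for illustration (the field names are an assumption about what a NetFlow/IPFIX collector exports).

```python
"""Spot UDP reflection/amplification floods in flow records (added example)."""
from collections import defaultdict

# Well-known UDP source ports of services commonly abused as reflectors.
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}


def detect_reflection(flows, min_sources=20, min_mbytes=10, min_avg_pkt=300):
    """Return one alert per (victim, service) that looks like a reflection flood.

    Signature: many distinct reflectors, all answering from the same well-known
    UDP port, converging on one destination with large response packets the
    victim never asked for. Thresholds are illustrative; tune them to the link.
    """
    agg = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        a = agg[(f["dst_ip"], f["src_port"])]
        a["sources"].add(f["src_ip"])
        a["bytes"] += f["bytes"]
        a["packets"] += f["packets"]

    alerts = []
    for (victim, port), a in agg.items():
        avg_pkt = a["bytes"] / a["packets"] if a["packets"] else 0
        if (len(a["sources"]) >= min_sources
                and a["bytes"] >= min_mbytes * 1_000_000
                and avg_pkt >= min_avg_pkt):
            alerts.append({
                "victim": victim,
                "service": REFLECTOR_PORTS[port],
                "reflectors": len(a["sources"]),
                "mbytes": round(a["bytes"] / 1e6, 1),
                "avg_pkt_bytes": round(avg_pkt),
            })
    return sorted(alerts, key=lambda x: -x["mbytes"])


def sample_flows():
    """Constructed records (assumed collector fields): 50 NTP reflectors hitting
    one victim, plus ordinary NTP and DNS traffic to another host."""
    flows = []
    for i in range(50):
        # ~440-byte packets are typical of NTP monlist responses.
        flows.append({"src_ip": f"198.51.100.{i + 1}", "src_port": 123,
                      "dst_ip": "203.0.113.10", "dst_port": 40000 + i,
                      "proto": "udp", "bytes": 440_000, "packets": 1000})
    # A normal NTP sync: one server, one small packet.
    flows.append({"src_ip": "192.0.2.5", "src_port": 123, "dst_ip": "203.0.113.20",
                  "dst_port": 123, "proto": "udp", "bytes": 90, "packets": 1})
    # Normal DNS answers from a single resolver: small packets, one source.
    flows.append({"src_ip": "192.0.2.53", "src_port": 53, "dst_ip": "203.0.113.20",
                  "dst_port": 51000, "proto": "udp", "bytes": 120_000, "packets": 1000})
    return flows


if __name__ == "__main__":
    for alert in detect_reflection(sample_flows()):
        print(alert)
```

Detection on the victim's edge only tells you what is hitting you; at the volumes in the blog post (over 100 Gbps) the traffic has to be dropped upstream, by a scrubbing provider or by the ISP's own blackhole/flowspec arrangements, which is why a datacenter with no such arrangement goes down together with the tenant being targeted.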

~~~
cpncrunch
They say the attack "exceeded 100Gbps"
([https://protonmaildotcom.wordpress.com/](https://protonmaildotcom.wordpress.com/)).
I moved my server to OVH 6 months ago, and since then any DDoS attacks don't
affect me at all. OVH say they can handle up to 480Gbps of attacks, and people
are reporting that they are getting up to 90Gbps of DDoS attacks mitigated by
OVH without any problem. Their DDoS protection is completely free with any of
their dedicated servers.

I don't really understand the logic behind setting up with a Swiss datacenter
with zero (or very little) DDoS protection. It is pretty much guaranteed that
China will DDoS you if you are in any way involved in helping dissident
groups.

------
michaelbuckbee
I'm not recommending it, but it should be noted that this does sometimes work
as when Kim DotCom paid for the LizardSquad DDOS of XBox and PS4 networks to
be halted last Christmas: [https://torrentfreak.com/kim-dotcom-stops-xbox-and-playstati...](https://torrentfreak.com/kim-dotcom-stops-xbox-and-playstation-attacks-141226/)

~~~
JupiterMoon
Kim Dotcom gave a gift that could easily be revoked if the attacker had
continued attacking. Very different situation to giving cash (or bitcoin).

------
jusben1369
To pay or not to pay....the bigger story here is the implication a nation
state was involved.

~~~
jacquesm
That's purely speculative.

~~~
jusben1369
I did say implication

------
danlindley
It is possible that by paying the ransom, ProtonMail effectively financed its
own DDoS attack. That being said, I commend ProtonMail's transparency in this
situation, regardless of the seemingly negative reaction.

------
ymse
Cloudflare should have an emergency hotline for situations like this. Charge
half the ransom to handle the traffic for the duration of the attack. Offer
contract afterwards.

~~~
billmalarky
No, profiting in any way off blackmailers looks really bad...

Reminds me of when Uber had that surge pricing scandal during the Sydney
hostage crisis.

~~~
SolarNet
I think the OP meant it as a discount. (E.g. if cloudflare blocking the attack
would cost 10k (for 5 sites) for a month, offer a discount at half the ransom
(3k) for however many days the attack lasts.)

~~~
billmalarky
Still too risky from a PR standpoint. It's the kind of corporate activity that
means well (truly) but can be interpreted negatively too easily.

Unfortunately the only safe play is to give away the service for free (for
duration of the attack). Which could be a solid marketing strategy,
cloudflare's price point is reasonable enough that many would stick with their
service even after the attack was over.

------
ThinkBeat
Quite a few companies do pay ransoms; that is not unusual.

In fact, if 100% of people never paid a ransom the attacks would not be funded.

Publicly speaking about paying ransoms is very unusual.

------
keehun
It seems like a similar DDOS knocked out FastMail last night for a little
while, although they returned to service very quickly (<30 min)

------
lifeformed
I don't understand why the attackers wouldn't stop? Why would they want to
build up a reputation of not being worth paying? If they were always true to
the word, then people would mostly always pay.

~~~
jacquesm
Different shark. Once there is blood in the water there'll be more.

------
jexe
This article is great, in a way. People pay ransoms with extreme agony, but
because they are supposed to be effective. If they don't work, there goes the
only reason to pay. This is exactly the article the DDoSers don't ever want to
see written about them.

~~~
Drdrdrq
I wonder if the second attack was trying to punish them for paying, and a
warning to others?

------
blondie9x
Honestly maybe they could have hired security consultants for a comparable fee?
FireEye etc.

------
transfire
I hope they catch the culprits and put them in jail for thirty years.

~~~
cpncrunch
Good luck with putting Xi Jinping in jail :)

------
blondie9x
Wasn't able to get on site earlier at protonmail.ch

------
cft
Why couldn't they put it on Cloudflare?

~~~
vabmit
Because ProtonMail would have been required to give CloudFlare encryption keys
that would have 1) allowed CloudFlare to inject JavaScript to steal decryption
passwords and keys 2) Allowed CloudFlare to collect metadata on traffic for
individual users

CloudFlare are a bunch of great guys. And, they wouldn't do any of that
unless they were delivered a National Security Letter forcing them to.

If ProtonMail signed up with CloudFlare, like HushMail did, ProtonMail would
have no way to know if these types of code modification attacks or metadata
collections were happening.

And, as people saw with Hushmail, since CloudFlare does not do SMTP proxying
(filtering/challenging) a DDoS could still have taken ProtonMail's mail
servers offline. While CloudFlare allowed Hushmail to get its website back
online, mail to my Hushmail account is currently delayed by several hours due
to DDoS of their mail servers.

From [https://hushmailstatus.com/](https://hushmailstatus.com/) :

"We're investigating reports of incoming and outgoing email delivery delays.
We'll update this page as more information becomes available."

------
hieudang9
lol, shame for you ProtonMail and Welcome to my blacklist

------
rcurry
It is always a temptation to an armed and agile nation To call upon a
neighbour and to say: -- "We invaded you last night--we are quite prepared to
fight, Unless you pay us cash to go away."

And that is called asking for Dane-geld, And the people who ask it explain
That you've only to pay 'em the Dane-geld And then you'll get rid of the Dane!

It is always a temptation for a rich and lazy nation, To puff and look
important and to say: -- "Though we know we should defeat you, we have not the
time to meet you. We will therefore pay you cash to go away."

And that is called paying the Dane-geld; But we've proved it again and again,
That if once you have paid him the Dane-geld You never get rid of the Dane.

It is wrong to put temptation in the path of any nation, For fear they should
succumb and go astray; So when you are requested to pay up or be molested, You
will find it better policy to say: --

"We never pay any-one Dane-geld, No matter how trifling the cost; For the end
of that game is oppression and shame, And the nation that pays it is lost!"

- Rudyard Kipling

~~~
geofft
Poems by the man who romanticized the colonization of my grandparents' country
are always cool, but the logic doesn't hold up. If you're _not_ as well-armed
as the British Empire, and you very much do not have the resources to defeat
the Dane, it's nice that the end of the game is oppression and shame, but
you're going to lose well before you even get to endgame.

~~~
littletimmy
If you are talking about India, it wasn't a "country" before the British. It
was a mixture of disparate kingdoms and sultanates. Not to mention that before
the British, most of India was under Muslim colonizers i.e. the Mughals.

The Indians have always been a conquered people, it is only in the last 70
years that they have had freedom; you should thank the British for it.

~~~
akamaka
Your comment may be factual, but you could have skipped the "you should be
thankful" bit. It's quite a rude thing to say to someone you don't know.

~~~
zo1
That's not the context the OP used... It was: "you should thank", not "you
should be thankful". A very subtle difference, but in this case (to you), it's
the difference between offending and not.

~~~
akamaka
I think both wordings are rude, particularly because of the word "you". OP
doesn't know anything about his family's history. It's different from making a
general argument that talks about the benefit to the whole country.

