In November 2015, ProtonMail, a Switzerland-based encrypted email service, faced a significant cyberattack that tested its resilience and policies. The incident began with a Distributed Denial of Service (DDoS) attack that overwhelmed ProtonMail's servers, rendering the service inaccessible to its users.
The Initial Attack and Ransom Demand
On November 3, 2015, ProtonMail received a ransom demand from a group identifying themselves as the Armada Collective. They threatened to continue the DDoS attack unless a payment of 15 Bitcoins (approximately $6,000 at the time) was made. The attack not only affected ProtonMail but also disrupted services for other companies sharing the same data center and internet service providers. Under pressure from these third parties to restore services, ProtonMail decided to pay the ransom in hopes of halting the attack.
Continued Attacks and Escalation
Despite the payment, the DDoS attacks persisted and escalated in sophistication. Both ProtonMail's own infrastructure and its upstream providers were targeted, leading to widespread service disruptions; an attack aimed at the upstream network cannot be absorbed at the target's own servers, which put the mitigation burden on parties ProtonMail did not control. The company noted that the second wave of attacks exhibited capabilities more commonly associated with state-sponsored actors, suggesting that multiple groups might have been involved.
Response and Future Measures
In the aftermath, ProtonMail publicly acknowledged that paying the ransom was a mistake, stating that it would not succumb to such demands in the future. The company collaborated with the Swiss Governmental Computer Emergency Response Team (GovCERT), the Cybercrime Coordination Unit Switzerland (CYCO), and Europol to investigate the attacks. To bolster its defenses, ProtonMail initiated a defense fund to implement advanced DDoS protection measures, estimating the cost at around $100,000 per year.
Lessons Learned
The ProtonMail incident underscores the challenges organizations face when dealing with cyber extortion. Paying the ransom bought no relief: the attacks continued, and the second wave may not even have come from the group that was paid. It also shows how an attack on shared infrastructure turns neighbouring tenants and upstream providers into a source of pressure to settle quickly. The case serves as a cautionary tale for other entities, emphasizing the need for DDoS mitigation capacity arranged in advance and a settled policy on extortion demands, rather than decisions made under pressure during an outage.