Encrypted email service ProtonMail is back online today following a crippling six-day attack that saw the company’s ISPs and data centers under siege.
Operators behind the service said the site may not always be reachable, as its servers are still under heavy strain and mitigating attack, and that it’s looking for donations to prevent its infrastructure from going offline again.
According to ProtonMail, the attack began almost a week ago, on Nov. 3, after it received a blackmail email from a band of cybercriminals. The group, the Armada Collective, gained notoriety earlier this fall after it hit several high profile targets, mostly based in Switzerland, with DDoS attacks. While the group carries out a quick attack, it also attempts to extort money from the targets, usually via Bitcoin, with an email “Ransom request: DDOS ATTACK!”
While the first attack online only took Protonmail offline for 15 minutes, each subsequent attack — one the next morning, and one the following afternoon – intensified.
“Around 2 p.m., the attackers began directly attacking the infrastructure of our upstream providers and the data center itself,” ProtonMail wrote in a statement summing up the attacks so far, last Thursday.
The attack on ProtonMail’s ISP peaked at 100 Gbps and eventually brought it down, along with hundreds of other companies that also used it, and a company data center.
> We are again under extremely heavy attack, site may not always be reachable as defenses are under strain. We are fighting back. > > — ProtonMail (@ProtonMail) November 9, 2015
Perhaps the most interesting aspect of the attack is that ProtonMail agreed to pay a Bitcoin ransom to help alleviate the stress on its ISP. The service claims it was mostly due to pressure from third parties in Zurich and Frankfurt that were also being affected by the attack and losing ‘hundreds of thousands of Swiss Francs in damages.’
Some of the other blackmail schemes carried out by the collective demanded between 10 BTC and 20 BTC, or $3767 and $7535 US.
While ProtonMail didn’t state how much they paid the attackers, they did acknowledge that it was the wrong thing to do, as the attacks continued regardless.
> One of our engineers has just left Geneva, Switzerland to bring critical hardware to our datacenter to stop the attack against us. (1/2) > > — ProtonMail (@ProtonMail) November 7, 2015
> It is a perilous 4 hour night drive into the mountains. With him go the hopes and best wishes of many. (2/2) > > — ProtonMail (@ProtonMail) November 7, 2015
Officials from ProtonMail claim they’ve been working with GovCERT, the Swiss Governmental Computer Emergency Response Team, and CYCO, the Cybercrime Coordination Unit of Switzerland in the wake of the attack. After conferring with another group, MELANI, the information assurance division of the Swiss government, ProtonMail notes that there were really two attacks, one on its IP addresses, and another, separate group of attackers targeting specific weaknesses in its infrastructure.
> At 3AM today, after 3 days of hard work, we beat the attackers who tried to deny us our human right to privacy. We thank all who helped us. > > — ProtonMail (@ProtonMail) November 8, 2015
It’s unclear whether the two entities were working together – ProtonMail declined to give too much information about the groups – but it does note that the second group “exhibited capabilities more commonly possessed by state-sponsored actors.”
The service claims its in the middle of implementing a “comprehensive long term solution” to thwart future attacks, but is looking to better fortify its infrastructure in the meantime through a crowdsourced Defense Fund.
“We are confident that with your support, we can overcome this attack and come back stronger than ever, and continue to provide a place where online privacy is protected.”