It’s been a busy few days here at Radware.
Our Emergency Response Team (ERT) has been closely monitoring a series of DDoS-for-ransom attack campaigns targeting email service providers. Beyond their strength and complexity, these attacks are unusual for several reasons: they came from multiple sources, including a new group, The Armada Collective, and the attackers sent their targets threatening emails demanding a ransom, failing which a prolonged attack would be launched.
Companies like ProtonMail, Neomailbox, VFEmail, Hushmail, Fastmail, Zoho, and Runbox, known for secure and private email hosting, have all recently seen Denial-of-Service (DoS) attacks launched against their networks. There could be a number of reasons why email services in particular have been targeted; the combination of a large user base and the fear of losing those users if the service is knocked out for a prolonged period is a good place to start.
ProtonMail, a web-based encrypted email service, was hit the hardest, with a series of Advanced Persistent DoS (APDoS) attacks. These attacks exceeded 100Gbps, used numerous attack vectors, and caused ProtonMail to lose availability for a number of days. In short, the set of sophisticated, high-volume attacks took them offline. After ProtonMail retained Radware’s services, we were able to successfully mitigate the attacks and restore availability to their user base.
“In order to mitigate the DDoS attack against us, we partnered with Radware, one of the world’s premier DDoS protection companies. In Radware, we found a solution that was capable of protecting ProtonMail without compromising email privacy. Given the magnitude of the attack we faced, we knew that we would have to work with the best, and Radware’s BGP redirection solution fit our requirements. During our hour of need, there were many companies who attempted to charge us exorbitant amounts, but Radware offered their services at a very reasonable price in order to get us online as soon as possible. With Radware DefensePipe, we were finally able to mitigate the attack on ProtonMail.”
– Andy Yen, CEO of ProtonMail
In a strange turn of events, Runbox saw the attackers withdraw their ransom demand, as Runbox noted today:
“The initial threats and attacks that attempted to extort money were withdrawn by the attackers on Saturday morning, when they offered an apology.”
Extortion groups like DD4BC and The Armada Collective can present serious issues for your network. SMTP attacks are on the rise, and email service providers should take these threats seriously and deal with them in the proper way. Operators of other services, such as SIP, FTP and other layer 7 protocols, should also review their networks to ensure they are prepared for such an attack. You can expect these campaigns to continue and other groups to appear with the same mode of operation.