The Australian email provider FastMail was hit with a distributed denial-of-service (DDoS) attack on Sunday, Nov. 8, accompanied by an extortion note that the attacks would continue unless they paid a $7,500 ransom. The company said in a blog post Nov. 11 that it would refuse to be extorted, and to expect disruptions in service as the attacks continue.
“We do not respond to extortion attempts, and we will not pay these criminals under any circumstances,” FastMail wrote. “
We have dealt with DDoS attacks before, and have recently been strengthening our defenses to deal with such issues.”
A string of email services have suffered from DDoS attacks and blackmail attempts in the past week, including Runbox, Zoho, Hushmail, and the earliest victim, the Swiss-based ProtonMail. Some of the attacks are believed to originate from a hacker group called the Armada Collective.
An advisory from the Swiss Governmental Computer Emergency Response Team on Oct. 22 said that the group targets its victims with a demo DDoS attack from 300Mbit/s up to 15GBit/s for half an hour, then sends a ransom note for 10 bitcoins laced with the threat of larger attacks.
On Nov. 4, a day after the first attack, ProtonMail paid a ransom of 15 bitcoins, around $6,000 at the time, to the Armada Collective. The attacks paused, then continued on a larger scale, with data-centers forced to go offline. The Armada Collective denied responsibility for the second attack, and ProtonMail said that the magnitude of the attack suggested that “state-sponsored actors” were involved.
“Given the sophistication of the attack used by the second group, we believe they may have been preparing their attack against us for some time,” ProtonMail said in a blog post. “After seeing the first attack, they chose to strike immediately afterward in the hopes that they would not be discovered as being a separate attacker.”
ProtonMail said that the cost of defensive solutions against the second attack could be upward of $100,000 and that it will later publish a detailed report on the attacks.
DDoS attacks are coordinated efforts to take down websites with floods of traffic from a botnet, a swarm of computers that have been hijacked and are used without the knowledge of its owner.
Though crude, DDoS attacks remain an effective tool in the hacker’s arsenal, with the problem often exacerbated by manufacturers that unintentionally leave a backdoor for hackers.
Last week, Austrian security firm SEC Consult published data that suggested that 600,000 Internet routers made their customers easy pickings for hackers by having remote administration access switched on by default.
ProtonMail is the only victim of the recent bout of attacks to disclose it paid ransom to the attackers. In addition to FastMail, Zoho has also declared that it was targeted for extortion, but the company hasn’t commented on whether it would pay or not.