ProtonMail, an open-sourced encrypted mail service founded by MIT and Stanford engineers at the CERN research facility, has suffered a series of extremely powerful DDoS attacks from unknown hackers, which took ProtonMail offline for almost 24 hours.
Over the past three days, the ProtonMail team has been working with the Swiss Governmental Computer Emergency Response Team (GovCERT) and the Cybercrime Coordination Unit Switzerland (CYCO) in a criminal investigation to analyze the cyberattack and the blackmail messages sent after the first DDoS attack on November 3.
“Slightly before midnight on November 3rd, 2015, we received a blackmail email from a group of criminals who have been responsible for a string of DDOS attacks, which have happened across Switzerland in the past few weeks,” the ProtonMail team stated.
At midnight, ProtonMail servers were compromised and taken down for approximately 15 minutes. The attack stopped for a few hours, allowing the ProtonMail data center and upstream provider to mitigate the attack and improve their DDoS protection. However, at around 11 AM the next morning, the service was hit by cyberattacks on “an unprecedented level of sophistication,” leaving no choice for the team but to pay the ransom.
According to the GovCERT report, several tech firms including ProtonMail were extorted for a 20 BTC ransom to be paid to the same bitcoin address.
A section of the blackmail read:
“Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help. Prevent it all with just 20 BTC.”
Due to the increasing number of complaints from its users, ProtonMail paid the ransom and asked the hackers to stop the DDoS attacks immediately. The attacks continued nonetheless, forcing ProtonMail’s ISP to terminate their IP range, taking the platform offline.
“The attack disrupted traffic across the ISP’s entire network and got so serious that the criminals who extorted us previously even found it necessary to write us to deny responsibility for the second attack,” wrote the ProtonMail team.
In response, the team decided to implement a sophisticated long-term DDoS protection service to fight off attacks of this size and sophistication. According to ProtonMail, such a service costs around US$100,000 annually, a large sum of money for a two-year-old startup.
Today, ProtonMail launched its own Defense Fund to finance the implementation of the DDoS protection solution.
“Over the years we have faced pressure from laws, government agencies, and others. Now for the first time, DDOS attacks are being employed to stop us from protecting privacy. This fight will not be easy, but it is one that we must win,” said ProtonMail co-founder Andy Yen.