A couple of days ago, secure email service ProtonMail explained, on the blog where it is documenting its fight against DDoS attackers, that it had paid a $6000 ransom to the attackers:
At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. Attacks against infrastructure continued throughout the evening and in order to keep other customers online, our ISP was forced to stop announcing our IP range, effectively taking us offline. The attack disrupted traffic across the ISP’s entire network and got so serious that the criminals who extorted us previously even found it necessary to write us to deny responsibility for the second attack.
I must admit, I wasn’t terribly impressed.
Now ProtonMail appears to have updated its blog post (the differences bolded by me):
At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. This was a collective decision taken by all impacted companies, and while we disagree with it, we nevertheless respected it taking into the consideration the hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom.
Good.
I’m pleased to see ProtonMail recognise it was a mistake to cave in to the DDoS blackmailers.
No-one should ever pay internet extortionists.
By the way, another secure email service – Runbox – reports that it too has been suffering from DDoS attacks, by a group who demanded money be paid for the site to remain online.
To its credit, Runbox was adamant that no ransom would be paid:
Although DDoS attacks are something all providers of Internet services can expect to deal with at some time or other we should be clear that they are a criminal act, and demanding payment to prevent them is extortion. Runbox will never pay to prevent such attacks, and anyone who does pay helps create a market for these groups.
…
If you are an email provider, or a provider of any online service, never give in to extortion. Doing so will only strengthen and embolden the criminals, and the next attack might be worse.
It’s a similar story from Neomailbox, who say that they have also been contacted by DDoS blackmailers:
We will absolutely NOT negotiate with criminals and are working to restore full services as soon as possible. We apologize for any inconvenience caused as a result of this attack, and thank you for your understanding and support.
Well said, Runbox. Well said, Neomailbox.
At the time of writing, ProtonMail’s website is inaccessible.
I believe that the coming months will see a rise in criminals attempting to extort money from businesses – either through DDoS attacks or threatening to release sensitive data that they have hacked from poorly secured systems.
Hold on tight, it’s going to be a bumpy ride…
I wonder if ProtonMail will help pay the ransom of someone else similarly extorted down the road.
(I'm pleased about their recognition of their mistake, but I am still very angry.)
I can sympathize with ProtonMail's desire to be responsive to their customers and quickly end the DDoS attack, but they blew it, and they know it. They missed an opportunity to instruct their customers (as well as their ISP, and all the other third parties who were affected by the DDoS attack), who obviously didn't already know that rewarding extortionists simply breeds more extortion.
So, maybe—in the long run—it will prove to be a good thing that ProtonMail paid the first ransom demand. Perhaps their mistake will help to hammer the lesson home. I can think of no more compelling example to illustrate the principle that caving in to cyber-crooks doesn't work.
Of course, that's a lesson only educable people can learn. Anyone who still thinks that paying criminals is a solution is doomed to learn the hard way that it's a success-proof response to extortion demands.