ProtonMail says it won’t ever again pay ransom to DDoS blackmailers

Graham Cluley
Graham Cluley
@

 @grahamcluley.com
 @[email protected]

ProtonMail says it won't ever again pay ransom to DDoS blackmailers

A couple of days ago, on the blog where it is documenting its fight against DDoS attackers, secure email service ProtonMail explained that it had paid a $6000 ransom to attackers:

At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. Attacks against infrastructure continued throughout the evening and in order to keep other customers online, our ISP was forced to stop announcing our IP range, effectively taking us offline. The attack disrupted traffic across the ISP’s entire network and got so serious that the criminals who extorted us previously even found it necessary to write us to deny responsibility for the second attack.

I must admit, I wasn’t terribly impressed.

Sign up to our free newsletter.
Security news, advice, and tips.

Now ProtonMail appears to have updated its blog post (the differences bolded by me):

At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. This was a collective decision taken by all impacted companies, and while we disagree with it, we nevertheless respected it taking into the consideration the hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom.

Good.

I’m pleased to see ProtonMail recognise it was a mistake to cave in to the DDoS blackmailers.

No-one should ever pay internet extortionists.

RunboxBy the way, another secure email service – Runbox – reports that it too has been suffering from DDoS attacks, by a group who demanded money be paid for the site to remain online.

To its credit, Runbox was adamant that no ransom would be paid:

Although DDoS attacks are something all providers of Internet services can expect to deal with at some time or other we should be clear that they are a criminal act, and demanding payment to prevent them is extortion. Runbox will never pay to prevent such attacks, and anyone who does pay helps create a market for these groups.

If you are an email provider, or a provider of any online service, never give in to extortion. Doing so will only strengthen and embolden the criminals, and the next attack might be worse.

NeomailboxIt’s a similar story from Neomailbox, who say that they have also been contacted by DDoS blackmailers:

We will absolutely NOT negotiate with criminals and are working to restore full services as soon as possible. We apologize for any inconvenience caused as a result of this attack, and thank you for your understanding and support.

Well said Runbox. Well said Neomailbox.

At the time of writing, ProtonMail’s website is inaccessible.

I believe that the coming months will see a rise in criminals attempting to extort money from businesses – either through DDoS attacks or threatening to release sensitive data that they have hacked from poorly secured systems.

Hold on tight, it’s going to be a bumpy ride…


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

2 comments on “ProtonMail says it won’t ever again pay ransom to DDoS blackmailers”

  1. Jeffrey Goldberg

    I wonder if ProtonMail will help pay the ransom of someone else similarly extorted down the road.

    (I'm pleased about their recognition of their mistake, but I am still very angry.)

  2. Vito

    I can sympathize with ProtonMail's desire to be responsive to their customers and quickly end the DDoS attack, but they blew it, and they know it. They missed an opportunity to instruct their customers (as well as their ISP, and all the other third parties who were affected by the DDoS attack), who obviously didn't already know that rewarding extortionists simply breeds more extortion.

    So, maybe—in the long run—it will prove to be a good thing that ProtonMail paid the first ransom demand. Perhaps their mistake will help to hammer the lesson home. I can think of no more compelling example to illustrate the principle that caving in to cyber-crooks doesn't work.

    Of course, that's a lesson only educable people can learn. Anyone who still thinks that paying criminals is a solution is doomed to learn the hard way that it's a success-proof response to extortion demands.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.