Ransom attacks likely to fade as small email providers resist

12.11.2015
The spate of cyberattacks against email providers is likely to pass with time as they refuse to pay ransoms. But that doesn't mean the attacks haven't cost them.

Since early this month, the list of companies that have been attacked has grown longer: first ProtonMail of Switzerland, followed by HushMail, RunBox, VFEmail, Zoho and FastMail of Australia.

The companies have typically received extortion requests by email asking for 10 or 20 bitcoins in exchange for not being subjected to distributed denial-of-service (DDoS) attacks.

DDoS attacks involve sending a large amount of data traffic to a company's network, causing the service to choke and go offline.

Email is a tough business these days. Smaller providers face competition from mega-companies such as Google, Microsoft and Yahoo, so profit margins from offering premium services can be thin.

That's in part why service disruptions can be harmful. Email services also face more challenges in defending their systems, said Rob Mueller, a director at FastMail in Melbourne.

DDoS attacks over the Web using the HTTP (Hypertext Transfer Protocol) can filtered out using proxy services. The attack traffic flows to a third party, such as a DDoS mitigation service, before it goes to the service provider.

But that technique can't be used for email protocols such as SMTP, IMAP and POP, which can't be proxied in the same way as HTTP web traffic, Mueller said.

There's another solution. An email company needs to have access to 256 IP addresses, known as a class C IP block. The block of addresses can then be used to spread out the attack to that ISP's various points of presence.

The bad traffic can then be scrubbed out, and the good traffic is sent using the GRE (Generic Routing Encapsulation) protocol to the email provider, Mueller said.

But that fix isn't cheap and can cost up to US$10,000 a month. It's what makes email providers "the perfect target for a shakedown," Mueller said in a phone interview. 

By making the ransom less than $10,000, the attackers are sort of hoping that paying a ransom will be a cheaper, albeit short term, option.

It worked one time with ProtonMail. Faced with an escalating attack that affected its ISP and other companies, it paid a ransom. Later, it acknowledged that paying was the wrong move.

FastMail was asked to pay a ransom of 20 bitcoins -- about $6,800 -- before the attacks began around Sunday, Mueller said.

"Just out of principle, we would never pay," he said.

FastMail's ISP, NYI, already had capabilities in place through partners to mitigate the attacks, and it only experienced a mild disruption, Mueller said. FastMail blogged about its experience earlier this week.

Eventually, Mueller thinks those behind the attacks and copycat ones will just move on, as defenses are strengthened and companies refuse to pay.

"The main people making the money will be the DDoS defense providers," he said. "All the attempts to extort money will fail. Most people won't pay."

Jeremy Kirk

Zur Startseite