Comment by Matheus28
10 years ago
That's really not smart. By paying it up you just incentivize them to do it more often. Not only to yourself but to other websites.
This is the first case I've seen where a digital blackmailer didn't follow through with their promise. It's bad for business for them to renege as it increases the chance that their next victim won't pay.
I have no idea how to verify the statements, but I found some comments on the blockchain.info page for the bitcoin address regarding the DoS. It is supposedly from the blackmailers: https://blockchain.info/address/1FxHcZzW3z9NRSUnQ9Pcp58ddYaS...
"Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!" "We have no such power to crash data center and no reason to attack ProtonMail any more!" "WE DO NOT HAVE THAT POWER! NOT EVEN CLOSE!" "We are not attacking ProtonMail! Our attack was small, directed at their IP only and lasted 15 minutes only!"
I don't believe Protonmail have said they have received any more requests for money, so that would go along with the above. I agree that it was silly to pay the blackmailers, but there is some reason to believe that these are two separate attacks.
Verified. ProtonMail received no additional requests for money. And, those are the attackers' words. The original attackers claim they stopped. They hit many other Swiss companies and stopped after they were paid, as well. They are screwed now (and seem to be panicking a bit) because the size of the secondary attack was enough to knock a portion of Swiss internet infrastructure off line, anger some high profile businesses (including banks), anger the Swiss Government, and cause the matter to become a high profile case for Europol.
The original DDoSers actually did honor the ransom and stop their attack. However, another group started hitting them after the ransom was paid. Probably because they just advertised themselves as people who will reward DDoS attacks.
Of course. That's what any clever criminal would do; if they pay up once, chances are they'll pay up again. My ISP was hit like this a few months ago and sent out an email outlining the situation to their customers before the second wave began, to give us a heads up, and very clearly stated they had absolutely no intention of paying, whatever would happen. That's the only acceptable stance, and I as their customer fully supported them in this decision and would have left if they had decided otherwise.
Props to cloudflare for standing by to help out in that particular instance, absolutely fantastic.
The article states that it was most likely two different attackers, due to the different methods used and the blackmailer denying responsibility for the continued (unsophisticated) attack.
I'm not sure what to think, but I can easily understand why they did pay. It's easy for others to say what would be best for the industry, but when you are the one suffering and your ISP is angry at you, and you can pay a small sum to (possibly) make the problem go away, your opinion will change.
From what it seems, there were two DDoSers. The ones they paid did stop DDoSing, but the other one is unknown and is still doing it. The first one did contact them and tell them that they had already stopped DDoSing.
I think the most likely scenario is actually that the blackmailers are outsourcing the DDoSing, so there was a communication delay and/or there is some latency/delay when issuing commands to the botnet.
But if it buys you time to upgrade your infrastructure it could be worth it.
It's never worth it. For $6k you can get actual protection for some time before you upgrade your infrastructure.
For a site the size of ProtonMail, $6K is the cost for protection for a single month. Most of the companies that offer this kind of protection require you to sign a one to three year contract.
There are two kinds of protection: basic HTTP/HTTPS and DNS only (done with DNS and CDN-like servers co-located at peering points), and traffic filtering that is done through BGP with a GRE tunnel. While you can get basic HTTP/HTTPS and DNS from CloudFlare for $200/month on a business account, what ProtonMail needed was BGP/GRE, which at its lowest price is a multiple and an order of magnitude more expensive.
Isn't Cloudflare around $2,000 a month with no data caps for the high-end package, with $50 a month for the low end? I know reasons why some people avoid them, but I figure there's a similar service in Switzerland that just costs a bit more. That might be what they're referring to for $100,000. I'm curious.
Paying ransom is never worth the long-term costs. Once you've proven to the criminal that you're someone who will pay, they usually try again in the future because you're an easy mark.
Not only that, there is a power imbalance that shouldn't be ignored: the criminal has more experience in these kinds of confrontations than you do. Sam Harris has a very good article on this topic[1]; while he is discussing violent interactions on a personal level (e.g. mugging), the principles apply to many situations. The short version is that the criminal is trying to draw you onto their turf and to play by their rules. Almost always you will only make your situation worse when you let the criminal set the rules.
[1] http://www.samharris.org/blog/item/the-truth-about-violence
> Paying ransom is never worth the long-term costs.
I am amazed about how many people are making this claim confidently in this thread. It's clearly wrong. Very, very often it's definitely worth the cost, because very often you will never see the same criminal again. Consider:
"Don't pay ransoms, because (1) you'll get extorted again once the criminal knows you're an easy mark and (2) if everyone always refuses to pay, criminals will have no incentives to try and extort."
versus
"Don't pay muggers, because (1) you'll get mugged again once the mugger knows you're an easy mark and (2) if everyone always refuses to pay muggers, muggers will have no incentive to mug."
Yes there are cases, like if you're the government, where you are very long-lived and your reputation is reliable such that having a stated, followed policy of not being extorted works. But for individuals, it's just not feasible most of the time. You probably won't see that mugger/extorter ever again, and it's very unlikely that most victims will refuse.
No, it's not worth it.