When confronted by a cyber-extortionist, do you pay the ransom or do you stand firm and not negotiate? It's both an ethical and a procedural dilemma.
By paying the ransom, in some respects, the victim is enabling and perhaps encouraging the extortionist to commit future acts since after all, if it worked once, it might well work again. In giving extortionists what they want, the general idea is that the victim will get back what they want and it could well be the quickest route to resolving a ransom situation.
But what if the victims pay the ransom, but still don't get what they want back?
That's what happened this week with Switzerland-based email service ProtonMail, which was hit by a distributed denial-of-service (DDoS) attack starting on Nov. 3. The attack was preceded by a blackmail email that warned of the attack. According to ProtonMail, the email came from criminals allegedly tied to multiple DDoS attacks across Switzerland.
The initial attack against ProtonMail took the site offline for 15 minutes, while the second attack, which started on Nov. 4, was more intense and sophisticated.
"The coordinated assault on our ISP exceeded 100G bps and attacked not only the data center, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes," ProtonMail wrote in a blog post. "This coordinated assault on key infrastructure eventually managed to bring down both the data center and the ISP, which impacted hundreds of other companies, not just ProtonMail."
At 3:30 Geneva time on Nov. 4, ProtonMail decided that enough was enough, it was suffering and so were others on its service provider. As such, ProtonMail paid the ransom (approximately $6,000) in Bitcoin.
"We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless," ProtonMail wrote. "This was clearly a wrong decision, so let us be clear to all future attackers—ProtonMail will NEVER pay another ransom."
So to recap, ProtonMail was extorted to pay a ransom to stop a DDoS attack; they paid and then they continued to be attacked.
I understand the imperative and the pressure that an organization would be under just to settle a situation and move on. It makes some sense from a straight line business perspective to just be done with the threat and move on, rather than continuing to be offline.
Then again, paying a digital ransom is only ever truly a short-term solution, isn't it? Even if the ProtonMail attackers had stopped the attack, what would have stopped them from doing it again a week, a month or a year later?
The best course of action is to have multiple layers of defense to mitigate the risk of DDoS in the first place. There are multiple providers—including VeriSign, Akamai and CloudFlare—that offer commercial DDoS protection services that can scale up to the largest attacks ever seen on the Internet. Having highly available back-ups also is crucial in cases where some form of ransomware encrypts data.
Hindsight, of course, is always 20/20, so it's easy to say what should have been done at this point. What's harder is to be prepared.
So let's hope that ProtonMail's story is a cautionary tale and inspires others to invest in DDoS protection and highly available backups, rather than paying protection fees to attackers.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.