Ransom attacks likely to fade as small email providers resist

Small email providers are a softer target for cybercriminals

The spate of cyberattacks against email providers is likely to pass with time as they refuse to pay ransoms. But that doesn't mean the attacks haven't cost them.

Since early this month, the list of companies that have been attacked has grown longer: first ProtonMail of Switzerland, followed by HushMail, RunBox, VFEmail, Zoho and FastMail of Australia.

The companies have typically received extortion requests by email asking for 10 or 20 bitcoins in exchange for not being subjected to distributed denial-of-service (DDoS) attacks.

DDoS attacks involve sending a large amount of data traffic to a company's network, causing the service to choke and go offline.

Email is a tough business these days. Smaller providers face competition from mega-companies such as Google, Microsoft and Yahoo, so profit margins from offering premium services can be thin.

That's in part why service disruptions can be harmful. Email services also face more challenges in defending their systems, said Rob Mueller, a director at FastMail in Melbourne.

DDoS attacks over the Web using the HTTP (Hypertext Transfer Protocol) can filtered out using proxy services. The attack traffic flows to a third party, such as a DDoS mitigation service, before it goes to the service provider.

But that technique can't be used for email protocols such as SMTP, IMAP and POP, which can't be proxied in the same way as HTTP web traffic, Mueller said.

There's another solution. An email company needs to have access to 256 IP addresses, known as a class C IP block. The block of addresses can then be used to spread out the attack to that ISP's various points of presence.

The bad traffic can then be scrubbed out, and the good traffic is sent using the GRE (Generic Routing Encapsulation) protocol to the email provider, Mueller said.

But that fix isn't cheap and can cost up to US$10,000 a month. It's what makes email providers "the perfect target for a shakedown," Mueller said in a phone interview. 

By making the ransom less than $10,000, the attackers are sort of hoping that paying a ransom will be a cheaper, albeit short term, option.

It worked one time with ProtonMail. Faced with an escalating attack that affected its ISP and other companies, it paid a ransom. Later, it acknowledged that paying was the wrong move.

FastMail was asked to pay a ransom of 20 bitcoins -- about $6,800 -- before the attacks began around Sunday, Mueller said.

"Just out of principle, we would never pay," he said.

FastMail's ISP, NYI, already had capabilities in place through partners to mitigate the attacks, and it only experienced a mild disruption, Mueller said. FastMail blogged about its experience earlier this week.

Eventually, Mueller thinks those behind the attacks and copycat ones will just move on, as defenses are strengthened and companies refuse to pay.

"The main people making the money will be the DDoS defense providers," he said. "All the attempts to extort money will fail. Most people won't pay."

Join the CSO newsletter!

Error: Please check your email address.

More about GoogleMicrosoftSwitzerlandYahooZoho

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts