Got Mail? Secure Email Services under Attack around the World

It’s been a busy few days here at Radware.

Our Emergency Response Team (ERT) has been closely monitoring a series of DDoS-for-Ransom attack campaigns that have targeted email service providers.  These attacks are unique for several reasons, besides their strength and complexity. They came from multiple sources including a new group, The Armada Collective, and the attackers sent their targets threatening emails demanding ransom or else a prolonged attack would be launched.

Companies like ProtonMail, Neomailbox, VFEmail, Hushmail, Fastmail, Zoho, and Runbox, known for secure and private email hosting, have recently all seen Denial-of-Service (DoS) attacks launched against their networks.  There could be a number of reasons why their email services have been attacked – the combination of a large user base coupled with the fear of losing users if their service was knocked out for a prolonged period is a good place to start.

ProtonMail, a web-based encrypted email service, was hit the hardest with a series of Advanced Persistent DoS (APDoS) attacks.  These attacks exceeded 100Gbps, assaulted numerous attack vectors, and resulted in ProtonMail  losing availability for a number of days.  In short, the set of sophisticated and high-volume attacks took them offline.  After retaining Radware’s services, we were able to successfully mitigate the attacks and return availability back to their user base.

“In order to mitigate the DDoS attack against us, we partnered with Radware, one of the world’s premier DDoS protection companies. In Radware, we found a solution that was capable of protecting ProtonMail without compromising email privacy. Given the magnitude of the attack we faced, we knew that we would have to work with the best, and Radware’s BGP redirection solution fit our requirements. During our hour of need, there were many companies who attempted to charge us exorbitant amounts, but Radware offered their services at a very reasonable price in order to get us online as soon as possible. With Radware DefensePipe, we were finally able to mitigate the attack on ProtonMail.” 

– Andy Yen, CEO of ProtonMail

In a strange turn of events, Runbox saw their ransom demand reneged by the attackers, as they noted today:

“The initial threats and attacks that attempted to extort money were withdrawn by the attackers on Saturday morning, when they offered an apology.”

Extortion group like DD4BC and The Armada Collective can present serious issues for your network.  SMTP attacks are on the rise. It’s suggested that email service providers take these threats seriously and deal with them in the proper way. Also other services like SIP, FTP and other layer 7 protocols should consider reviewing their network to insure they are prepared for such an attack.  You can expect these campaigns to continue and other groups to appear with the same mode of operation.

Check out our ERT Alert to learn more about these attacks and how you can stay protected.  You can also read more about our story to protect ProtonMail in our press release.

Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center