• by Jess Nelson , November 6, 2015

ProtonMail, a Swiss encrypted email provider held hostage by hackers, has paid its attacker's ransom request, but Distributed Denial of Service Attacks (DDoS) attacks continue. 

The company was taken offline for nearly 24 hours after the first DDoS attack on Nov. 3, 2015. ProtonMail released a statement at the time claiming the attacks were orchestrated by the Armada Collective, but less certain now, and evidence could point to a politically motivated attack.

The Armada Collective, a hacker group, has allegedly been launching DDoS attacks against Swiss Web sites to interrupt services. They then demand a ransom to be paid in bitcoin, a digital currency.

The Swiss Governmental Computer Response Team state that they and the Cybercrime Coordination Unit Switzerland “did receive several reports from hosting Providers in Switzerland recently that they are being blackmailed by a hacker group that calls themselves Armada Collective.”

ProtonMail says it agreed to pay the ransom of 15 bitcoins, or just under $6,000, on Nov. 3.  After payment was made, the ransom attacks came again on Nov. 4, Nov. 5, and again Friday morning. The service still remains offline.

“The attack we faced is the largest one ever in Switzerland and took down both the ISP and the datacenter, impacting hundreds of companies and causing hundreds of thousands of dollars of damage,"says Andy Yen, CEO and cofounder of ProtonMail. "At the height of the attack, even the ability of the ISP and datacenter to remain in business was being called into doubt. At this stage, all the impacted companies forced us to pay because the collateral damage was too high. I don't agree with the decision, but since it impacted many parties, it was a group decision, and we respected the final decision."

The hackers are likely “not the Armada Collective anymore,” Yen says. “They have publicly denied responsibility for the second attack. Based on the size and sophistication of the second attack, this is a highly organized and well-funded group. Typically you only find these capabilities with state backed groups.”

Yen says the additional attacks do not fit the Armada Collective profile. “Many Swiss companies in the past several weeks have in fact paid the ransom and most were untouched afterwards,” he says, suggesting that a politically motivated attack is a “real possibility. ProtonMail has numerous dissident groups as active users, and by taking ProtonMail offline, you also take away the ability for these groups to communicate.”

ProtonMail was originally founded to create a more secure email server in response to Edward Snowden’s revelations about NSA surveillance in 2013.

“It is hard to say at the moment [when the service will be back online, as] the attackers are very tenacious and defending against an attack of this magnitude cannot be done overnight. We hope to have a permanent solution in the coming days,” Yen says.

ProtonMail has now started a GoFundMe page to raise money for the ProtonMail Defense Fund. The company states that the money will be used to implement and “utilize top-of-the-line solutions typically used by larger companies such as Twitter, Facebook, etc.”

At the time of publication the company had raised $25,000 from 800 donors. They are hoping to raise $50,000.