Cyber Incident Victim: Emsisoft GmbH

Date:

Jan 2017

Location:

United States of America

Summary

A cybersecurity firm specializing in ransomware decryption tools experienced a distributed denial-of-service (DDoS) attack targeting its public-facing services, including the decrypter hosting platform, email systems, and customer support portal. The disruption lasted approximately eight hours and coincided with the release of new decryption utilities, with threat actors subsequently impersonating a security entity to falsely claim the company's tools would harm users' systems. This retaliatory attack followed a pattern of similar incidents against security researchers who exposed criminal operations, though services were restored after mitigation efforts. The perpetrators attempted to undermine trust in the victim's remediation tools through coordinated technical and psychological tactics.

Description

On January 28, 2017, at approximately 10:00 AM CET, Emsisoft's online infrastructure came under a distributed denial-of-service (DDoS) attack targeting specific operational components. The attack focused primarily on the section of the company's portal hosting ransomware decrypters, which are tools designed to help victims recover files encrypted by ransomware without paying attackers. Secondary impacts affected Emsisoft's email infrastructure and self-help support portal, disrupting normal operations across these critical systems. The assault persisted for approximately eight hours, creating sustained service interruptions during that period. This incident occurred three days after cybersecurity firm Dr.Web experienced a similar DDoS attack on January 25, establishing a pattern of retaliatory actions against security companies interfering with cybercriminal operations. Emsisoft's technical team worked throughout the attack to mitigate its effects and restore service availability to affected systems.

The DDoS attack directly coincided with Emsisoft's release of ransomware decryption tools, suggesting retaliation by threat actors whose operations were disrupted by these countermeasures. Several hours after the attack commenced, an individual using the alias "COMODO Security" registered on Emsisoft's forum and posted false claims asserting that the company's decrypters would install ransomware or damage users' computers. This activity corroborated Emsisoft's initial assessment that the attackers were associated with the MRCR ransomware operation, whose malicious activities were directly countered by the firm's decryption tools. The eight-hour service disruption impaired user access to critical security resources during the attack window, though the company maintained core functionality through mitigation efforts. As the original reporting notes, this fits an established pattern of cybercriminals targeting security researchers and firms, including prior DDoS incidents against Kaspersky Lab and journalist Brian Krebs following their exposure of criminal operations. Emsisoft restored full service to all affected systems by the end of the attack period and reported no infrastructure compromise beyond the temporary availability issues.
