Cyber Incident Victim: Kolab Now
Date: Oct 2021
Location: Switzerland
Summary
A coordinated DDoS extortion campaign targeted multiple privacy-focused email providers, including Kolab Now, causing prolonged outages with attacks peaking at up to 256Gbps. The threat actor, identifying as "Cursed Patriarch," demanded 0.06 BTC (~$4,000) ransom payments under threats of continued network disruption, though several providers publicly refused to comply. The attacks were distinct from unrelated DDoS incidents affecting other sectors, and the perpetrators later referenced media coverage of their campaign in follow-up communications.
Description
The DDoS attacks targeting Kolab Now occurred between October 21 and October 25, 2021, as part of a coordinated extortion campaign against eight privacy-focused email providers. The threat actor, identifying as the Cursed Patriarch, launched volumetric attacks that disrupted services before sending ransom demands of 0.06 Bitcoin (approximately $4,000) to each victim. Kolab Now, alongside Runbox, Posteo, Fastmail, TheXYZ, Guerilla Mail, Mailfence, and RiseUp, experienced prolonged outages during this four-day period. Attackers established a three-day payment deadline with explicit threats to escalate network disruptions for non-compliance. TheXYZ reported attack peaks reaching 256Gbps, while Runbox observed 50Gbps traffic floods. Posteo publicly confirmed receiving identical extortion emails on October 22 but refused payment, a stance later mirrored by Runbox and TheXYZ in subsequent blog posts.

The sustained attacks caused operational disruptions across multiple providers, though specific downtime durations for Kolab Now were not disclosed. Following media exposure of their campaign, the threat actors modified subsequent communications to include links to The Record's coverage. Forensic analysis showed that this campaign was distinct from contemporaneous DDoS incidents against UK VoIP provider Voipfone and gaming infrastructure firm Sparked, which involved separate threat actors. While the Meris botnet was active in other DDoS extortion campaigns during this period, targeting ISPs and financial institutions in Russia, the UK, the US, and New Zealand, investigators confirmed no technical connection to the email provider attacks. The Cursed Patriarch's campaign demonstrated the continued viability of DDoS-based extortion despite the broader industry focus on ransomware threats.
