Cyber Incident Victim: Runbox
Date:
Nov 2015
Location:
Norway
Summary
The email provider Runbox experienced distributed denial-of-service (DDoS) attacks involving extortion demands, with attackers threatening escalated incidents unless payment was made. Initial attacks caused approximately 15 minutes of downtime before mitigation measures were implemented, while subsequent attempts were successfully blocked without noticeable customer impact. The attacks aimed to overwhelm systems and disrupt website access, email connectivity, and message delivery. Similar incidents affected other email services and financial institutions, highlighting broader criminal patterns. The organization collaborated with Norwegian law enforcement and cybersecurity authorities to counteract the threats and publicly refused ransom payments to avoid incentivizing further criminal activity. Service status updates were communicated through official channels during disruptions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 4 and 5, 2015, Runbox experienced Distributed Denial of Service (DDoS) attacks orchestrated by a group demanding a large ransom payment to prevent further assaults. The initial attack caused approximately 15 minutes of service disruption before mitigation measures were implemented. The second attack, occurring the following day, was successfully neutralized without noticeable impact to customers. These incidents involved flooding Runbox’s systems with excessive traffic from multiple computers, overwhelming bandwidth and resources to block legitimate user access. The attackers explicitly threatened escalated attacks in subsequent days if their financial demands remained unmet. Runbox characterized these events as part of a broader pattern of criminal extortion targeting internet services, citing similar attacks against ProtonMail, VFEmail, and unspecified banks during the same period.
Runbox immediately reported the incidents to The Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime and collaborated with the Norwegian Computer Emergency Response Team (NorCERT) and other partners to mitigate future attacks. The company publicly refused to pay the ransom, emphasizing that compliance would incentivize criminal activity and worsen subsequent threats. During any future attacks, customers were advised to expect potential website and email access issues, including delays in email delivery. Runbox committed to providing updates via its Support Center, Twitter account, and status page during service disruptions. No data breaches or system compromises beyond temporary service degradation were reported. The company framed its response as part of a broader imperative for internet service providers to resist extortion attempts collectively.