Cyber Incident Victim: RiseUp
Date: Oct 2021
Location: United States of America
Summary
A coordinated DDoS extortion campaign targeted multiple privacy-focused email providers, including RiseUp, causing prolonged outages through attacks peaking at up to 256Gbps. The threat actor, identifying as the Cursed Patriarch, demanded 0.06 BTC ransoms and threatened escalated network disruptions if unpaid within three days, though impacted firms publicly refused compliance. This campaign specifically affected smaller security-centric email services, with attackers later referencing media coverage of their operations, distinguishing it from unrelated DDoS incidents against VoIP and gaming infrastructure. The events reflect ongoing DDoS-based extortion trends, following recent botnet-driven attacks against global ISPs and financial entities.
Description
The incident began on October 21, 2021, when a coordinated series of distributed denial of service (DDoS) attacks targeted at least eight email service providers specializing in privacy and security-focused offerings. The affected companies included Runbox, Posteo, Fastmail, TheXYZ, Guerilla Mail, Mailfence, Kolab Now, and RiseUp. Attacks persisted throughout the weekend and into Monday, October 25, causing prolonged service outages. The threat actor launched volumetric DDoS attacks against these providers, with some attacks reaching peak intensities of 50Gbps and 256Gbps according to subsequent statements from Runbox and TheXYZ. Following the initial disruption, the attacker sent ransom emails demanding payment of 0.06 Bitcoin (approximately $4,000 at the time), giving each company a three-day deadline before threatening escalated network disruption.

The extortion emails were attributed to a group identifying itself as the "Cursed Patriarch," which later incorporated links to media coverage about their campaign in subsequent communications. Multiple providers confirmed receiving identical threats, with Posteo publicly disclosing their refusal to pay in a blog post on October 22. Runbox and TheXYZ also acknowledged ransom demands after initial attacks. While the DDoS campaign caused operational disruptions across the targeted email services, no evidence indicated compliance with payment demands. The incident was distinct from contemporaneous DDoS attacks against UK VoIP provider Voipfone and gaming infrastructure company Sparked, which involved separate threat actors according to investigative sources. This campaign exemplified ongoing DDoS extortion activities separate from ransomware operations, occurring amid broader attacks against ISPs and financial institutions in multiple countries using emerging botnets like Meris during the same timeframe.
