Cyber Incident Victim: Hush Communications Corp.
Date:
Nov 2015
Location:
Canada
Summary
Hushmail experienced a distributed denial-of-service (DDoS) attack by the Armada Collective, which demanded a ransom payment to cease the assault. The company refused to pay, publicly acknowledged ongoing service disruptions, and anticipated further attacks while implementing improved defensive measures and filing a criminal complaint. Similar attacks targeted multiple secure email providers during the same period, with one provider paying the ransom but continuing to face disruptions. The attackers claimed unprecedented attack capabilities, though security analysts questioned their credibility, and the collective later attempted to distance itself from subsequent assaults while returning partial ransom payments, attracting significant scrutiny.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Between November 4 and 9, 2015, multiple secure email providers experienced sustained distributed denial-of-service (DDoS) attacks attributed to a group calling itself the Armada Collective. Hushmail, a Vancouver-based encrypted email service, confirmed it was targeted alongside ProtonMail, Runbox, and VFEmail. The attackers demanded ransom payments in Bitcoin, threatening to escalate attack intensity if unpaid. Hushmail publicly refused payment, warning customers of potential continued service interruptions as it worked to improve its defenses. The company filed a criminal complaint with unspecified authorities while maintaining service availability despite ongoing disruptions to email delivery timelines.
Hush Communications CEO Ben Cutler noted operational similarities between the attacks on ProtonMail and Hushmail, including ransom demands, suggesting a coordinated focus on secure email providers. The Armada Collective claimed attack capabilities exceeding 1 terabit per second in communications to Runbox, though Hushmail did not verify these claims. While Runbox restored service stability within a day and VFEmail considered shutdown, Hushmail sustained prolonged but mitigated impacts. ProtonMail’s payment did not prevent follow-up attacks, and blockchain analysis revealed partial Bitcoin refunds to ProtonMail with messages denying responsibility for escalated attacks. Hushmail maintained its non-payment stance throughout the incident, attributing service delays directly to the attackers’ actions.