
Cyber Incident Victim: ContactOffice

Date: Oct 2021

Location: Belgium

Summary

A coordinated DDoS extortion campaign targeted multiple privacy-focused email providers, including Runbox and Posteo, with attacks peaking at up to 256Gbps. The threat actor, identifying as "Cursed Patriarch," demanded 0.06 BTC ransoms to cease disruptions, threatening prolonged network downtime for non-payment. Several providers experienced outages but refused to pay, publicly confirming ransom demands linked to the attacks. The incidents were distinct from unrelated DDoS campaigns affecting other sectors, highlighting ongoing activity by groups leveraging high-volume attacks for financial gain.


Description

Between October 21 and October 25, 2021, at least eight email service providers experienced sustained distributed denial of service (DDoS) attacks linked to an extortion campaign. The affected providers, Runbox, Posteo, Fastmail, TheXYZ, Guerrilla Mail, Mailfence, Kolab Now, and RiseUp, all specialized in privacy-focused email services. Attacks commenced on October 21 and continued through the weekend, causing prolonged service disruptions. An unidentified threat actor group calling itself the "Cursed Patriarch" sent ransom demands to victims following the initial DDoS waves, demanding payment of 0.06 Bitcoin (approximately $4,000 at the time) within three days. The attackers threatened escalated network disruptions for non-compliance, as evidenced by a ransom email reviewed by investigators. Posteo publicly confirmed receipt of the threat on October 22 through a blog post, explicitly stating its refusal to pay. Subsequent provider disclosures revealed attack traffic volumes reaching 50 Gbps against Runbox and 256 Gbps against TheXYZ, indicating significant disruptive capacity.


The campaign exhibited operational awareness, as later ransom emails incorporated links to media coverage of the attacks after The Record's reporting exposed the extortion scheme. Forensic analysis distinguished these incidents from contemporaneous DDoS attacks against UK VoIP provider Voipfone and gaming infrastructure firm Sparked, which involved separate threat actors. While DDoS extortion tactics were noted in unrelated incidents against financial and telecommunications entities in multiple countries during this period—some leveraging the Meris botnet—the email provider attacks demonstrated a coordinated focus on niche secure communication services. Provider responses centered on public transparency, with Posteo, Runbox, and TheXYZ confirming attacks through official channels while maintaining service continuity measures. No confirmed ransom payments were disclosed in available reporting. The incident highlighted ongoing DDoS extortion risks beyond ransomware operations, particularly for specialized email services with potentially limited DDoS mitigation resources.
