Cyber Incident Victim: Guerilla Mail
Date: Oct 2021
Location: United States of America

Summary
A coordinated DDoS extortion campaign targeted multiple privacy-focused email providers, including Guerilla Mail, causing prolonged outages. The attacks, attributed to a threat actor calling itself "Cursed Patriarch," involved ransom demands of 0.06 BTC (~$4,000) accompanied by threats to sustain network disruptions if unpaid. Some attacks reached peaks of 256Gbps, significantly impacting service availability. Several providers publicly confirmed receiving identical extortion emails following the DDoS incidents, with at least one explicitly refusing payment. The campaign specifically affected smaller security-centric email services, distinguishing it from unrelated DDoS attacks against other industries occurring concurrently. This incident highlights ongoing DDoS-based extortion tactics despite broader attention on ransomware operations.
| Field | Value |
|---|---|
| CIA Posture | Available to members |
| Motives | 2 motives |
| Tactics, Techniques & Procedures | 2 techniques |
| Threat Actor | 1 actor |
| Type | Available to members |
| Location | Available to members |

Description
Between October 21 and October 25, 2021, Guerilla Mail and seven other privacy-focused email providers (Runbox, Posteo, Fastmail, TheXYZ, Mailfence, Kolab Now, and RiseUp) experienced prolonged outages due to distributed denial-of-service (DDoS) attacks linked to an extortion campaign. The attacks began on October 21 and continued through the weekend, disrupting services for multiple days. A threat actor group identifying as the "Cursed Patriarch" executed the DDoS attacks and then sent ransom demands to the targeted companies, instructing them to pay 0.06 Bitcoin (approximately $4,000 at the time) within three days to avoid further network disruptions. Posteo publicly confirmed receiving the threat on October 22 and stated that it refused payment. Runbox and TheXYZ later corroborated receiving identical ransom notes after suffering DDoS attacks peaking at 50Gbps and 256Gbps, respectively. In follow-up communications, the attackers referenced their own campaign by linking to media coverage of the incidents.

The coordinated attacks caused significant operational disruptions across the affected email services, though specific technical impacts on Guerilla Mail’s infrastructure were not detailed in available reports. Posteo, Runbox, and TheXYZ documented their refusal to comply with ransom demands, with no confirmed reports of payments among the eight providers. Security researchers attributed the campaign exclusively to the Cursed Patriarch, distinguishing it from unrelated DDoS incidents targeting UK VoIP provider Voipfone and gaming infrastructure firm Sparked during the same period. The extortion attempts highlighted ongoing DDoS-for-ransom activity despite greater attention on ransomware operations, following a trend of similar attacks against ISPs and financial institutions in multiple countries earlier that year. Attackers leveraged volumetric DDoS tactics to overwhelm victim networks, though mitigation strategies employed by the email providers were not disclosed in public statements.
