
Cyber Incident Victim: Runbox

Date: Oct 2021

Location: Norway

Summary

A coordinated DDoS extortion campaign targeted multiple privacy-focused email providers, including Runbox, causing prolonged outages from attacks peaking at up to 256Gbps. The threat actor, identifying as the Cursed Patriarch, followed the initial attacks with threatening emails demanding a 0.06 BTC ransom and giving victims three days to pay before further network disruption. Several providers publicly confirmed receiving demands but refused payment. The campaign was distinct from unrelated DDoS incidents affecting other sectors at the same time. The attacks exemplified the ongoing use of high-volume DDoS operations for financial extortion, following similar incidents in which emerging botnets such as Meris were used against global internet and financial entities.


Description

The incident began on October 21, 2021, when multiple privacy-focused email providers, including Runbox, Posteo, Fastmail, TheXYZ, Guerrilla Mail, Mailfence, Kolab Now, and RiseUp, were targeted by distributed denial-of-service (DDoS) attacks. These attacks continued through the weekend and into Monday, causing prolonged service disruptions. A threat actor identifying as the "Cursed Patriarch" carried out the attacks as part of an extortion campaign, sending ransom demands to the affected companies after the DDoS strikes had begun. The demands requested payment of 0.06 Bitcoin (approximately $4,000 at the time), with a three-day deadline to comply before the threatened escalation of network disruptions. Posteo publicly confirmed receiving the threat on October 22 in a blog post, explicitly stating its refusal to pay. Subsequent confirmations came from Runbox and TheXYZ, who disclosed attack peaks of 50Gbps and 256Gbps respectively, among the highest figures reported in this campaign.


The attackers adapted their tactics after media exposure, incorporating links to The Record's article about the campaign in later communications. While the DDoS attacks caused operational disruptions across multiple providers, the coordinated nature of the incidents distinguished them from simultaneous attacks against UK VoIP provider Voipfone and gaming server company Sparked, which involved separate threat actors. The email providers' public responses focused on transparency, with Posteo, Runbox, and TheXYZ all issuing statements to confirm the extortion attempts without indicating any ransom payments. The campaign exemplified ongoing DDoS extortion trends, occurring shortly after similar incidents targeting ISPs and financial institutions in Russia, the UK, US, and New Zealand involving the Meris botnet. No collateral damage beyond service outages was reported, and the threat actor's success rate in obtaining payments remained unconfirmed in available reporting.
