On Monday, the VPN service Cloak got an unsettling email: if the owners didn't cough up 10 bitcoin (or $4,400) in the next week, the service would be hit by a denial-of-service attack large enough to bring down the service entirely. The fallout from that downtime would easily cost more than $4,400, so the criminals offered an early payoff as an easy way to avoid all that damage.
But today — a full five days before the ransom demand came due — the company struck back, going public with the demand and promising to withstand any attack criminals attempted. "We apologize for any disruption as a result of these attacks; please know that we will do everything in our power to thwart them," the company wrote in a blog post today. "But let us reiterate: no matter what happens, we simply will not pay these garden-variety thugs." (The line was later removed.)
It's a common scheme for web criminals, who often see small services as more likely to comply with the demands. In recent years, similar attacks have targeted Meetup, Feedly, Fastmail, and even Greek banks, often demanding higher and higher sums the longer sites wait to pay. There are a number of paid and open-source protections against denial-of-service attacks, but unpatched servers and other devices have made it easy for criminals to keep pace, with ever larger attacks in recent years.
Still, Cloak seems confident that it will be able to ride out any attacks that may arrive in the next few days. "We use the world’s largest network providers," the company wrote in its statement. "They have both the capacity and experience to handle large attacks of this nature."
4/21 8:51AM ET: Updated to reflect the removal of the first quote from Cloak's post.