Moonfruit is just the latest in a long list of online giants hit by hackers determined to gain leverage and blackmail the website builder.
Some Moonfruit users complained about how the company reacted to the threat – but we were actually impressed. In fact, other sites could learn a lot from how they handled the situation.
We are currently experiencing a DDoS attack. We're working to resolve the issue and will continue to update. Apologies for the inconvenience
— Moonfruit (@moonfruit) December 10, 2015
The service is now returning to normal. Our ops team will continue to monitor the situation. We appreciate your patience.
— Moonfruit (@moonfruit) December 10, 2015
On Thursday 10th December, sites powered by Moonfruit briefly went down. The following day, they issued a statement to customers revealing that the company had experienced a DDoS attack, a 45-minute teaser of what was to come if ransom demands weren’t met.
The hackers responsible call themselves the Armada Collective, an organisation that the Swiss Government actually warned its citizens about only last month. Their demand was a large sum of money, transferred by Bitcoin. The group points out:
“Bitcoin is anonymous, nobody will ever know you cooperated.”
If the initial ransom wasn’t paid, a further DDoS attack, flooding their servers with connection requests in order to bring down a wealth of sites, would occur on Monday 14th December, presumably with the demands increasing each day, just as previous blackmail messages have stated.
Moonfruit’s statement, however, rebutted:
“Having investigated the group it is very clear that even if we were to pay them (something we would never consider) the attacks would not cease. In fact, whenever anyone has given in and paid them, the attacks get worse and the demands increase.”
The Armada Collective naturally won’t give up that easily, and indeed, Moonfruit sites have been acting slowly with investigations ongoing, but how the website-building company dealt with the threat was admirable.
What Did Moonfruit Do?
They took down all sites for 12 hours, and alerted their users.
We can only presume the message sent by the Collective was similar to their past threats, so Moonfruit’s drawing attention to the blackmailers flies in the face of this:
“If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.”
That’s not unusual, though: many past victims, mostly email hosting sites like Runbox, Hushmail, and ProtonMail, announced the attack.
Nonetheless, Moonfruit emailed their users as soon as possible – despite claims that they were slow to communicate the problem. Acknowledging the problem publically is only half the battle. What they actually did to combat the attack is important.
Taking down all sites hosted by Moonfruit for half a day was a drastic move, but we should balk at the suggestion that they temporarily defeated themselves. It was the smartest move that could be made.
During that time, Moonfruit carried out “significant infrastructure changes,” asking its paying customers to make configuration alterations. It’s in the best interests of users that they didn’t simply cave in to the extortionists. Ron Symons, regional director at DDoS mitigation company, A10 Networks, explained:
“More worryingly, DDoS attacks frequently act as smokescreens hiding more invasive attacks as hackers exploit unguarded system backdoors to steal sensitive data.”
This could include Personally Identifiable Information (PII) and payment details, both of which can fetch a fair price on the Dark Web. It’s a sentiment echoed in the most recent update from Moonfruit.
Admittedly, with Christmas just around the corner, this is a terrible time for any downtime and customers certainly have a right to be disgruntled, but that’s exactly why the Armada Collective has targeted Moonfruit right now. As they point out, they can only control how they responded, not the timing.
What We Can Learn From This
First and most importantly, no site should give in to ransom demands. Moonfruit is right when asserting that paying up would simply mean an increase in attacks.
Most companies publically revealed as subject to DDoS attacks have similar claims: office-suite business, Zoho, and email clients like Neomailbox and VFEmail all refuse to pay up. But earlier this year, ProtonMail admitted to paying in the region of $6000 after being blackmailed by the Collective, gloomily announcing:
“[W]e were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time…We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless.”
In fact, they not just persisted over the next few hours, but in the following days too, leading the company to add:
“This was a collective decision taken by all impacted companies, and while we disagree with it, we nevertheless respected it taking into the consideration the hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us… This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom.”
Moonfruit, too, was open with their customers, something many companies refuse to do, supposedly fearing damage to their reputations. Indeed, sometimes their silence is a good thing, but Moonfruit actually helped their reputation.
Users appreciate honesty, certainly when downtime was self-imposed to protect intimate data. And that’s the key: putting your customers first. In the email sent out to users on 16th December, Moonfruit reassures:
“Huge DDoS attacks, such as the one we were subjected to, often mask more dangerous forms of attack that could put you at greater risk. The consequences of trying to ride out these attacks, without taking the type of decisive actions we have, can be incredibly serious, sometimes resulting in weeks of downtime. We truly believe the decisions we’ve made over the past few days have been in your best interest.”
Taking the initiative and doing exactly what the extortionists would do seems counter-intuitive, but if it means they can fully investigate and prevent a potential upcoming attack, this can only be a good thing. Moonfruit won’t be going through an easy time, but can rest assured they’re doing the right thing.
UPDATE, 15/12/15, 7PM (GMT): Sites loading and should be visible to your visitors. Still not possible to log-in: https://t.co/w2CvVG1xqQ
— Moonfruit (@moonfruit) December 15, 2015
Of course, Moonfruit isn’t perfect. As Alexandra Yount notes:
“[T]his is somewhat poor planning. DDoS protection is often bought in the middle of a crisis instead of during a time that infrastructure changes are less critical to clientele. Had this been taken care of prior to now, it could have just been a matter of asking their provider to increase their protection…”
It’s important not to blame Moonfruit, however. It’s not their fault; it’s the Armada Collective’s, whoever they may be. We don’t know if this is one group or numerous hijacking the already-bad reputation of the hackers to make a quick buck.
As of 16th December, progress is slow and normal service has not entirely been resumed. In most cases, sites should load, but users can’t edit them at all.
Were you affected by the downtime? Will you use Moonfruit, knowing they stood up to a DDoS attack or are you considering elsewhere? What other lessons can be learnt?
Image Credits: Hacker Rene by Ivan David Gomez Arce.