Private email providers offering enhanced encryption have been at the receiving end of crippling DDoS attacks lately and it has been revealed that the extortionist cybercriminal group behind the strikes are called the Armada Collective.

ProtonMail, an encrypted email startup service set up by CERN scientists in Geneva and researchers at MIT, recently gave into ransom demands after being at the receiving end of massive distributed-denial-of-service (DDoS) attacks that affected the company’s datacenter and its ISP, with speeds exceeding 100Gbps.

Despite paying the ransom demand of 15 Bitcoin (approx. $6000), the email service provider continued to get inundated with the DDoS attacks that lasted six days altogether, before finally switching online again.

According to Forbes, ProtonMail aren’t the only email provider to be targeted by the Armada Collective, a cybercriminal group who seem to have found their calling with inflicting DDoS attacks.

Hushmail is another enhanced email security provider which recently revealed that it too, was targeted with a DDoS attack. The email provider referenced multiple incidents on November 5th and 6th wherein extortionists pummeled the company’s networks and duly demanded a ransom. However, Hushmail refused to pay and at the time of publishing, is back online.

Their blog entry read:

The attackers have demanded a ransom, which we will not pay, and have promised an increase in the intensity of the attacks. As such we expect that there will be continued attacks, which may result in further interruptions in service. We are continuing to improve our protection against these attacks, and have filed a criminal complaint with the relevant authorities.

Another secure email provider also endured the brunt of DDoS attacks in recent days, to clearly underline a trend here. Runbox faced a DDoS attack on November 6th and the company managed to get its service stable a day later.

Related article: Linux Botnet Discovered Launching 150Gbps DDoS Attacks

Notably, all three secure email service providers have confirmed they had been targeted by an extortionist group of cybercriminal hackers who dub themselves the Armada collective. This can be independently verified too, as the each ransom demands correlates to the same Bitcoin addresses used elsewhere.

With the increased activity of DDoS based extortion incidents, the cybercriminal group may have bitten more than they can chew, as law enforcement turn up the screws in their attempts to find the group’s members.

They’re “feeling the heat,” as Andy Yen, co-founder of ProtonMail said. “They know they are being hunted.”