We have recently written about the persistence of the four most common varieties of cyberattacks: Ransomware, Phishing, Business Email Compromises, and Credential Stuffing, as well as the increased regulatory scrutiny that companies face when they fall victim to these attacks. Over the last few months, we have observed an increase in another form of cybersecurity threat: DDoS ransom attacks, where cybercriminals demand a large payment from a company in exchange for not launching a distributed denial-of-service (“DDoS”) attack that is designed to bring down the company’s website. In this Debevoise Data Strategy and Security Blog post, we discuss the characteristics of these attacks and steps companies can take to prevent and mitigate damage from them.

What Is a DDoS Ransom Attack?

In a DDoS attack, cybercriminals send a flood of electronic requests or other network traffic to a target company’s website, web application, or network. The goal is to overwhelm the company’s ability to address these requests, and thereby shut down the company’s website, so that legitimate users can no longer use the service. A single attack can affect multiple company websites or services if the attack disrupts a common service relied on by many endpoints, such as a domain name system (“DNS”) service.

DDoS attacks have been around for a long time and have typically been used as a diversionary smokescreen designed to draw attention away from a separate attack or to send a political message. In this latest wave of DDoS attacks, cybercriminals appear to be seeking direct financial gain by capitalizing on the success of recent ransomware campaigns.

DDoS attacks are also getting cheaper and easier to implement. Criminals can rent DDoS services on the dark web to carry out high-volume attacks. The services are easy to use and even provide loyalty programs for repeat customers. Prices for DDoS services vary depending on how well-resourced the target is, with attacks on protected websites going for as low as $400.

The Recent DDoS Extortion Campaign

Over the last few months, thousands of companies have received extortion emails that have threatened crippling DDoS attacks if a six-figure ransom is not paid in Bitcoin. These attacks generally follow the same pattern.

1. The Email – First, a company receives an email from a threat actor that claims affiliation with notorious sophisticated cybercriminal groups, such as Lazarus or Fancy Bear. The senders of these emails, however, are much more likely to be independent cybercriminals trafficking on the reputation of well-known threat groups to cultivate credibility and appear more threatening. The email is usually sent from an encrypted email service, like ProtonMail, about fifteen minutes prior to an initial DDoS attack. Often, however, the target is unaware of the ransom demand because the email gets caught in the company’s spam filter, or the person receiving the email ignores it, is busy, or is on vacation.

The email explains that the initial attack is a demonstration of the threat actor’s capability. If a six-figure Bitcoin ransom is not paid within six days, the attackers threaten a second DDoS wave that will disrupt core operations and create reputational damage. There is often no avenue to communicate or negotiate with the threat actor beyond sending the ransom amount to the provided Bitcoin wallet.

2. The Initial Attack – About fifteen minutes after the initial extortion email is received, the threat actors usually carry out a DDoS demonstration attack. These attacks vary in strength, ranging from a few gigabits per second (“Gbps”) to peaks of 300 Gbps, and typically last for a couple of hours. During these initial attacks, some companies have reported performance issues when connecting to virtual private network gateways, email clients, chat-based collaboration platforms (e.g., Microsoft Teams) and other core services. The attacks often focus on back-end infrastructure and come from multiple attack vectors. The attacker appears to be monitoring their impact during the attack and pivoting techniques in real time to avoid mitigation measures.

In some cases, the attackers will try to disrupt a target’s Domain Name System (“DNS”) server, thereby compromising the target’s ability to access the internet through its devices (i.e., a “DNS Flood”). This form of attack disrupts a website or application’s ability to respond to legitimate internet traffic. DNS servers are often hosted outside of the organization by dedicated providers. Some DNS providers may not have the same level of DDoS protection as a company’s network, while other DNS providers have sophisticated DDoS prevention methods in place, which inspect in-bound traffic, detect and drop malicious traffic, and forward only legitimate traffic to the company. The attackers have also been amplifying their attacks with “booter” services, which have the effect of hiding the origin of the attack and increasing its effectiveness.

The attackers also have been engaging in IP spoofing, which sends junk traffic to a target from a source address that appears to be coming from within the target’s network, creating a nuisance by getting services like email infrastructure improperly blacklisted by DDoS mitigation services.

3. Recent Follow-On Activity – While a significant proportion of companies facing ransomware attacks have been forced to pay the attackers, in the case of these DDoS attacks, it appears that most companies have allowed the ransom payment window to pass without making any payment, and have not experienced damaging follow-on activity. Some companies have received additional ransom emails from the same threat actor well after the initial email. These follow-on emails reference the initial ransom demand, the target’s lack of payment the first time around, and renew demands for a Bitcoin payment. Another demonstration DDoS attack may also be carried out, with similar characteristics to the first one.

Preventing and Responding to DDoS Ransom Attacks

Companies have employed several measures to prevent and mitigate these attacks, including:

Extension of DDoS Mitigation: DDoS mitigation typically involves implementing measures that protect a company’s on-site servers and network equipment from a DDoS attack and include things like detecting abnormal traffic flows and redirecting malicious traffic away from the network. The threat actors carrying out these DDoS attacks tend to target IP addresses that are currently outside the scope of companies’ DDoS mitigation. So, some companies have found that they are able to defend against very sophisticated DDoS attacks by extending mitigation measures to cover as many company IP addresses, web services, internet-facing infrastructure, and DNS servers as possible.

Cloud-based DDoS Mitigation: Depending on the strength of the initial attack, and the ability of a business to effectively respond, some companies have turned to cloud-based DDoS mitigation services. These services have the advantage of “always-on” monitoring of network traffic to detect issues and respond to an attack in seconds.

Customizing DDoS Mitigation: In some recent attacks, criminals have caused disruption while avoiding detection by dispersing their attacks in such a way that DDoS mitigation thresholds are not triggered. Companies have been able to protect against this by working with mitigation providers to customize mitigation thresholds to identify and prevent this specific type of attack.

Working with ISPs: To prepare for DDoS attacks, many companies have worked closely with their internet service providers (“ISPs”) to make sure that they are able to control network traffic during an event. Both Verizon and AT&T have been able to mitigate disruption to network services of target companies in the recent DDoS attacks. The ISPs may also have some of the forensic data that law enforcement may want for their investigations.

Configuring firewalls and routers: Network firewalls and routers can be configured to block unauthorized IP addresses and reject junk network traffic. Routers and firewalls, as well as all other network devices, should be kept up to date with the latest security patches.
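
The dispersed-traffic problem described under “Customizing DDoS Mitigation” and the coverage gap described under “Extension of DDoS Mitigation” can be checked together from flow data. The following is an added example, not part of the original post: it flags a /24 whose summed inbound traffic is abnormal even though no single address crosses the per-host threshold, and lists destinations receiving traffic that sit outside the protected prefixes. The thresholds, prefixes and flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed thresholds (assumptions, not any provider's defaults).
PER_HOST_BPS = 100_000_000       # 100 Mbps to a single destination IP
PER_PREFIX_BPS = 2_000_000_000   # 2 Gbps summed across one /24
PREFIX_LEN = 24

# Constructed mitigation scope (documentation address ranges).
PROTECTED_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24"]

def sample_flows():
    """Constructed one-interval sample of (dst_ip, bits_per_second)."""
    flows = [(f"203.0.113.{i}", 15_000_000) for i in range(1, 201)]  # spread thin
    flows.append(("198.51.100.10", 20_000_000))   # ordinary web traffic
    flows.append(("192.0.2.53", 5_000_000))       # DNS server not in scope
    return flows

def evaluate(flows, protected_prefixes):
    """Return (host_alerts, prefix_alerts, uncovered) for one interval."""
    protected = [ipaddress.ip_network(p) for p in protected_prefixes]

    # Sum traffic per destination address.
    per_host = defaultdict(int)
    for dst, bps in flows:
        per_host[ipaddress.ip_address(dst)] += bps

    # Roll the per-host totals up to the enclosing /24.
    per_prefix = defaultdict(int)
    for ip, bps in per_host.items():
        net = ipaddress.ip_network(f"{ip}/{PREFIX_LEN}", strict=False)
        per_prefix[net] += bps

    host_alerts = sorted(str(ip) for ip, bps in per_host.items()
                         if bps > PER_HOST_BPS)
    prefix_alerts = sorted(str(n) for n, bps in per_prefix.items()
                           if bps > PER_PREFIX_BPS)
    # Destinations seen in traffic that no protected prefix covers.
    uncovered = sorted(str(ip) for ip in per_host
                       if not any(ip in n for n in protected))
    return host_alerts, prefix_alerts, uncovered

if __name__ == "__main__":
    hosts, prefixes, gaps = evaluate(sample_flows(), PROTECTED_PREFIXES)
    print("per-host alerts:", hosts)
    print("per-prefix alerts:", prefixes)
    print("outside mitigation scope:", gaps)
```

On the sample data the per-host check stays silent while the per-prefix check fires, which is the gap a threshold tuned only per address leaves open.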


The authors would like to thank Debevoise law clerk David Wang for his contribution to this article.


Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.


Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.