The headlines started out bad enough with the news that the Armada Collective, a cyber extortion group famous for targeting private email services including ProtonMail last fall, had resurfaced to send DDoS ransom notes to financial institutions in Switzerland. Things got worse from there as news broke that Armada Collective copycats were allegedly raking in tens of thousands of dollars in bitcoin payments by sending DDoS ransom notes with threats on which they never followed through.

People, please. It’s perfectly natural to panic if you receive one of these DDoS ransom notes, whether from a well-known cyber extortion group like the Armada Collective or DD4BC or a script kiddie with some free time and access to a stresser. After all, DDoS attacks can be devastating. But that initial panic is no reason to buckle and pay the ransom. You owe it to the nerds of the world who were hit up for their lunch money daily to stay strong in the face of these threats. Let us learn from their mistakes.

Here’s what to do, and absolutely what not to do, if you receive a DDoS ransom note.

A brief overview of DDoS attacks and ransom notes

A DDoS attack is a distributed denial of service attack – a type of attack that leaves a website either offline or so slow as to be unusable by eating up its bandwidth or overwhelming its resources with a large amount of malicious traffic from a number of computers or other internet-connected devices.

The consequences of an unmitigated DDoS attack can be both immediate and long-term. A DDoS-induced outage or slowdown will leave your users frustrated, possibly leading to eroded loyalty. An organization can also suffer hardware and software damage, and if a DDoS attack is used as a smokescreen for an intrusion it can result in theft of customer data, financial information and intellectual property.

DDoS attacks have been making the news for the last few years, not only because they’ve been steadily increasing in frequency and size, but because of the sheer amount of damage they can cause. Naturally,
DDoS attacks have become something organizations are desperate to avoid. That’s where the DDoS ransom note business plan enters the picture. Groups of hacktivists and script kiddies have figured out that many people are willing to pay up in order to avoid getting hit with a DDoS attack.

DDoS attacks aren’t going away anytime soon, and since the ransom notes seem to be working, they won’t be either. Every organization and website owner needs a plan for when that note shows up in the inbox.

What not to do

Under absolutely no circumstances should you pay the demanded ransom. Do not. Do. Not. Just as handing over your lunch money the first time a bully ever demanded it ensured you’d be handing it over every day for the rest of the year, paying the ransom marks you as a weak target who obviously does not have any professional protection against DDoS attacks, greatly increasing the likelihood that you will receive these ransom notes over and over again.

Not only that, but paying the ransom in no way guarantees that you won’t get attacked. Just ask ProtonMail. They reportedly paid a ransom of $6000 and were nonetheless barraged by DDoS attacks for days.

Furthermore, reports indicate that though the Armada Collective copycats sent out a massive number of DDoS ransom notes, the group behind them never followed through on a single threat, regardless of if the organizations targeted paid up. So it’s possible you could end up paying to stave off an attack the ransomers never had any intention of launching.

What to do

As much as the Armada Collective copycats have recently watered down the DDoS ransom note threat, when a ransom note comes in, you need to proceed based on the assumption that the group behind it is both capable of and prepared to target you with an attack. Booters and stressers – services that allow a user to launch a DDoS attack – are both affordable and widely accessible, allowing people with little technical knowledge to aim an attack wherever they would like, so a DDoS attack is not a difficult thing to perpetrate.

When a ransom note comes in, you have two reasonable options: protect yourself from the attack, or prepare to ride it out. Either way, you need a response plan in place. DDoS mitigation services provider Imperva Incapsula has an excellent guide to preparing your response plan.

To protect or not to protect

The recommended course of action is always going to be to invest in professional DDoS mitigation services. Selecting a cloud-based mitigation service will give you protection that’s both scalable and affordable: there when you need it, and not costing you much when you don’t.

However, if you weigh the costs and benefits and decide it’s reasonable for you to ride out a DDoS attack and simply deal with whatever outcomes occur, then you still need a plan in place for both restoring your website quickly, and for communicating with your users about what is happening. You need to be communicating early, often and honestly. This will ensure your users that you respect them and that you are sorry they are unable to use your services and will often result in those users feeling sympathy instead of frustration.

There’s no one size fits all approach to dealing with a DDoS ransom note. You or your organization have to decide what’s best for your website and for your budget. Regardless of whether or not you decide to invest in DDoS protection, be sure to hang on to that lunch money. These ransomers have done nothing to deserve to drink your chocolate milk.