Ransom DDoS Extortion Scam
Criminals send threatening emails claiming they will flood a business's servers with junk traffic (a DDoS attack) and take them offline unless a ransom is paid, usually in cryptocurrency.
Last reviewed: 11 June 2026
What this scam is
Ransom DDoS (RDDoS) extortion is a threat-based scheme in which attackers — or those merely claiming to be attackers — threaten to overwhelm a target's servers with a distributed denial-of-service attack unless a ransom is paid. A genuine DDoS attack floods a network with traffic from thousands of compromised machines, making websites, APIs, or other services unreachable to legitimate users. The ransom demand exploits the real cost and reputational damage such an attack can cause.
Many RDDoS campaigns are pure bluffs sent in bulk to businesses scraped from web registries and company directories. Others are sent by groups with genuine attack capability, though they often prefer the certainty of payment over the cost of running a large attack. The criminal business model relies on a percentage of recipients paying without verifying whether the threat is real.
How it works
Criminals identify targets — typically businesses with an online presence — by scraping domain registrar data, company websites, or professional directories for email addresses. Automated tools generate and send thousands of threat emails impersonating named attack groups.
Some campaigns include a brief, low-level 'teaser' attack lasting a few minutes to add credibility. This is relatively cheap to execute and significantly increases the payment rate. The teaser is not the scale of attack threatened — it is intended solely to demonstrate capability.
If payment is not received by the stated deadline, the criminal either moves on (pure-bluff campaigns) or may launch a modest attack before demanding a higher ransom. The second-demand pattern is common even after payment, making compliance a poor long-term strategy.
Why this scam works
Businesses that depend on online availability for revenue or customer trust — e-commerce stores, financial services, gaming platforms, SaaS providers — understand viscerally what even a few hours of downtime costs. The psychological threat of extended unavailability is extremely powerful even without a single packet of real attack traffic.
Many businesses also underestimate their own defences. Cloud hosting providers and CDN services typically include significant DDoS mitigation automatically, meaning the actual risk of a crippling attack is lower than it appears. The scammer profits from that underestimation.
A typical pattern
A business receives an email addressed to a technical contact or published abuse address. The message claims to be from a well-known DDoS-for-hire group and states that the business's online infrastructure has already been identified and tested with a small demonstration attack. The email demands a payment of several thousand dollars in Bitcoin within a specified window — often 24 to 48 hours — to avoid a sustained multi-day attack that would take the business offline, cost it customers, and damage its reputation. In many cases no demonstration attack ever took place. Businesses that pay often receive a second demand shortly afterward. Businesses that do not pay frequently find nothing happens at all, confirming the original threat was a bluff. In a minority of cases a real, low-volume attack is launched to add credibility.
Common red flags
- Unsolicited email threatening a DDoS attack if ransom is not paid
- Claim of a 'test attack' that you cannot verify in your own logs
- Demand for cryptocurrency only
- Impersonation of a named DDoS group to add credibility
- Very short payment window designed to prevent consultation with advisors
- Second demand arriving shortly after the first, or after payment
- Generic email with no specific technical details about your infrastructure
Sanitized example messages
Illustrative, sanitized examples. Specific details are replaced with placeholders such as [AMOUNT] and [WALLET].
"We are [GROUP NAME]. We will DDoS your network to 1Tbps starting [DATE] unless you pay [AMOUNT] Bitcoin to [WALLET]. We have already conducted a small test — check your logs."
"Pay [AMOUNT] within 24 hours or your site will be offline for days. We have taken down organisations much larger than yours. This is your only warning."
"You have ignored our first notice. The price has now increased to [HIGHER AMOUNT]. Pay now or the attack begins tonight and we will contact your customers to let them know why you are offline."
Common variations
- Named-group impersonation: email claims to be from a known DDoS collective to increase perceived credibility
- Escalating-demand variant: a low initial demand rises sharply if not paid within the window
- ISP-target variant: directed at smaller businesses whose hosting lacks built-in DDoS mitigation
- Gaming-server extortion: game server operators targeted during peak player periods when downtime costs are highest
- Combined ransomware-plus-DDoS threat: criminal claims to have both data and the ability to attack, doubling the pressure
How to verify before you act
Check server logs and your hosting provider's traffic dashboard at the time the claimed 'demonstration' attack took place. Real attack traffic leaves clear, measurable signatures. If logs show nothing unusual, the demonstration claim was fabricated.
Consult your hosting provider or CDN service before paying anything — they deal with these threats regularly, already have mitigation tools active, and will advise on whether the threat is credible. Law enforcement agencies have issued guidance confirming many RDDoS campaigns are bulk bluffs.
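The log check described above (and again in the FAQ answer on telling a real threat from a bluff), as an added example that is not part of the original page: it parses Apache/nginx combined-format access-log lines, compares the busiest minute inside the claimed 'demonstration' window with the median minute outside it, and reports whether a spike from many client IPs is present. The log lines, IP addresses, date and the five-times-baseline threshold are constructed assumptions.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta, timezone

# Matches the client IP and timestamp of an Apache/nginx combined-format line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def per_minute(lines):
    """Requests and distinct client IPs per minute: {minute: (requests, ips)}."""
    reqs, ips = Counter(), {}
    for m in filter(None, map(LINE_RE.match, lines)):  # malformed lines are skipped
        minute = datetime.strptime(m["ts"], TS_FMT).replace(second=0)
        reqs[minute] += 1
        ips.setdefault(minute, set()).add(m["ip"])
    return {k: (reqs[k], len(ips[k])) for k in reqs}

def assess_claim(lines, window_start, window_end, factor=5):
    """Busiest minute inside the claimed window vs. median minute outside it."""
    stats = per_minute(lines)
    inside = {t: v for t, v in stats.items() if window_start <= t < window_end}
    outside = [v[0] for t, v in stats.items() if t not in inside]
    if not outside:
        raise ValueError("need traffic outside the window to form a baseline")
    baseline = statistics.median(outside)
    peak_req, peak_ips = max(inside.values(), default=(0, 0))
    return {"baseline_req_per_min": baseline, "peak_req_per_min": peak_req,
            "peak_distinct_ips": peak_ips,
            "spike_seen": peak_req >= factor * baseline and peak_ips > 1}

def build_log(start, minutes, per_min, ip_pool):
    """Constructed sample log lines (documentation-range IPs, not real traffic)."""
    out = []
    for i in range(minutes):
        for j in range(per_min):
            ts = (start + timedelta(minutes=i, seconds=j % 60)).strftime(TS_FMT)
            out.append(f'{ip_pool[j % len(ip_pool)]} - - [{ts}] "GET / HTTP/1.1" 200 512')
    return out

T0 = datetime(2026, 6, 3, 14, 0, tzinfo=timezone.utc)  # hypothetical date
QUIET = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]
FLOOD = [f"192.0.2.{n}" for n in range(1, 41)]
BLUFF_LOG = build_log(T0, 60, 3, QUIET)          # flat traffic: the claim was a bluff
TEASER_LOG = BLUFF_LOG + build_log(T0 + timedelta(minutes=30), 5, 200, FLOOD)
WINDOW = (T0 + timedelta(minutes=30), T0 + timedelta(minutes=35))  # claimed time

if __name__ == "__main__":
    for name, log in (("bluff", BLUFF_LOG), ("teaser", TEASER_LOG)):
        print(name, assess_claim(log, *WINDOW))
```

Run it against an export of your own origin or CDN logs for the hours around the claimed time; if the busiest minute in the window looks like every other minute, nothing happened.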
Payment methods used
- Cryptocurrency (Bitcoin, Monero)
- Bank/wire transfer
Who is usually targeted
- E-commerce businesses
- Online gaming platforms and game server operators
- Financial services and fintech companies
- SaaS and hosted service providers
- Any business with a publicly registered domain and technical contact email
What to do immediately
- Do not pay — payment does not guarantee the attack will not happen and will likely invite further demands
- Check your server and CDN logs to see whether any real attack traffic occurred
- Contact your hosting or CDN provider immediately — they have experience with these threats and active mitigations
- Report the email to your national cybercrime reporting body
- Preserve the full email including headers as evidence
- Brief relevant internal staff without creating panic — this is a known, common threat campaign
How to prevent it
- Use a CDN or DDoS-mitigation service that absorbs volumetric attacks at the network edge
- Ensure your hosting provider includes baseline DDoS protection in your service agreement
- Have an incident-response contact at your hosting provider established before any threat arrives
- Do not publish direct server IP addresses — route all traffic through protective services
- Create an internal communication plan so staff know not to panic or pay without proper escalation
- Report demands to law enforcement — agencies track these campaigns and sometimes identify the operators
Evidence to preserve
- Full email including all headers
- Wallet address or payment instructions in the email
- Server log exports covering the period the 'test attack' was claimed to have occurred
- Any follow-up communications
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number supplied by the scammer
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do I know if the DDoS threat is real or a bluff?
Check your server logs and CDN dashboard for any anomalous traffic spikes at the time the 'demonstration' was claimed. If logs are clean, the demonstration was fabricated. Your hosting provider can also help assess whether your infrastructure is currently under any active pressure.
Should I pay to avoid the attack?
No. Security guidance universally advises against payment. Payment does not guarantee the attack will not occur, marks you as a target willing to pay, and frequently leads to repeated demands. Your CDN or DDoS-mitigation service is your best defence.
My site went down briefly after the email arrived. Does that mean the threat is real?
A brief low-level disruption is a known tactic some groups use to add credibility cheaply. It does not mean they can sustain the multi-gigabit attack they are threatening. Consult your hosting provider before concluding the worst.