Ransom DDoS campaigns — known as RDoS or DDoS extortion — are simple in concept: threaten to flood a target's infrastructure unless a ransom is paid. They're effective because even organizations with decent security often have no answer for a 300Gbps flood arriving with 12 hours' notice.
The Playbook
- An email claiming to be from 'Fancy Bear' or 'Lazarus Group' (the attribution is usually fake) threatening an attack.
- A small demonstration attack lasting 10–30 minutes to prove capability.
- A demand for Bitcoin, usually 1–5 BTC, with a short deadline.
- Follow-through attack if unpaid — or sometimes no attack at all (many are bluffs).
Why You Should Never Pay
- Payment marks you as willing to pay — you'll receive more demands.
- The demand often escalates immediately after payment.
- Paying funds criminal infrastructure that attacks others.
- There is no guarantee the attacks stop — criminals don't honor contracts.
The Correct Response
Upon receiving an RDoS threat: route your traffic through a scrubbing proxy immediately (before the attack begins), preserve the email for law enforcement, report to your national CERT, and file a police report. If your infrastructure is already protected by Akarguard, the demonstration attack will fail to cause an outage — removing the attacker's leverage entirely.
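As an added example (not code from the original article or from Akarguard), the playbook markers above and the response checklist combined into one triage function, run over a constructed sample email; the group list, the marker weights and the score threshold are assumptions, and the message is assumed to be single-part plain text:

```python
import hashlib
import re
from email import message_from_string

# Attribution names from the playbook above; extend with names seen in your own reports.
CLAIMED_GROUPS = ("Fancy Bear", "Lazarus Group")
BTC_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|bitcoins?)\b", re.I)
DEADLINE_RE = re.compile(r"(\d+)\s*(hours?|days?)\b", re.I)
DEMO_RE = re.compile(r"\b(demonstration|demo|test|sample)\s+attack", re.I)

# Response checklist from the article; attached only when the score says "probable RDoS".
RESPONSE_ACTIONS = [
    "Do not pay: payment invites repeat and escalating demands",
    "Route traffic through the scrubbing service now, before the deadline",
    "Preserve the raw email (sha256 recorded in this record) for law enforcement",
    "Report to the national CERT and file a police report",
]

def triage_rdos_email(raw: str) -> dict:
    """Extract the playbook markers from a plain-text extortion email (assumed single-part)."""
    text = message_from_string(raw).get_payload()
    group = next((g for g in CLAIMED_GROUPS if g.lower() in text.lower()), None)
    btc = BTC_RE.search(text)
    deadline = DEADLINE_RE.search(text)
    hours = None
    if deadline:
        unit = 24 if deadline.group(2).lower().startswith("day") else 1
        hours = int(deadline.group(1)) * unit
    demo = DEMO_RE.search(text) is not None
    # Assumed weights: claimed group (2), BTC demand (2), deadline within 72h (1), demo attack (1).
    score = (2 if group else 0) + (2 if btc else 0) \
        + (1 if hours is not None and hours <= 72 else 0) + (1 if demo else 0)
    return {
        "sha256": hashlib.sha256(raw.encode()).hexdigest(),  # fingerprint of the preserved message
        "claimed_group": group,
        "btc_demand": float(btc.group(1)) if btc else None,
        "deadline_hours": hours,
        "mentions_demo": demo,
        "score": score,
        "actions": list(RESPONSE_ACTIONS) if score >= 3 else [],
    }

# Constructed sample following the playbook; not a real message.
SAMPLE_EMAIL = """From: fancybear@example.invalid
To: noc@example.com
Subject: DDoS attack on your network

We are Fancy Bear. Your network will be taken down in 48 hours unless you pay 2 BTC.
A small demonstration attack is running right now against one of your IPs to prove we are serious.
"""
```

Calling `triage_rdos_email(SAMPLE_EMAIL)` returns the marker fields, a score of 6 and the four-step checklist; a routine email mentioning "2 hours" scores 1 and gets no actions.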
Key insight
The only effective deterrent to an RDoS threat is demonstrated resilience. If their demo attack fails to cause any disruption, they move to the next target.