theNet by CLOUDFLARE

Using DDoS threats to extort organizations

The recent rise in ransom-based DDoS attacks

Ransom-based DDoS (RDDoS) and extortion attacks targeting organizations are on the rise around the world. RDDoS threats don’t always result in an attack, but cases seen in recent months show that attackers are willing to carry out the threat; launching large scale DDoS attacks that can overwhelm organizations lacking adequate protection.

In an RDDoS attack, a malicious party threatens a person or organization with a cyber attack that could knock their networks, websites, or applications offline for a period of time, unless the person or organization pays a ransom.

The average cost of a DDoS attack for an enterprise is $2 million, according to a Kaspersky Lab study. Additionally, 23% of companies report losing revenue or potential customers, and 22% saw their reputation damaged among clients. Facing these possible consequences, paying a ransom to eliminate the threat of a DDoS attack may seem like a viable option. Paying the ransom is never a good idea though; it just provides additional resources for the attacker to carry out even more attacks in the future.

As a leader in DDoS prevention solutions, Cloudflare is well positioned to protect an organization against RDDoS and recommends that organizations take steps to protect themselves from the attack.


The current threat

DDoS-based extortion attempts are initiated when victim organizations receive threatening messages demanding payment by a certain date and time. If they refuse to pay the ransom or meet the payment deadline, attackers threaten to carry out a DDoS attack against their networks and web properties. In many cases a demonstration attack will also be launched by the malicious party to prove they have the capabilities to launch an attack.

Cloudflare has seen a recent spike in enterprise customers reporting RDDoS attacks. The malicious groups taking claim for the current threats of RDDoS attacks include well-known "hacker" groups such as Cozy Bear, Fancy Bear, and the Armada Collective.

We have seen empty threats from some of these groups in the past — attackers looking to make some quick cash assuming a percentage of organizations they threaten will pay the ransom no matter what. Recent attacks, however, have shown that these threats can and have been carried out — although organizations with DDoS mitigation in place remain protected.


DDoS attacks are always a threat, but recent years have seen an increase in DDoS activity. The number of layer 3 and layer 4 DDoS attacks seen across the Cloudflare network more than doubled QoQ. Additionally, Cloudflare saw some of the largest DDoS attacks we have ever mitigated, including one that peaked just below 2 Tbps.

This trend has continued into 2022. As DDoS attacks continue to increase, it is no surprise that RDDoS extortion attempts are also growing in popularity.

With the COVID-19 pandemic, organizations are more reliant on staying online than ever before. This dependency on the Internet leaves organizations susceptible to the threat of attack and open to extortion. It is clear that these attacker groups are looking for vulnerable organizations, regardless of size or industry, as we have seen the profile of targeted organizations vary widely.


Who is (allegedly) behind these ransom DDoS threats?

The criminals behind the recent wave of ransom DDoS attacks claim to represent a few different groups, including Cozy Bear, Fancy Bear, and the Armada Collective. While their claims may be true, they are difficult to verify, and it has been a common practice for DDoS extortion racketeers to fake ties with well-known "hacker" groups to give their threats more weight.

Armada Collective

Criminal groups have operated under the "Armada Collective" name for many years now. In 2015, a group called "Armada Collective" carried out several DDoS attacks. In 2016, they reappeared and extorted money from several victims by threatening DDoS attacks, claiming to be capable of attacks at "over 1 Tbps per second [sic]." Whether or not this was actually the same person or group as the Armada Collective that was responsible for the attacks in 2015 is unknown. According to our research, the group collected several ransoms but did not appear to actually carry out any DDoS attacks in 2016.

In 2020, the Armada Collective is active again — though it is still difficult to discern whether this is the same group or a different group claiming the same name. In contrast to the 2016 Armada Collective "attacks," this attacker or group is actually following through on its threats to DDoS its targets, as in 2015.

Fancy Bear

Fancy Bear is a Russia-based group that carries out cyber crime and espionage. In the past, Fancy Bear has targeted governments, political figures, and journalists, mostly using spear phishing attacks and malware exploits. The group is perhaps best known for compromising the U.S. Democratic National Committee's servers and network in 2016.

There have not been any credible reports of Fancy Bear using DDoS attacks to achieve their goals. It is not likely that any ransom DDoS attackers actually represent Fancy Bear — likely they are merely impersonating Fancy Bear.

Cozy Bear

Cozy Bear is another Russia-based cyber espionage group that tends to target political figures or groups. They have developed their own malware toolsets, which they use in combination with spear phishing attacks to compromise networks and servers. As is the case with Fancy Bear, there are no credible reports of Cozy Bear using DDoS as an attack method.


If your organization has received a ransom note threatening a DDoS attack, what should you do?

Step 1: Do not pay the ransom

Meeting the attackers' demands does nothing to prevent a potential attack, since it does not give criminal groups any incentive to keep their word. An organization that pays the ransom may be seen as an even more desirable target, since they have shown a willingness to comply with illegal demands.

Step 2: Alert the appropriate law enforcement authorities

Extortion is a crime. If someone has attempted to extort money from your organization by threatening a DDoS attack, make sure to file a report with the authorities.

Step 3: Deploy DDoS protection

DDoS ransom threats may seem intimidating, but most DDoS protection vendors can provide more than enough protection against the threatened attacks. The largest publicly disclosed DDoS attack in history, at 2.54 terabits per second (Tbps), took place in September 2017 and was mitigated.


Stay online with assistance from Cloudflare

While ransom DDoS attacks are on the rise, DDoS protection can help keep your organization safe. Contact Cloudflare for instant protection if your organization is under attack — with a no-contract process, under-attack companies can be onboarded within hours.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Key takeaways

After reading this article you will be able to understand:

  • The recent spike in RDDoS threats

  • How RDDoS aligns with DDoS trends

  • Organizations behind the threats

  • Recommendations for what to do when you receive a RDDoS threat


Related resources


Dive deeper into this topic.

Get the Five Best Practices for Mitigating DDoS Attacks ebook to learn more about how to protect your organization from DDoS attacks.

Get the ebook

Receive a monthly recap of the most popular Internet insights!