Businesses Pay $100,000 To DDoS Extortionists Who Never DDoS Anyone

Dan Goodin, reporting for Ars Technica: In less than two months, online businesses have paid more than $100,000 to scammers who set up a fake distributed denial-of-service (DDoS) gang that has yet to launch a single attack. The charlatans sent businesses around the globe extortion e-mails threatening debilitating DDoS attacks unless the recipients paid as much as $23,000 by Bitcoin in protection money, according to a blog post published Monday by CloudFlare, a service that helps protect businesses from such attacks. Stealing the name of an established gang that was well known for waging such extortion rackets, the scammers called themselves the Armada Collective.An excerpt from CloudFlare blog post:Given that the attackers can't tell who has paid the extortion fee and who has not, it is perhaps not surprising to learn that they appear to treat all victims the same: attacking none of them. To date, we've not seen a single attack launched against a threatened organization. This is in spite of nearly all of the threatened organizations we're aware of not paying the extortion fee. We've compared notes with fellow DDoS mitigation vendors and none of them have seen any attacks launched since March against organizations that have received Armada Collective threats.

Identify Poor Management

[ranton]

The least they could do is send out a list of all companies who paid extortion fees so people could identify inept management who should be replaced.

I can't understand how companies can be so stupid

[Sycraft-fu]

What the hell can you possibly hope to gain by paying off DDoSers? If you do pay them, they have literally no incentive not to just keep extorting you, and then others can do the same. Ya getting DDoS'd sucks but the good news is any sizable DDoS costs them money too, they have to rent out a botnet so they can't sustain it for very long.

This is much different than paying "protection money" to a criminal organization in the physical world. While, yes, it is still extortion at least there you have a benefit you get: They will legitimately protect you from other criminals. Organized crime is not interested in others muscling in on their business so they do actually work to protect businesses that buy them off. It is a heavy handed situation, as if you don't pay they will go after you themselves, but you can see why it would make some sense for a business to buy in. If the police are unwilling or unable to protect them, this can.

With DDoS gangs on the Internet, there's nothing of the sort. They are just saying "Pay us and we won't bother you," but they can go back on that, or double dip. They can easily pretend to be someone else and demand you pay up, and others can also demand you pay up. I think the more you pay the more likely you are to have a reputation of an easy mark who can be extorted at will.

Opportunity cost wins

[TheCarp]

See, they COULD setup DDOS infrastructure, they could spend time herding bots, and refreshing their botnet, but, every bit of effort they spend is cost. Cost that is being spent on something other than finding people who will pay.

It is like going to trial, a lot more companies will threaten legal action than will go through with it. Its cheap to threaten, its expensive to follow through, especially if it doesn't work out and becomes 100% cost.

In short, contacting someone takes effort, following through with a threat takes more on top. The follow through is, quite literally, throwing good money after bad, and has a much lower ROI than the initial contact.

All they have done is cut out the unprofitable part of their business.