DDoS with ransom demand (tabletop)

  • Target audience: SOC, Network Ops, SIRT, Comms

  • Duration: 90 minutes

  • Complexity: Medium

  • Format: Fast-paced tabletop with public pressure

Scenario briefing

Friday, 16:45 GMT

Your public-facing website and APIs begin experiencing severe performance degradation. The SOC identifies a large-scale DDoS attack: 50+ Gbps of traffic from a botnet. Within 10 minutes, services are completely unavailable.

An email arrives at security@: “Pay 5 BTC in 2 hours or attack continues for 72 hours. Check your reputation.” The attack group provides a Bitcoin address.

Customer support is flooded with complaints. Social media shows angry customers. The weekend starts in 15 minutes.

Key challenges

  • Immediate availability restoration

  • Fast decision on the ransom (pay or don’t pay?)

  • Weekend staffing limitations

  • Public communication under pressure

  • Balance mitigation cost vs. ransom cost

  • Customer trust management

Decision rounds (15 minutes each)

Round 1: Immediate response

  • How do we restore service quickly?

  • Do we have DDoS mitigation in place?

  • Who do we escalate to?

  • What do we tell customers right now?

Round 2: Mitigation vs. payment

  • Technical mitigation options and costs?

  • Ransom payment considerations?

  • What’s our policy on paying extortion?

  • Who has authority to decide?

  • What’s the business impact of a 72-hour outage?

Round 3: Sustained response

  • Attack continues despite initial mitigation

  • 30 minutes until ransom deadline

  • Customer anger escalating on social media

  • Competitor mentions your outage in their marketing

  • Do we change our decision?

Round 4: Communication crisis

  • Local news outlet calls for comment

  • Industry forum discussing your vulnerability

  • Internal team wants to “name and shame” attackers

  • Legal warns about communication risks

  • What’s our statement?

Round 5: Recovery and aftermath

  • Attack stops (facilitator choice: paid ransom or technical mitigation succeeded)

  • Services restored but reputation damaged

  • Executive team wants explanation

  • Board wants assurance this won’t happen again

  • What changes immediately?

Facilitator injects

  • “Cloud provider offers enhanced DDoS protection at €50k/month”

  • “Threat intelligence shows this group always follows through on threats”

  • “CFO asks: isn’t it cheaper to just pay the €30k ransom than lose €500k in revenue?”

  • “Competitor tweets: ‘Unlike some companies, our infrastructure is DDoS-proof’”

  • “Customer threatens legal action for breach of service agreement”

Complexity factors

Add these for advanced teams:

  • Simultaneous internal security alert (distraction)

  • Key technical person unreachable (vacation)

  • Regulatory body asks for incident update

  • Payment processing complications (Bitcoin expertise)
