Ransomware & Ransom DoS, Why They Are Similar But Different

Since 2020, ransomware and ransom denial-of-service (RDoS) have become ubiquitous, with ransomware attacks grabbing headlines nearly every week. While ransomware and ransom DoS have a common objective and some of their tactics overlap, their techniques and success rates are quite different, and so are the threat and potential impact for organizations. Over time, as both threats evolved, they have been cross-leveraging each other's reputation and techniques.


Ransomware attacks leverage a crypto-locking malware that destroys systems and makes data inaccessible. Crypto-locking malware needs to be deployed on servers inside the organization. Attackers need to breach the network or a device inside the network and then move laterally across the organization to impact as many systems and lock as much data as possible. Initial access is typically provided by Initial Access Brokers, the middlemen who use their own methods to breach and gain a foothold in networks and then sell that access to other threat actors, mostly ransomware gangs or their affiliates. 

Ransomware attacks render systems inoperable and data inaccessible. In many cases, sensitive data is extracted with a potential risk of data leaks.  

Ransom DoS 

RDoS attackers leverage denial-of-service attacks to extort their victims. By disrupting online services, they can impact the business, productivity and reputation of an organization. Attackers target online resources such as websites, domain name services, web APIs, gaming lobbies, etc. to render online services inoperable and impact an organization’s reputation. They can also impact the productivity of organizations by targeting voice, email and remote access in branch offices or from remote workers. Other targets include internet connectivity required to access cloud applications, production plants that depend on connectivity for remote operations and the cloud for logistic data exchange with resource planning applications and external organizations. 

It is important to note that, unlike ransomware attacks, RDoS and DDoS attacks in general do not breach networks or systems. No data is stolen or compromised during the attacks.

An RDoS attack starts with the attacker sending a private message, for example by email using a privacy-minded email provider, asking for payment of a certain ransom amount to prevent the organization from becoming the target of their next attack. If the organization decides not to pay within a set deadline, the attackers will start a DDoS attack and continue until the ransom is paid. Typically, the ransom demand increases every day the victim refuses to pay.

In reality, DDoS attacks tend to disappear as soon as the actor finds their attempts being successfully mitigated. They last for several hours, change vectors in an attempt to evade detection and mitigation systems, and might flare up again several days after failed attempts, but ultimately the extortionists are forced to walk away empty-handed.

| (stats for 2021, all currency in USD) | Ransomware | Ransom DoS |
|---|---|---|
| Objective | Financial gain | Financial gain |
| Tactic | Extortion | Extortion |
| Primary technique | Crypto locking | DDoS |
| Impact | Permanent (until recovered) | Transient (while attack lasts) |
| Ransom currency | Bitcoin | Bitcoin |
| Average ransom demand | $5.3 million average [1] | $5,000 up to $1 million [2] |
| Average ransom payment | $570,000 | ~ $0.0 |
| Largest payout | $40 million [3] | $6,000 in 2015 [7] |
| Success rate | 70% [4] | Very low |
| Estimated damage cost | $1.85 million average [5] | $9 to $12 million [6] |
| Defense | Defense-in-depth, segmentation to limit impact, but no silver bullet | Adequate DDoS protection service |

Ransomware Triple Extortion

Techniques leveraged by ransomware operators have evolved and diversified to increase their chances of reaching their objective. As victims became better prepared and had backups readily available to restore and recover from crypto-locking malware, ransomware operators started exfiltrating sensitive data that would give them more leverage over the victim. If the victim still was not impressed, operators started threatening DDoS attacks to pressure their victims into coming back to the negotiation table.

Ransom DoS actors posing as Ransomware gangs 

The success, impact and drama surrounding highly visible ransomware gangs have not escaped the attention of other criminals. In one of the recent RDoS campaigns targeting VoIP providers in the UK and Canada, actors posed as ‘REvil,’ an infamous ransomware gang responsible for the devastating attacks on JBS SA and Kaseya Ltd. Similar to ransomware operators announcing new victims on underground blogs, the RDoS actors posing as ‘REvil’ shared their ransom letter through Pastebin and extorted one of their victims, Voip.ms, in public on Twitter, aiming to increase the pressure on the victim.

Figure 1: Actor posing as ‘REvil’ publicly exposing their threats on Twitter 

Figure 2: screen capture of ransom letter shared publicly on Pastebin by RDoS actor posing as ‘REvil’ 

Defending against Ransomware and Ransom DoS 

Speaking from personal experience, I have yet to see a DDoS attack that blasts through our defenses. That said, there is always a small window of time where bad traffic can potentially leak while detection algorithms are crafting automated signatures to block bad traffic and tune the signatures to avoid false positives that would block legitimate traffic. But in general, there is, in my experience, no reason to pay the ransom when protected by an adequate DDoS service.  

Ransomware, on the other hand, is a very hard threat to defend against and eliminate. Ransomware operators have been organizing their underground ecosystems and have gathered a large following of skilled hackers-for-hire and affiliates who are happy to share the profits from large extortion campaigns. The incentive has become too big, and the demand for hacking skills and resources on the underground has been growing ever since ransomware operators have had successful campaigns. With highly motivated threat actors looking for payments from organized cybercrime groups, attacks have shifted from automated to human-operated attacks. It is one thing to defend against automation, but far more difficult to defend against human intelligence and perseverance driven by multi-million-dollar payouts.

Footnotes and References 

  1. Extortion Payments Hit New Records as Ransomware Crisis Intensifies (paloaltonetworks.com)
  2. Ransom demands fluctuate; campaigns in 2020 were found to ask as much as 20 BTC, while more recent campaigns by an actor posing as ‘The Cursed Patriarch’ settled for as little as 0.06 BTC
  3. 81 Ransomware Statistics, Data, Trends and Facts for 2021 | Varonis
  4. Study: 70 Percent of Businesses Hit with Ransomware Paid the Ransom | Healthcare Innovation (hcinnovationgroup.com)
  5. The True Cost of Ransomware (backblaze.com)
  6. Bandwidth.com expects to lose up to $12M following DDoS extortion attempt – The Record by Recorded Future
  7. Update regarding the DDoS attack – ProtonMail Blog

Pascal Geenens

As the Director, Threat Intelligence for Radware, Pascal helps execute the company's thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team, Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, did extensive research on Hajime, and closely follows new developments of threats in the IoT space and the applications of AI in cyber security and hacking. Prior to Radware, Pascal was a consulting engineer for Juniper working with the largest EMEA cloud and service providers on their SDN/NFV and data center automation strategies. As an independent consultant, Pascal became skilled in several programming languages and designed industrial sensor networks, automated and developed PLC systems, and led security infrastructure and software auditing projects. At the start of his career, he was a support engineer for IBM's Parallel System Support Program on AIX and a regular teacher and presenter at global IBM conferences on the topics of AIX kernel development and Perl scripting.
