DDoS extortion campaigns against large-scale distribution players
Alessio Setaro
Digital Solutions Leader | Digital Transformation Leader | Former CISO & Mentor CISO at Leroy Merlin Italia
Demonstrative DDoS attacks followed by a ransom demand to avoid more disruptive attacks are becoming more and more frequent.
Some weeks ago I had an exchange of opinions with the CISO of a large-scale distribution company, and he told me about his experience with this kind of threat.
The first demonstration attack started with a small DDoS targeted at only one IP address, with a data flow of 100 Gbit/s. After this first attack the company received a ransom request signed by the Lazarus collective. The request was for a bitcoin payment within 7 days, to avoid a bigger and more disruptive attack.
Regarding this scenario, our first consideration was that seven days is not a short time frame in which to organize a first line of defense; for this reason it is probable that it was a fake threat, signed as Lazarus only to increase the panic effect. But if the request really came from Lazarus, their firepower is surely greater than that of a canonical DDoS attack, so a bigger DDoS attack could have been a "trojan horse" to hide more sophisticated attacks.
Starting from these considerations and going beyond this "lived experience", the open questions are:
Are we ready to manage this kind of event with mental clarity?
Are retail/large-scale distribution players ready, with their defence systems, to respond to these malicious events?
How many "victims" have decided to pay for the illusion of sleeping peacefully?
In these three articles we can find some interesting points of view.
https://www.techrepublic.com/article/ransomware-campaign-threatens-organizations-with-ddos-attacks/
https://www.welivesecurity.com/2020/08/27/ddos-extortion-campaign-targets-financial-firms-retailers/
https://portswigger.net/daily-swig/ddos-extortionists-posing-as-cyberspies-to-run-blackmail-scam