The emergence of the DDoS-as-a-service industry has lowered the costs for attacks to $25 or less, allowing criminals with no technical expertise to reach profit margins of up to 95 percent, according to a report released last week.
And the prices of the attacks are likely to drop even further, as more insecure connected devices come online and are hijacked by criminal botnet operators, said Michael Canavan, senior vice president for Kaspersky Lab North America at Kaspersky Lab ZAO, which produced the report.
Sometimes, the criminals don't even have to launch the DDoS attack to get the ransom, as their targets simply pay up.
Plus, with a DDoS attack, there is no need to infect the target's machines. A simple email to the victim is enough to get the ball rolling.
And the extortionists aren't the only ones making money. The average asking price of a typical DDoS attack is $25 an hour, the report said, while the cost of running that attack with 1,000 rented cloud-based servers is just $7 an hour.
Using infected IoT devices for the botnet drives the prices even lower.
"The Internet of Things has the potential to have a big impact for DDoS attacks as you move into the future," Canavan said. "It really makes security of IoT a critical topic around DDoS attacks."
The low cost of the services also means that attackers can go after a wider variety of targets than they did previously, he said.
"Before, it was the large organizations," said Canavan. "This opens up the opportunity for additional motivations driving attacks going forward."
Anyone with a website or an e-commerce platform is a possible target, he said.
"CSOs need to consider all the assets they have externally facing and how they can be affected by DDoS attacks, and looking at the cost-benefit analysis of having anti-DDoS solutions," he said.
It also opens up more opportunities for attackers who are politically motivated, or who just want to do random damage, he said.
And because the services isolate the buyers from the attack itself, companies can launch attacks against their competitors.
"It opens up the door for different motivations behind the attacks," he said.
According to a recent survey of InfoSec professionals, 34 percent of companies were hit by a DDoS attack in 2016.
And 17 percent said that they received a ransom denial of service threat, said the report, released earlier this year by Radware.