Ransom DDoS attack - need help!

Just an update for those following. We have custom in-house software that
watches the traffic flows from our edge routers and automatically
blackholes any IP getting targeted. The blackhole gets sent upstream which
is what we did to maintain the network for our customers during the first
attack. We did not suffer any network outage because of the attacks other
than our public-facing website which honestly is not critical. Since we
submitted this thread originally we have gotten two responses from "Armada
Collective". One basically a reminder telling us we had 24 hours left to
pay. The next came tonight as they were supposed to be hitting us. The
second response said they were supposed to be hitting us but decided to
give us two more days to get the cash into bitcoin. As of right now we have
not replied to them and have no plans to do so. We never had plans to
respond or pay them, although telling them what's on my mind sounds
appealing. We have contacted the FBI and are working with them providing
info. As for protecting our network from future attacks we put all
public-facing web sites behind Cloudflare and changed the IPs from what they were.
We left the old IPs nulled at our edge and with our providers. We plan to
null any IP they decide to hit and wait it out. As of right now all
they have done is take our website offline briefly so not much of a
problem as it has not caused our customers issues. Thanks for all the help
and info that has been provided and we plan to update this thread as things
unfold. I know there are others that have had similar demands (several have
reached out off list.) so hopefully the info is useful.
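
The flow-watching and automatic blackholing described in the message above, as an added sketch; this is not the poster's in-house software. The prefixes, threshold, window, protected list, route cap and flow tuple layout are all assumptions, and the sample flows are constructed; 65535:666 is the RFC 7999 BLACKHOLE community.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Everything below is assumed for illustration; none of it comes from the thread.
OUR_PREFIXES = [ip_network("198.51.100.0/24")]  # documentation range
PROTECTED = {ip_address("198.51.100.53")}       # never auto-blackholed (e.g. DNS)
THRESHOLD_BPS = 1_000_000_000                   # per-destination trigger
WINDOW_SECONDS = 10                             # one flow-export window
MAX_ROUTES = 16                                 # cap on automatic announcements
BLACKHOLE_COMMUNITY = "65535:666"               # RFC 7999 BLACKHOLE community

# Constructed sample: (src, dst, bytes) for one window, sampling already scaled.
SAMPLE_FLOWS = [
    ("203.0.113.7", "198.51.100.10", 900_000_000),
    ("203.0.113.8", "198.51.100.10", 800_000_000),
    ("203.0.113.9", "198.51.100.20", 50_000_000),
    ("198.51.100.20", "203.0.113.50", 5_000_000_000),  # outbound, ignored
    ("203.0.113.7", "198.51.100.53", 2_000_000_000),   # protected target
]

def targeted_destinations(flows, window=WINDOW_SECONDS, threshold=THRESHOLD_BPS):
    """Return {dst: bits_per_second} for our addresses at or above threshold."""
    totals = defaultdict(int)
    for _src, dst, nbytes in flows:
        addr = ip_address(dst)
        if any(addr in net for net in OUR_PREFIXES):
            totals[addr] += nbytes
    rates = {str(a): b * 8 // window for a, b in totals.items()}
    return {a: r for a, r in rates.items() if r >= threshold}

def blackhole_routes(targets):
    """Build host routes to announce upstream, worst-hit first, capped."""
    routes = []
    for dst, _rate in sorted(targets.items(), key=lambda kv: -kv[1]):
        addr = ip_address(dst)
        if addr in PROTECTED:
            continue  # needs a human decision: nulling it finishes the attack
        routes.append({"prefix": f"{addr}/{addr.max_prefixlen}",
                       "community": BLACKHOLE_COMMUNITY})
    return routes[:MAX_ROUTES]

if __name__ == "__main__":
    hits = targeted_destinations(SAMPLE_FLOWS)
    for route in blackhole_routes(hits):
        print(route)
```
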

Suggest you take a look at the presos I posted earlier and look into S/RTBH, flowspec, some limited QoS, and some preemptive ACLs so that you aren't forced into completing the DDoS.

FWIW the exact same thing (identical initial ransom email) happened to us
two weeks ago. The "2 day" message was received on December 3rd. The
group claiming responsibility has yet to follow through.

The messages came from various bitmessage.ch addresses.