Scott Heiferman and Gary Burns had less than four minutes to decide whether to pay up or go down.
One Thursday morning, an email popped into their inbox informing Mr. Heiferman, one of the founders, and Mr. Burns, the chief technology officer of Meetup, a New York Internet company that connects groups offline, that their site would go down unless they paid $300 worth of Bitcoins.
Four minutes later, 40 times the company’s typical data flow crashed Meetup’s site, beginning a disruption that wouldn’t be resolved until the next Monday.
Meetup is one of several small web start-ups that have been hit recently by a wave of so-called distributed denial-of-service, or DDoS, attacks, in which attackers knock a victim offline using a flood of traffic and refuse to stop until their victims pay their ransom in Bitcoins. The amounts demanded are typically low — which seems like a lot of work for little payoff — but those who have been targeted say they think the nominal amounts are bait and could lead to future extortion and demands. If their company is willing to pay $300, for example, they might also be willing to pay $3,000 or $30,000 down the road.
Other start-ups that have been hit are Vimeo, the video-sharing company; Basecamp, a project management software company; Bit.ly, the link-shortening service; Shutterstock, the stock photography agency; and MailChimp, the email marketing provider.
The F.B.I. is looking into the attacks, according to two people close to the inquiry who would speak only on condition of anonymity because they were not authorized to speak publicly about a continuing investigation. They said the agency was operating under the assumption that the attacks were the work of the same culprit, or group of culprits. Jennifer Shearer, a spokeswoman for the F.B.I., declined to comment.
DDoS attacks in general are on the rise, according to Arbor Networks, a security firm in Burlington, Mass., following a “hockey stick” growth trajectory, meaning flat growth followed by an extreme increase, resembling the shape of a hockey stick. Last year, the frequency of such attacks jumped eightfold from the previous year, and the size of the attacks eclipsed previous peaks by over 200 percent, according to a report by the firm.
The result has been a boom in business for companies that specialize in protecting against DDoS attacks. These include Cloudflare, a four-year-old company based in San Francisco that spreads its clientele’s traffic across its many data centers and so can quickly recognize and filter out a DDoS attack before it hits a company’s network. It offers basic services free but charges for additional security, like reducing the severity of DDoS attacks. Most customers pay $20 a month, but large businesses can pay as much as $2,000 a month.
Other companies offering services like this include Akamai, based in Cambridge, Mass., which bought Prolexic, a DDoS mitigation service based in Hollywood, for $370 million in December, and Arbor Networks.
Executives at these companies admit that the wave of attacks has worked to their favor. For example, Matthew Prince, Cloudflare’s chief executive, said his company had increased revenue 450 percent last year, partly because of awareness of DDoS attacks.
Small tech start-ups have become a particular target of these attacks because they “have things of value that a DDoS attack can hurt,” said Andy Ellis, chief security officer at Akamai. “It’s the modern equivalent of someone walking into a shop and saying ‘That’s a nice business you’ve got here — shame if anything happened to it.’”
Victims essentially have two choices: Pay the ransom and pray the attackers don’t come back for more, or pay for a DDoS mitigation service. Companies also can sign up for website hosting services with giants like Amazon and Google that can accommodate larger flows of attack traffic.
Mr. Ellis of Akamai said it often did not make sense for companies to spend the money to build out a data infrastructure just to accommodate one large attack when they dealt with only a fraction of that traffic on a daily basis.
“It’s not a wise trade-off,” Mr. Ellis said. “But it’s economics I like as a vendor in this space. I’ll be very honest about it.”
Security experts say a surprising percentage of victims pay the ransom to make the problem go away. Meetup’s executives said they decided early on that paying was not an option.
“There’s the moral hazard of engaging,” Brendan McGovern, Meetup’s chief financial officer, said. “Because if you were to pay, you can’t take them at their word that they will halt, or worse, you’ll get your name on a list in the criminal hacker world saying that you are a company that’s willing to pay.”
Ultimately, Meetup signed up with Cloudflare and was able to ward off the attacks without paying a ransom. But it clearly took a toll. Mr. McGovern compared the attacks at Meetup to a scene in “The Walking Dead.”
“Imagine you run a coffee shop,” he told employees. “And zombies start coming in — millions of zombies — and you can’t sell coffee.”
Even after the attack was mitigated, the attacker continued to send increasingly whiny emails.
Other than that, the only remnant of the attack was a sticker on Mr. Heiferman’s laptop featuring Dr. Evil, the villain from Austin Powers, and $300 in big bubble letters. Another employee had made it and given it to him to lighten the mood.