How to respond to a DDoS attack

If someone attacks your website with a distributed denial-of-service (DDoS) attack, demanding money to make it stop, what's the best possible response? I suspect the best idea is to do absolutely nothing, or to reinforce and update your infrastructure. My reasoning is that the criminal has a particular business model and a limited set of resources at their disposal, large though those resources may be. Their plan is to bring down your website, get you to pay up, then move on to another target. If you make no response at all, what can they do? Your website is already offline. Their worst possible response is to keep it offline for longer, but that means they're devoting more of their resources for a longer time to a target that won't pay out. It becomes worthless to them. Before too long, it becomes far more worthwhile for them to devote those resources elsewhere, since they stand to actually profit from a different target.

As with spam, if everyone, worldwide, stopped responding to any of it, it would all completely dry up overnight, except for a few weirdos who get off on the power and don't care about the money.

PS - But, like spam, if it wasn't paying off, it wouldn't exist.
PPS - Crime doesn't pay, but it does scale well.

