I used to run servers for a very popular service. I'm 99% sure people DDoSed our www for lolz and also to kick the tires on DDoS as a service vendors. We would get DDoS on a pretty regular basis, for exactly 90 seconds, +/- a few nodes that had bad clock sync and were 2 seconds off; which was exactly what you get from a free trial at DDoS as a service. I feel like we got a ransom request like once; but I can't remember if it actually corresponded to an attack, if it did, I don't think it was consequential.

Thankfully, it was almost always targetted at our www servers, which were not important for our service. Very occasionally, we'd get hit on the machines that we actually ran our service on, but between the consistent DDoS on www, and our own self-inflicted DDoS from defects in the client code we wrote for our users, our service was well prepared... if the DDoS went over line rate for the server, our hosting provider would null route it [1], but otherwise, we could manage line rate of udp reflection or tcp syn floods and what have you. From what I could tell, most attackers didn't retarget to our other servers when one got null routed.

[1] They did try a DDoS scrubbing service, but having our servers behind the scrubber was way worse than just null routing. Maybe the scrubbing could have been tuned, but as it was, it was better for us to just have the attacked servers lose connectivity to the public network.