Assuming your 6 characters were alpha+numeric+symbols, then at least that's better than ING/Tangerine and their exactly-6-numbers PINs.
Another option would be to add a TXT record with the challenge-response to the DNS. Control of the DNS literally means controlling the domain.
That's a planned feature, sadly it was considered low priority for the beta launch. Hopefully it'll be implemented in the next few months though.
It's a bit unusual that the extortion was paid and the attack continued-- it doesn't perfectly match the typical model of typical DDoS-for-ransom attacks.
Did the attack continue, or did the paid-off attacker stop only to be replaced by a new attacker who also wanted to get paid?
Mr. Smith's salary has increased by 350% over the past 20 years. If his original salary was $22,000 per year, what is his current salary?
First change 350% to a decimal: 350% = 3.5
Next, multiply the original salary by the decimal number: (22000) x (3.5) = 77000
After 20 years Mr. Smith's salary has increased from $22,000 to $77,000 per year.
Didn't his salary increase by $77,000, from $22,000 to $99,000?
To simplify it, if his salary had increased by 100% would that mean he was now making $22,000 (their logic) or $44,000 (my logic)?
With W2008 and newer, there are zero activation cracks that don't get patched, so people who pirate are pretty much stuck with W2003 if they want security updates.
Not sure about 2008, but 2008 R2 can be rearmed indefinitely. Not quite as good as an activation crack since it requires rebooting to safe mode to run a script to reset the rearm count every couple months, but that's no big deal if someone really wants to avoid paying for something.
Do not meddle in the affairs of troff, for it is subtle and quick to anger.