More details have emerged about a cyber attack targeting New Zealand organisations that generated a warning from the security services on Wedneday.

At least four New Zealand organisations have been targeted by cyber-criminals who are demanding they each pay about $9000 or face an online assault.

The National Cyber Security Centre, a division of the Government Communications Security Bureau (GCSB), issued a rare warning about the blackmail threat on Wednesday.

It said that "several" organisations had been sent emails telling them that if they didn't pay up they would experience a "sustained denial-of-service attack" that would knock them offline.

The centre said that the blackmailers had followed up their threats with attacks that lasted up to an hour, to demonstrate their threat was credible.

Barry Brailey, chairman of the non-profit New Zealand Internet Task Force, said it was aware of four New Zealand organisations that had been threatened. They had been told that if they paid 25 bitcoins they would never hear from the blackmailers again.

A bitcoin is a hard-to-trace virtual currency which trades at about $350.

Brailey would not name the threatened organisations, none of which he said had succumbed to the demands.

Internationally, the criminals had targeted the likes of online gaming and e-commerce companies that needed to be online and "might even have gone after some banks".

Organisations in Australia and elsewhere overseas appeared to have been targeted by the same criminals last week, he said.

Brailey said the threat was not an idle one and should be taken extremely seriously.

But he urged organisations not to pay-up. If they did, more New Zealand organisations and those in their particular industry could expect to be targeted.

"If one news site paid, for example, they could all expect to be targeted. New Zealand would be seen as a soft target and they would just keep hammering."

Denial-of-service attacks usually involve criminals harnessing vast network of computers that have been infected with malware and using them to bombard a victim's website with requests for page loads, so they seize up under the weight of traffic.

In this case, the criminals did not seem to be able to harness vast amounts of traffic, Brailey said.

"It is big enough to disrupt websites but it is not so much traffic that internet providers are noticing it straight away."

The attacks might knock smaller organisations offline and might, for example, disrupt Kiwis from accessing New Zealand online banking sites if a bank was targeted and a customer was trying to access their site from overseas.

Because malware-infected computers are distributed around the world, victims could potentially keep their websites running within New Zealand by shutting them off to international visitors.

Brailey assumed some organisations, somewhere, had paid the blackmailers. "Otherwise they just wouldn't bother."