I think their biggest mistake was to pay the ransom to someone who was abusing your servers by DDoSing them. I'm sure there would be cyber crime agencies that could have helped them track them down. Also, a lot of ddos protection services available online who could have helped them mitigate the attack.
how did they know that they are paying the right group who attacked them and how did they know that the BTC address is for the attackers
Maybe the address was given to them by the attackers. In the file locking attack, the victim will be given a bitcoin address straight away.