Money is in most cases the greatest motivation to do something bad, in this case to attack Electrum servers. But such an attack can only cause problems with sync, or rather prevent users from sending / receiving transactions. The fact that Electrum users are still losing funds is not because of the DDoS attack; they are using versions of Electrum which are exposed to the phishing message. Users from GitHub used the version 3.2.2 & 3.2.2.
This list of attacking IPs should help, but each server owner must use it, and I see it can be set to update with new bad IPs every few minutes. This will make attacks less effective and ultimately result in the attacks stopping.
I assume they are attacking Electrum's servers so their malicious ones can be the only ones working. The user will try servers, or close and reopen Electrum, until one synchronizes (the bad one), which will give him the fake “please update” message. Obviously this only works in old versions, but the servers are the same, so we all can feel the attack.
This just increases the chances of an uninformed user getting phished.