An attacker does usually have limited resources. When he runs his attack the malicious software becomes more visible and people start noticing them and shutting them down. Running the attack for shorter reduces the probability for the software to be discovered. If your Internet is slow for half an hour you may not think anything was wrong but after two hours you would have noticed that something was off and would have tried to find the source of the issue. Service providers also takes some time to notice the unusual behavior and start looking into the problem. So for an attacker it is much safer to run the attack for a shorter time and then attack again another time.

There is also other possibilities. The victim might often be able to mitigate the problem in an hour either by making costly changes to their infrastructure or by paying the attacker the ransom. For normal sized companies it takes about an hour to identify the issue, allocate funds to mitigate it and then implement the mitigation.