John Anthony Smith: Will Your Company Succumb To Ransomware?

Saturday, May 22, 2021 - by John Anthony Smith

(John Anthony Smith, president of the fast-growing Conversant Group on the Southside, advises on Internet security after an attack by a Russian criminal gang on a U.S. pipeline company that caused many gas stations to run dry for several days).

It is very common for threat actors to leverage ransomware to coerce organizational or governmental leaders into dire situations that require the payment of a ransom to avoid extreme business loss or embarrassing exposure of sensitive data.  Ransomware is malicious code (a program/application/script) used by threat actors to lock all accessible data by using encryption keys, often managed by malicious key management servers on the Internet.  Once the data is encrypted, using complex algorithms that are often very difficult to crack, the attackers leave behind a ransom note in a text file, often placed on the desktop of all Microsoft Windows systems that have been encrypted. 


I am sure most of us have seen movies that contain kidnappings or grand theft in which ransom notes were left behind.  Many years ago, I made the trip to Maui, and as many know, Charles Lindbergh is laid to rest there.  So, I did some reading on his history, and I learned that his 20-month-old son was kidnapped on March 1, 1932.  A $50,000 ransom note was left behind on the windowsill of the child’s nursery.  Unfortunately, the child did not survive the ordeal.  It is a grim reminder that criminals, and cybercriminals like them, often do not care who they harm in their wake.  In terms of cybercrime, they are often self-motivated or nation-state sponsored.  No matter their motivation, their damage is often painful to those involved.  Organizations and governments worldwide have sacrificed millions, if not billions, and likely lives, due to poor care and loss of other technologically managed resources through ransomware.  Sometimes, the victims of ransomware are chosen by mere chance via mass phishing campaigns; however, in recent history, more of these events are targeted.  Threat actors use spear phishing, whaling, mass Internet vulnerability scans, and other methods to select their victims.


When ransomware originally became a technique used by threat actors, the ransoms were often small, and if the organization had a means of recovery, the threat actor would most likely not collect the ransom.  In time, the threat actors learned that if they added backup destruction (removing the victim's means of recovery) and data exploitation to their ransom demands, they were more likely to get paid.


Ransom demands are often, depending on the organization, in the multiples of millions.  Recently, it was reported that Colonial Pipeline paid a $5 million ransom.  In May 2020, Grubman Shire Meiselas & Sacks received an initial $21 million ransom demand; however, they did not pay. Gary, Indiana was recently compromised with ransomware; however, the ransom demand has not, as of this writing, been published. Ireland’s Health Service Executive received a $20 million demand. It was reported just this week that CNA, one of the largest insurance companies in America, paid $40 million in ransom.


Let me be clear at this point; if you find yourself in a ransomware event, do not negotiate with the threat actors.  Do not even start communications with them.  Please hire professionals, like Conversant Group, to advise on doing this properly.  There are federal laws you could be breaking, and you may limit your ability to recover if you start negotiating with them first.


During a ransomware event, there are really two reasons an organization may have no option except to pay a ransom: (1) No ability to recover otherwise and (2) Prevent data exploitation.  Naturally, cybersecurity professionals and governmental entities advise to not pay threat actors.  Paying ransoms emboldens the criminals, and it enables them financially to enact more terror.  Thus, the professionals advise to not pay ransoms.  However, if your organization is in a situation of non-recovery, meaning you have no remaining backups to use for recovery, paying the ransom often becomes an act of survival.


Roughly 4.5 years ago now, we worked our first breach recovery event that involved the threat actor destroying all the organization’s backups prior to “locking up” the company’s data.  Since then, every attack we have worked has involved either encrypting or deleting the organization’s backups.  If your company fails to protect its backups, you will find your organization with a difficult choice: (1) Pay the ransom and decrypt the data or (2) Skip paying the ransom and rebuild all your company’s data manually.


In our industry, there is a backup strategy called 3-2-1.  This means that the industry standard is always to keep three copies of your data: (1) production data, (2) first backup copy, and (3) second, remote backup copy.  Unfortunately, most companies entrust their survival completely to this strategy, and all three copies are often stored on domain-accessible, non-immutable storage.  For a non-technical person, this simply means that all three copies of the data can be destroyed by ransomware, because anyone who controls the domain can reach and overwrite or delete them.  You should not solely entrust your company’s fate to this backup strategy.  You must have additional, air-gapped copies of all your data.  Air gapping means that you have a copy of your backups in a form that cannot be reached, and therefore cannot be destroyed, by ransomware running on your network.  Further, the primary storage platforms employed should be immutable, meaning the data cannot be fully deleted or destroyed by a threat actor.

To add insult to injury, most companies are not even monitoring and testing their backup systems, and most simply do not have a plan for recovery.
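The column asks for three protected copies and for backups that are actually monitored and tested. The script below is an added example, not code from the column or from Conversant Group: it verifies each backup copy against a SHA-256 manifest taken while the data was known good (the assumption being that the manifest lives on a separate, read-only system so a compromised host cannot rewrite it alongside the backups), reports copies that were deleted, altered, or had unexpected files dropped into them, and checks whether at least three copies still pass. The directory names, file contents and the simulated encryption are all constructed for the demonstration.

```python
"""Backup integrity and coverage check (added example; assumptions noted inline).

Assumed layout: each backup copy is a directory tree, and a manifest of expected
SHA-256 digests is stored separately on read-only media, so a ransomware actor
who reaches the copies cannot also rewrite the digests they are checked against.
"""
import hashlib
import os
import shutil
import tempfile
import time

REQUIRED_INTACT_COPIES = 3  # the column's 3-2-1 target: three verified copies


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backup files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(copy_dir):
    """Record the expected digest of every file in a known-good copy."""
    manifest = {}
    for root, _dirs, files in os.walk(copy_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, copy_dir)] = sha256_of(full)
    return manifest


def check_copy(copy_dir, manifest, max_age_seconds):
    """Verify one copy against the manifest; an empty list means the copy is intact."""
    if not os.path.isdir(copy_dir):
        return ["copy missing"]
    problems = []
    newest = 0.0
    for rel, expected in manifest.items():
        full = os.path.join(copy_dir, rel)
        if not os.path.exists(full):
            problems.append(f"{rel}: deleted")
            continue
        newest = max(newest, os.path.getmtime(full))
        if sha256_of(full) != expected:
            problems.append(f"{rel}: content changed (possible encryption or tampering)")
    # Files the manifest never recorded, such as a ransom note left in the tree.
    for root, _dirs, files in os.walk(copy_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), copy_dir)
            if rel not in manifest:
                problems.append(f"{rel}: unexpected file")
    if newest and time.time() - newest > max_age_seconds:
        problems.append("copy is stale")  # backups that stopped running are not backups
    return problems


def verify_backups(copies, manifest, max_age_seconds=48 * 3600):
    """Check every copy and decide whether enough of them survive to meet the target."""
    report = {name: check_copy(path, manifest, max_age_seconds) for name, path in copies.items()}
    intact = [name for name, probs in report.items() if not probs]
    return {
        "intact": intact,
        "problems": {name: probs for name, probs in report.items() if probs},
        "meets_target": len(intact) >= REQUIRED_INTACT_COPIES,
    }


def demo():
    """Constructed scenario: three copies verified, then one encrypted and one deleted."""
    base = tempfile.mkdtemp()
    copies = {}
    for name in ("production", "local_backup", "offsite_backup"):
        d = os.path.join(base, name)
        os.makedirs(os.path.join(d, "db"))
        with open(os.path.join(d, "db", "customers.csv"), "w") as f:
            f.write("id,name\n1,alice\n")  # constructed sample data
        copies[name] = d
    manifest = build_manifest(copies["production"])  # taken while known-good
    before = verify_backups(copies, manifest)
    # Simulate the attack the column describes: overwrite the local copy and drop a note.
    with open(os.path.join(copies["local_backup"], "db", "customers.csv"), "wb") as f:
        f.write(os.urandom(32))
    with open(os.path.join(copies["local_backup"], "README_RESTORE.txt"), "w") as f:
        f.write("constructed sample note\n")
    shutil.rmtree(copies["offsite_backup"])  # simulate deletion of the remote copy
    after = verify_backups(copies, manifest)
    shutil.rmtree(base)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, "meets target:", result["meets_target"], "problems:", result["problems"])
```

Run on a schedule, a check like this turns "we have backups" into a measured fact: the day a copy goes missing or its content no longer matches the manifest is the day to investigate, not the day a ransom note appears.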


Threat actors now not only delete the backups and encrypt the data, but they also often first exfiltrate sensitive data (meaning they send copies of your sensitive data to their servers), and, like with Lindbergh, they hold something precious to you hostage under threat of significant, negative outcomes.  The threat is the dumping of sensitive data about your clients, employees, or intellectual property onto the Internet for public consumption.  During these situations, your organization may be advised to pay the ransom even if your organization has a means of recovery.


We have spoken publicly regarding the need for strong password policy (long passwords with no reuse) and MFA on all publicly exposed systems. Here our goal is to stress the importance of protecting, monitoring, and testing your backups. Have a plan!  In more than 75% of all assessments conducted by Conversant Group, we find significant issues with backups that are not being addressed.  There are a variety of underlying reasons, but no matter the reasons, you must protect your company’s data with appropriate backups.  This point also applies if you have fully converted to cloud infrastructure.


If the data is good enough to keep, it is good enough to back up properly! Defense and prevention are almost always less expensive than recovery.

* * *

John Anthony Smith can be reached at:

1513 Cowart Street
Chattanooga, TN 37408