John Anthony Smith: Will Your Company Succumb To Ransomware?

Saturday, May 22, 2021 - by John Anthony Smith

(John Anthony Smith, president of the fast-growing Conversant Group on the Southside, advises on Internet security after an attack by a Russian criminal gang on a U.S. pipeline company that caused many gas stations to run dry for several days).

It is very common for threat actors to use ransomware to coerce organizational or governmental leaders into dire situations in which paying a ransom appears to be the only way to avoid extreme business loss or embarrassing exposure of sensitive data.  Ransomware is malicious code (a program, application, or script) that threat actors use to lock all data they can reach by encrypting it; the encryption keys are typically held by the attackers on command-and-control servers on the Internet, so the victim cannot recover the data without them.  Because the encryption used is strong, recovering the data without the key is not practical.  Once the data is encrypted, the attackers leave behind a ransom note in a text file, often placed on the desktop of every Microsoft Windows system that has been encrypted.


I am sure most of us have seen movies that contain kidnappings or grand theft in which ransom notes were left behind.  Many years ago, I made the trip to Maui, and as many know, Charles Lindbergh is laid to rest there.  So, I did some reading on his history, and I learned that his 20-month-old son was kidnapped on March 1, 1932.  A $50,000 ransom note was left behind on the windowsill of the child's nursery.  Unfortunately, the child did not survive the ordeal.  It is a grim reminder that criminals, and cybercriminals like them, often do not care who they harm in their wake.  In cybercrime, the actors are often financially self-motivated or nation-state sponsored.  No matter their motivation, the damage is painful to those involved.  Organizations and governments worldwide have lost millions, if not billions, and likely lives, through ransomware that disrupted care and other technologically managed resources.  Sometimes the victims of ransomware are chosen by mere chance via mass phishing campaigns; more recently, however, most of these events are targeted.  Threat actors use spear phishing, whaling, mass Internet vulnerability scans, and other methods to select their victims.


When ransomware originally became a technique used by threat actors, the ransoms were often small, and if the organization had a means of recovery, the threat actor would most likely not collect the ransom.  In time, the threat actors learned that if they first destroyed the victim's backups (its method of recovery) and then paired the encryption with a threat to exploit stolen data, they were far more likely to be paid.


Ransom demands, depending on the organization, are often in the multiples of millions.  Recently, it was reported that Colonial Pipeline paid a $5 million ransom.  In May 2020, Grumman Shire Meiselas & Sacks received an initial $21 million ransom demand; however, they did not pay.  Gary, Indiana was recently compromised with ransomware; however, as of this writing, the ransom demand has not been published.  Ireland's Health Service Executive received a $20 million demand.  It was reported just this week that CNA, one of the largest insurance companies in America, paid a $40 million ransom.


Let me be clear at this point: if you find yourself in a ransomware event, do not negotiate with the threat actors.  Do not even start communications with them.  Please hire professionals, like Conversant Group, to advise on doing this properly.  There are federal laws you could be breaking (for example, sanctions rules that prohibit payments to designated persons), and you may limit your ability to recover if you start negotiating with them first.


During a ransomware event, there are really only two reasons an organization may have no option except to pay a ransom: (1) no other ability to recover and (2) to prevent data exploitation.  Naturally, cybersecurity professionals and governmental entities advise against paying threat actors: paying ransoms emboldens the criminals and funds their next attack.  However, if your organization is in a situation of non-recovery, meaning you have no remaining backups to use for recovery, paying the ransom often becomes an act of survival.


Roughly 4.5 years ago now, we worked our first breach recovery event in which the threat actor destroyed all the organization's backups prior to "locking up" the company's data.  Since then, every attack we have worked has involved either encrypting or deleting the organization's backups.  If your company fails to protect its backups, you will find your organization with a difficult choice: (1) pay the ransom and decrypt the data or (2) skip paying the ransom and rebuild all your company's data manually.


In our industry, there is a backup strategy called 3-2-1.  This means keeping three copies of your data, on two different types of media, with one copy offsite: (1) production data, (2) a first backup copy, and (3) a second, remote backup copy.  Unfortunately, most companies entrust their survival completely to this strategy, and all three copies are often stored on storage that is reachable with domain credentials and is not immutable.  For a non-technical person, this simply means that all three copies of the data can be destroyed by ransomware, because an attacker who has compromised a domain administrator account can reach the backups with the same credentials used to reach production.  You should not solely entrust your company's fate to this backup strategy.  You must have additional, air-gapped copies of all your data.  Air gapping means keeping a copy of your backups offline or otherwise unreachable from the production network, so ransomware running inside that network cannot encrypt or delete it.  Further, the primary backup storage platforms employed should be immutable, meaning the data cannot be modified or deleted before its retention period expires, even by an administrator account, so a threat actor who gains control of the environment still cannot fully destroy it.

To add insult to injury, most companies are not even monitoring and testing their backup systems, and most simply do not have a plan for recovery.
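The two points above, that a backup inventory must include a copy ransomware cannot reach and that backups must be monitored and tested, can both be made concrete in code. The following is an added example, not code from the article or from Conversant Group. It models a backup inventory against the 3-2-1, immutability, and air-gap requirements described above, and it records a SHA-256 manifest of a backup set so that a later check detects files that were encrypted in place, renamed, or deleted. The `BackupCopy` fields, the sample backup files, and the simulated attack (including the ransom note name) are all constructed for the illustration.

```python
"""Backup inventory assessment and backup integrity verification (added example)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class BackupCopy:
    """One backup copy and the properties that decide whether ransomware can reach it.

    The field names are hypothetical; they model the properties discussed in the text.
    """
    name: str
    remote: bool              # stored off the production site
    domain_accessible: bool   # reachable with the same domain credentials as production
    immutable: bool           # retention-locked storage that cannot be deleted early
    air_gapped: bool          # offline or disconnected copy


def assess_backups(copies):
    """Check an inventory of backup copies against 3-2-1 plus immutability and air gap.

    Returns a dict of boolean findings.  A copy survives a domain compromise only if
    it is immutable or air-gapped; merely being on a different share is not enough.
    """
    return {
        # production data plus at least two backup copies makes three copies
        "three_copies": len(copies) >= 2,
        "remote_copy": any(c.remote for c in copies),
        "immutable_copy": any(c.immutable for c in copies),
        "air_gapped_copy": any(c.air_gapped for c in copies),
        # the weak pattern the text warns about: every copy reachable from the domain
        "all_copies_domain_accessible": all(c.domain_accessible for c in copies),
        "survives_domain_compromise": any(c.immutable or c.air_gapped for c in copies),
    }


def build_manifest(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree to a manifest recorded when the backup was written.

    The manifest itself must be stored separately from the backup (ideally on the
    immutable or air-gapped copy), otherwise an attacker can rewrite it too.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
        "ok": current == manifest,
    }


def simulate_attack(root: Path) -> None:
    """Constructed stand-in for ransomware: encrypt in place, encrypt and rename, drop a note."""
    contracts = root / "contracts.txt"
    contracts.write_bytes(os.urandom(len(contracts.read_bytes())))  # overwritten in place
    payroll = root / "payroll.csv"
    payroll.write_bytes(os.urandom(len(payroll.read_bytes())))
    payroll.rename(root / "payroll.csv.locked")                       # renamed after encryption
    (root / "README_TO_DECRYPT.txt").write_text("constructed ransom note\n")


def demo():
    """Write constructed sample files, record a manifest, run the simulated attack, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "payroll.csv").write_text("id,name,salary\n1,alice,100\n")   # constructed data
        (root / "contracts.txt").write_text("constructed sample contract text\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        simulate_attack(root)
        tampered = verify_manifest(root, manifest)
    # hypothetical inventory that satisfies 3-2-1 yet is fully exposed to a domain compromise
    inventory = assess_backups([
        BackupCopy("nightly job to NAS share", remote=False,
                   domain_accessible=True, immutable=False, air_gapped=False),
        BackupCopy("replica to DR site", remote=True,
                   domain_accessible=True, immutable=False, air_gapped=False),
    ])
    return clean, tampered, inventory


if __name__ == "__main__":
    clean, tampered, inventory = demo()
    print("before attack:", clean)
    print("after attack: ", tampered)
    print("inventory:    ", inventory)
```

The point of the inventory check is that an inventory can satisfy 3-2-1 and still fail the only question that matters in a ransomware event: does any copy survive an attacker who holds domain administrator credentials. The manifest check is the minimum form of backup testing; a real restore test, restoring a sample of systems from the offline copy on a schedule, is what proves the backups are usable.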


Threat actors now not only delete the backups and encrypt the data, but they also often first exfiltrate sensitive data (meaning they send copies of your sensitive data to their own servers), and, as in the Lindbergh case, they hold something precious to you hostage under threat of significant, negative outcomes.  The threat is the publication of sensitive data about your clients, employees, or intellectual property on the Internet for public consumption.  In these situations, your organization may be advised to pay the ransom even if it has a means of recovery.


We have spoken publicly regarding the need for a strong password policy (long passwords with no reuse) and MFA on all publicly exposed systems.  Here our goal is to stress the importance of protecting, monitoring, and testing your backups.  Have a plan!  In more than 75% of all assessments conducted by Conversant Group, we find significant issues with backups that are not being addressed.  There are a variety of underlying reasons, but no matter the reasons, you must protect your company's data with appropriate backups.  This point also applies if you have fully converted to cloud infrastructure: cloud storage reachable with the same credentials as production is no safer from ransomware than an on-premises share.


If the data is good enough to keep, it is good enough to back up properly! Defense and prevention are almost always less expensive than recovery.

* * *


John Anthony Smith can be reached at:



1513 Cowart Street

Chattanooga, TN 37408
