Pandemic giving ransomware ‘greater attack surface’ as tactics shift, ex-FBI agent says

The rise of remote work has made it more difficult to secure networks, while ransomware actors evolve their methods, said a former top cybercrime agent in the FBI's New York office.

A former FBI cybercrime investigator told StateScoop this week that the coronavirus pandemic’s effect of forcing entire organizations to work remotely has given ransomware actors a bigger canvas than before, while hackers’ tactics continue to mature into new threats.

The introduction of dozens, hundreds or thousands of personal devices and home Wi-Fi networks connecting into government IT infrastructure — as well as the surge in demand for digital government services — has the potential to stretch the public sector’s cybersecurity resources thinner than ever before, said Austin Berglas, a former assistant special agent in charge of cyber investigations for the FBI’s New York Field Office.

“Covid allowed all cybercriminals to have a greater attack surface,” said Berglas, who’s now the global head of professional services for BlueVoyant, a forensic investigation firm. “You’ve got everyone 100% remote. Think about all the additional machines on the network. [Bring-your-own-device], people using their own devices that aren’t centrally managed. People had to scramble really quickly, companies that had to support all the additional devices.”

Berglas’ outlook echoes what other cybersecurity experts said earlier in the pandemic. But his comments also came as BlueVoyant released a new report on the ransomware threat that state and local governments face, stating that attacks have grown more brazen and costly. While the pace of attacks BlueVoyant observed in 2019 was largely unchanged from 2018, hackers’ financial demands have grown exponentially, with the report showing some topping $1,000,000.


‘Sent by a trusted user’

Berglas said those incidents reflected a shift in ransomware attacks from a “spray-and-pray” method, in which hackers broadly distribute malicious links or attachments in hopes of getting lucky, to more targeted, “big game” hunting. In 2020, though, he said, the attack styles have shifted again to also include the theft and potential exposure of victims’ sensitive data, a practice first popularized by attackers using the Maze ransomware that struck Pensacola, Florida.

That shift, Berglas said, should force government entities to rethink how they prevent or respond to attacks.

“It changes the business decision dynamic,” he said.

The report from BlueVoyant, which works with ransomware victims and their cyber insurance carriers to investigate and remediate attacks, highlights a January incident — two months before the pandemic started in the United States — in which the Wisconsin cities of Oshkosh and Racine had several of their computer systems disabled. While both cities had secure, offline backups of their data, the immediate impacts were severe.


In Racine, the report states, the city’s websites, email, voicemail and bill-payment systems were knocked offline, while Oshkosh was “rendered supine.”

But when BlueVoyant investigated the incidents, it found that both could be traced back to phishing attempts that may have been delivered by actors manipulating legitimate government email addresses that had been swept up in earlier data breaches, and then obtained on dark-web marketplaces.

“Phishing emails are more convincing and malicious if they are sent by a trusted user,” the report reads.

In Oshkosh, BlueVoyant found 555 unique instances of local-government email addresses being included in 38 different data breach events, while in Racine, the company found 266 examples of credential compromise in 18 breaches that occurred between February 2017 and May 2020.

“Essentially, what happened is somebody opens an email that looks rather innocuous, but it’s very bad for your system, so somebody opened it and that’s what happened,” Oshkosh City Manager Mark Rohloff is quoted as saying in the report.


Later, BlueVoyant expanded its analysis of compromised email accounts to 23 Wisconsin counties that shifted from Democratic to Republican during the 2016 presidential election, and discovered 4,518 instances of a government email address implicated in 64 data breaches, including three instances in a massive 2016 breach of AdultFriendFinder, a social network for casual assignations.

Outbound traffic

Berglas, the former FBI agent, offered state and local governments many familiar recommendations, including two-factor authentication and other cyber hygiene steps. He also said non-federal government agencies should continue migrating to the .gov top-level domain, which includes features like two-factor authentication and preloading sites using the encrypted HTTPS protocol.

But he also said IT officials need to do a better job of monitoring not just the web traffic coming into their networks, but the outbound signals their systems are sending, which can offer some indication if they are being targeted or have already been compromised.

“We were able to see outbound traffic going to known bad infrastructure,” he said. “That’s not the bad infrastructure scanning. That’s indicative of a compromise. A lot of people are looking at inbound traffic, but they’re not looking at outbound traffic. We want to keep the bad stuff out, they’re already in.”
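The distinction Berglas draws, between known-bad hosts scanning a network and internal machines reaching out to them, can be written as detection logic over flow records. The following is an added example, not code from the article or from BlueVoyant's report; the flow-log format, address ranges and indicator list are constructed placeholders, and it assumes the source field of each record is the connection initiator.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholders: RFC 5737 documentation ranges stand in for a
# threat-intelligence feed; RFC 1918 ranges stand in for the agency network.
KNOWN_BAD = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed flow records: timestamp, initiator, responder, responder port, bytes sent.
SAMPLE_FLOWS = """\
2020-08-01T02:14:07Z 203.0.113.50 10.1.4.22 3389 0
2020-08-01T02:14:09Z 203.0.113.50 10.1.4.23 3389 0
2020-08-01T03:40:11Z 10.1.4.22 198.51.100.7 443 18234
2020-08-01T03:45:11Z 10.1.4.22 198.51.100.7 443 17990
2020-08-01T03:41:00Z 10.1.7.9 192.0.2.10 443 5120
2020-08-01T04:02:30Z 192.168.3.15 203.0.113.9 8080 902144
garbage line
"""

def _within(ip, nets):
    return any(ip in net for net in nets)

def classify(flows_text):
    """Split indicator matches by direction; assumes src is the connection initiator."""
    outbound, inbound = defaultdict(list), defaultdict(set)
    for line in flows_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than abort the run
        try:
            src, dst = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
            port, sent = int(parts[3]), int(parts[4])
        except ValueError:
            continue
        if _within(src, INTERNAL) and _within(dst, KNOWN_BAD):
            outbound[str(src)].append((str(dst), port, sent))  # possible compromise
        elif _within(src, KNOWN_BAD) and _within(dst, INTERNAL):
            inbound[str(src)].add(str(dst))  # scanning or probing from outside
    return dict(outbound), dict(inbound)

def triage(flows_text):
    """Internal hosts to investigate first: (host, connection count, total bytes sent)."""
    outbound, _ = classify(flows_text)
    rows = [(h, len(v), sum(x[2] for x in v)) for h, v in outbound.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for host, count, sent in triage(SAMPLE_FLOWS):
        print(f"{host}: {count} outbound connection(s) to known-bad hosts, {sent} bytes sent")
```

Inbound matches are kept separately because they describe exposure to scanning; the outbound list is the one that names internal hosts to investigate.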



Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.
