Arizona School District Cancels Classes Due to RansomwareLack of Internet Access Could Jeopardize School Security, Official Says
This story has been updated
Schools in Flagstaff, Arizona, were closed on Thursday after ransomware appeared on the district's network. Friday's classes were called off while the recovery effort continued.
The attack is the latest in a devastating run of ransomware infections that have disrupted school districts, businesses and cities across the U.S. The malware encrypts files with a key held by the attackers, who usually make ransom demands in the virtual currency bitcoin (see Texas Says 22 Local Government Agencies Hit by Ransomware).
The Flagstaff Unified School District discovered the ransomware infection on Wednesday morning, according to Zachary Fountain, the district's director of communications. He gave a phone interview with local broadcaster ABC 15 on Thursday.
By 3 p.m. Wednesday, the district made the decision to shut down internet access at all of its facilities to contain the infection, Fountain said. The district has 15 facilities that serve 9,600 students, according to its website.
Fountain said the district made the decision to cancel classes for two days in deference to school security. The lack of internet access means the district would not have access to the systems it needs to operate normally, hampering its ability to quickly react if something happened on its campuses, Fountain said.
"We understand that it [cancelling school] makes a huge impact to our families by making this decision," Fountain says. "We don't take it lightly, but we thought this was the best course forward.
"Progress was made today in securing critical FUSD systems, but unfortunately, work will need to continue through the weekend to ensure that students can return to school on Monday."
On Monday, the district's website posted a message that classes would resume today.
Fountain said he couldn't answer a question about what systems the ransomware disrupted but that an investigation was underway by third-party cybersecurity experts. It doesn't appear personally identifiable information was compromised, Fountain said, although an investigation is continuing.
The district tweeted about its decision to close school. In response, Sandy Davis - an associate professor of English education at Northern Arizona University - writes: "The electronic door locks (accessible with teacher ID cards) are part of the system that has been compromised, which makes safety a huge issue."
The electronic door locks (accessible with teacher ID cards) are part of the system that has been compromised, which makes safety a huge issue.— Sandy Davis (@alittlesandy) September 5, 2019
Schools across the U.S. have been upgrading their security because of shooting incidents. In 2012, Flagstaff's district issued $20 million in bonds to fund infrastructure improvements. A document shows that those upgrades include surveillance cameras, interior door locks and outside door access controls.
The document doesn't describe whether those systems are internet-connnected, but Fountain's comments point to that potential problem: If the network is down, the doors and security cameras may not function, a drawback of the increased reliance on network-connected devices.
Ransomware has proven to one of the most menacing cybersecurity threats for cities, schools and hospitals. While awareness around ransomware is arguably at an all-time level, the ease with which the attacks can be launched and low chances of being caught has made it an extremely profitable criminal enterprise.
The primary advice for organizations is to be ready before an infection by ensuring backups are up-to-date and are segregated from the network. That enables a quick recovery, but also requires a substantial investment. Long procurement cycles and tight budgeting by cities and schools means those costs may be pushed down the line.
But school districts are capable defending themselves, writes David Kruse, a technology risk consultant and cyber risk practice leader with Hausmann-Johnson Insurance in Madison, Wisconsin.
"By implementing proactive security processes that include employee awareness training and a documented and repeatable set of security controls, districts can prevent many of the most common types of attacks including ransomware," Kruse writes.
Although the FBI has recommended that victims do not pay ransoms, it's often the easiest way to recover from an attack. Although morally vexing, paying ransoms has become an accepted practice when weighing the recovery cost and network down time (see: Please Don't Pay Ransoms, FBI Urges). The FBI has also published a ransomware guide for CISOs.
A series of stories by independent investigative website ProPublica show some forensics firms that purport to be able to unlock encrypted data actually negotiate with ransomware attackers. And ProPublica's latest story says that paying a ransom is sometimes the preferred resolution for insurers, as that fee is cheaper than paying the recovery costs. (See: Do Ransomware Attackers Single Out Cyber Insurance Holders?)
Lake City, Florida, which was hit by ransomware in June, approved paying a ransom through its insurer, Beazley, ProPublica reports. The city paid a $10,000 deductible, while Beazley paid the balance of the $460,000 ransom. Lake City officials tell ProPublica that Beazley recommended paying the ransom, as recovering from the attack would have exceeded the city's $1 million coverage limit.