The Sinagua Middle School parking lot remained steady with traffic Friday morning as nearly 500 Flagstaff Unified School District employees, laptop bags slung over their shoulders, streamed in and out of the school to turn in their devices for cleaning – cyber cleaning.

Just 48 hours after a ransomware attack prompted district officials to cut all its internet-based systems and cancel two days of classes, the district jump-started its digital restoration efforts as it continued to investigate the malware’s origin and damages.

When Friday’s closure was announced, FUSD certified staff were instructed to bring their Windows devices – those impacted by the ransomware – to the middle school for security scans and updating so systems can be brought back online in time for classes Monday morning.

Coconino High School teacher Jeremiah Smith said he brought along his iPad, too, just in case.

If all goes well, the devices will be dropped off at their users’ schools Monday morning.

“If we don’t do this, we’re at risk of reinfestation because there could be a contaminated machine that, when they turn the system back on, could cause us to lose all the work that we’ve done in the last couple of days,” Superintendent Mike Penca said.

By Friday morning, he said the district had made significant progress in rebuilding the servers and bringing systems back.


Mirroring the annual student check-in process, staff filled out papers listing their name, ID number and contact information before proceeding to tables grouped by letter of last name, where the devices would be catalogued and then wheeled off, piled high on black tech carts, to the headquarters of the restoration operation.

Long before staff arrived with their district devices in tow, the 40 desktop computers in the heart of the library, already cleaned and armed with new protection software, were fully occupied by teachers, administrators and other staff members as they learned how to install the necessary protections to the more than 2,000 district devices.

IT departments from other Flagstaff organizations, such as Coconino Community College, also joined.

“We’re a small community and they are very close to us so we want to help them out. They’d do the same for us,” said Brian Wilson, director of IT services at CCC.

After training, much of the team remained stationed at the middle school, but groups had also been released to other schools to update on-site computers, wielding flash drives and instruction sheets.

Members of the patchwork tech team had to power up each device, scan it for contamination and install new malware protection and other system updates. Any contaminated devices were pulled from the machine and treated separately.

The process began Thursday afternoon starting at the district administrative center and Penca said, at best, updating took 20 minutes per computer.

By just after 9 a.m. Friday, 12 laptops had been updated, with those in progress strewn throughout the room, connected to any available outlet.

Sheryl Wells, STEM coordinator at Killip Elementary, jumped between four laptops at once to monitor their progress, her blue Killip Cougars polo shirt a blur.

“You don’t want to just sit there and stare at the screen. We are moving and plugging in where we can,” Wells said.

Since the ransomware, a form of malware that typically requests payment in exchange for access to locked computers, was discovered on several district devices Wednesday morning, speed has been the key.

“Folks are diligent about looking for unusual things on their screens, any messages that pop up. A [ransomware] message popped up that was reported to myself and tech services and we took immediate steps to isolate those machines and isolate the district,” FUSD Technology Director Mary Knight said.

She said the ransom message did not include a specific dollar amount, but it did have untraceable contact information to encourage negotiation, an action she said the district would not even consider doing.

Though most teachers would be able to continue educating students without the internet, the loss of connectivity affects more than just lesson plans.

Penca explained that locks to school doors, the bell system, transportation, food service and even air quality controls all rely on their own digital systems, which were shut down and tested to see if they were affected by the malware. Once they are safe, they will be brought back online.

District representatives noted that attendance, also stored online, was a concern. It would be difficult to ensure the safety of students if the specific number of people within a building was unavailable.

“We know how disruptive this is to our families. Canceling school is one of the most difficult decisions I make as a superintendent and it’s not one I take lightly,” Penca said. “We just need to know, when we have kids back, that our school environment is safe and that we can operate as normal.”

When the ransomware was first found, access to the two largest and most critical systems – student information and finances – was immediately cut off, even though they are housed off-site.

“We cut off our connection to those to keep them safe, to make sure that all that data was safe. We wanted to make sure that those were protected and so we are not accessing those currently,” Knight said Friday morning.

Employee badge entry systems were the first to be restored (on Thursday morning) to allow teachers and administrators to access their schools.


Knight said the amount of data affected by the malware and whether it can be recovered is still unknown. An ongoing investigation by the district’s tech team, as well as contracted cybersecurity groups, should eventually provide answers.

FUSD has cybersecurity insurance to help cover the costs of these third-party experts, as well as the additional staff hours and any repairs to property damaged by the cyberattack.

During its May 28 meeting, the FUSD governing board approved a $1.18 million purchase of a five-year contract for security software to help stop such cyberattacks.

Penca said the software being installed this weekend was part of the overall cybersecurity plan that was already being implemented.

“There are things that we had put in place that helped us in this situation, but we weren’t really to the end point yet. There will be more steps that happen as part of our overall cybersecurity package. This just speeds up the timeline,” he said.

Eventually, additional protective software will also be installed on Apple devices. The district also plans to increase its digital safety trainings for students and employees.

Get local news delivered to your inbox!

* I understand and agree that registration on or use of this site constitutes agreement to its user agreement and privacy policy.

Kaitlin Olson can be reached at the office at kolson@azdailysun.com or by phone at (928) 556-2253. 


Load comments