Flagstaff Unified School District officials have canceled school Friday, as its tech team continues to combat a cyber threat discovered Wednesday morning, leaving families to find alternative daytime plans for their students.
District officials have confirmed the situation is a ransomware attack — the attacker has demanded payment in bitcoin in exchange for the locked data.
The FUSD tech team, alongside third-party cybersecurity experts, are now working to clean the devices that have been touched by the malware and equip all devices with additional protection before they are reconnected to the district’s internet.
“There has been no conversation about paying the ransom,” FUSD spokesman Zachery Fountain said.
District-wide internet services were taken down at approximately 3 p.m. Wednesday to prevent the malware from spreading and the team worked overnight Wednesday and throughout Thursday to address the problem.
Officials could not confirm if any personal, identifiable information has been compromised.
Systems like campus entry, attendance and communication systems (all unavailable when the internet is down) were the primary cause for canceling classes because they could affect student safety. The decision was made by the district’s incident command team, which includes representatives from the superintendent’s office, human resources and academic services.
Though progress has been made in “securing critical FUSD systems,” a district statement said the work will need to continue through the weekend to allow students to return to school on Monday.
“FUSD understands this decision impacts families and the community. We appreciate your patience as we work through this situation,” the statement continued.
Both missed school days will be counted as snow days and must be made up.
“There will be further communication with parents as we figure out what that means for our schedule,” Fountain said.
Much like a Flagstaff snow day, the two unexpected school closure announcements left many FUSD families scrambling to find a place for their children during the work day. Despite the change in plans, though, they remained appreciative of the efforts to protect their students.
Jennifer Bromley Zimmer, a medical transcriptionist who works from home, was able to keep her children at home Thursday, but the mother of five FUSD students – including 6-year-old quadruplets – said she did not get any work done.
“Snow days are spontaneous. Just like this was spontaneous,” she said in a Facebook message. “[Except that] snow days can be slightly more predictable due to storm gauging.”
Zimmer said her initial response to the cybersecurity issue was disbelief. She thought the announcement of Thursday’s school cancellation itself was a message from hackers.
Fortunately, Jolene Branson’s plans did not change with the closure because her two children, ages four and seven, are spending the week with their father, who had the day off.
“As a parent, I'm glad the school district decided to cancel classes today. It shows that they really do care for the well-being of our kids,” Branson said Thursday in a Facebook message.
Unable to change her Thursday plans, Courtney Ludwig took her two 9-year-old sons with her to her classes at Northern Arizona University, where she is working to complete her bachelor’s degree in elementary education.
She feared her professors would complain; however, it instead prompted in-class discussions.
You have free articles remaining.
“It was something that we were able to talk about then: how everything relies on technology and how that makes it a safety issue. It’s something future teachers will have to know about,” Ludwig said.
She said she usually spends her Fridays volunteering at her boys’ school, Marshall Elementary, so they will instead spend the day together at home.
In response to the closures, local organizations offered their services to keep kids safe and active throughout the day, as they have before.
“You have to be super in touch with what parents' needs are. Being parents ourselves, we know how hard it can be to scramble at the last minute to find an appropriate place for your child,” said Kristi Baty, one of the owners of Summit Gymnastics Academy.
The gym welcomed more than 30 children from ages four to 12 to its day camp Thursday, where they had a full day of rotations between different gymnastics centers and the playground.
Baty said most of the attendees were returners from previous events, but the gym did see at least five new faces.
The Flagstaff Family YMCA also opened its doors Thursday, welcoming seven elementary schoolers to its camp day, which included play time, sports and crafts. Executive director Chris Aungst said the group spent extra time outside, enjoying the beautiful weather on this unexpected “snow day.”
Although these camps each cost a fee, Aungst said the YMCA can provide financial assistance for families interested in its day camp program.
Also a parent of a Knoles Elementary student, Aungst was empathetic for the school district as it works through this situation.
“[I’m feeling] frustration in the world we live in and that this threat is even out there,” he said.
A profitable virus
“Malware is software that’s meant to hide, obscure its purpose and be able to do malicious things without the user being aware of it until it’s too late. Ransomware makes [users] aware,” said Wesley McGrew, director of cyber operations for HORNE Cyber, who specializes in the use of “ethical hacking” to reverse engineer ransomware and find solutions to prevent such cyberattacks.
He said this form of malware, which usually targets as many agencies as possible rather than cherry-picking, is one of the most prevalent because of its high return on investment for attackers, who are generally organized crime groups, but could also be individual hackers.
“There’s a lot of complexity in trying to sell stolen data, but people who developed ransomware found out that the best people to sell data to is the people it was stolen from – your data means something to you, so you are the most likely to want to pay for it,” McGrew said.
Most ransomware will affect Windows computers and encrypt personal documents like text files and photographs because, unlike software that can be reinstalled, these documents cannot be replaced easily, he said. The virus does not typically affect the operating system of the computer because it wants users to see the ransom message and engage with it by paying the fee to salvage their data.
With hackers having the advantage in a ransom situation, the process seems repeatable, even after a victim pays the ransom. Surprisingly, McGrew said this is unlikely.
“Generally, it works out more often than you would think. If a ransomware operator gets the reputation of not giving back data after being paid, word would get out and they wouldn’t be trusted. There’s a level of ‘customer service,’” he said.
The best way to prevent a ransomware attack is to have backups stored on different servers as well as frequent testing to prepare for an attack.
McGrew said it can take municipalities days or even weeks to recover from a ransomware attack, depending on the size of their networks, and for smaller groups, contracts with outside security companies are helpful.