author photo
By Bruce Sussman
Mon | Sep 9, 2019 | 8:15 AM PDT

It looked like a bunch of parents registering their kids for classes.

Instead, they were teachers and staff handing in their laptops and devices following a major ransomware attack on the school district in Flagstaff, Arizona. 

The Associated Press paints the picture of what it was like:

... hundreds of teachers and other district employees on Friday turned in their Windows devices at a middle school so they could be scanned for contamination and have new malware protection installed.

In a process resembling student registration check-ins, employees filled out papers listing their names, ID numbers and contact information before proceeding to tables where devices were catalogued before being taken away for restoration.

If all goes well, the devices will be dropped off at their users' schools Monday morning.

"If we don't do this, we're at risk of re-infestation because there could be a contaminated machine that, when they turn the system back on, could cause us to lose all the work that we've done in the last couple of days," Superintendent Mike Penca said.

All that work has paid off.

Schools re-open after ransomware attack

As SecureWorld reported last week, Flagstaff Unified School District very suddenly canceled school, childcare, and all after-school activities both Thursday and Friday after the ransomware attack.

You can imagine how this upended family schedules like snow days do. Some parents expressed their frustration on Facebook about the sudden closure, and others questioned if the closure was real: "Has the district's Facebook page been hacked?"

Unfortunately, the attack and closure were real.

The District says it did not negotiate with hackers or pay a ransom. Instead, it spent several days getting things back online.

Finally, however, the District posted some good news about the cyberattack on its Facebook page Sunday night, September 9, 2019:

"We appreciate your patience as FUSD tackled an unprecedented challenge in the wake of a cyber attack," the district posted.

Most of those who replied to the District's message thanked the school district for its hard work. But there was one reply that shows you can expect some direct questions following a cyber incident:

"Are the systems secure and the computers and devices updated to withstand a cyber security attack? To what extent have any changes been made? What have you done differently to prevent an inevitable future concern or attack?"

Good questions, indeed. And they require a nuanced response.

As we often hear said at regional SecureWorld cybersecurity conferences, never promise you are secure.

Instead, the new tools and training have made you more secure than you were before.

Comments