
Arizona Schools Ransomware Attack: Recovery Update

Students returned to Flagstaff (Arizona) Unified School District (FUSD) schools on September 9 following a ransomware attack that forced 15 schools serving more than 9,600 students to close on September 5 and 6.

The ransomware attack, which infected multiple district servers, was first discovered on September 4. District officials reportedly worked over the weekend to secure the district's Internet-facing systems and assess damage from the cyber extortion. The infection involved some 2,000 devices, reports said. Security personnel from a local community college and other organizations are helping the school district’s internal security team, according to the Arizona Daily Sun. The district didn’t say if managed service security partners had also been called in to help with the recovery process.

At this point, the hackers have not been identified, nor are they likely to be, based on previous ransomware attacks on schools. District technology director Mary Knight confirmed that the hackers had left a ransom note that did not demand a specific dollar amount to unlock the district’s systems. Instead, the kidnappers left a note inviting the school district to negotiate with them. Knight told the Arizona Daily Sun that the district would not haggle with the crooks.

Ransomware Attacks Arizona Schools: The Recovery

To isolate the infection, which involved the school district's Windows-based systems, officials removed the servers and clients from the network. Teachers and district employees relinquished their systems so they could be examined for malware and have new anti-virus software installed. As a result, the district had to close the affected schools until its business systems and backups were up and running. In the meantime, staffers used the secured computers in the middle school's library.

"If we don't do this, we're at risk of re-infestation because there could be a contaminated machine that, when they turn the system back on, could cause us to lose all the work that we've done in the last couple of days," Superintendent Mike Penca said.

While school districts may not seem to be lucrative targets for hackers, they are increasingly targeted as low-hanging fruit by unsophisticated cyber crooks scanning the internet. Under-resourced school districts may have outdated systems that are easy to ransom for money and data. Flagstaff is the latest in a string of ransomware hits on school districts in recent months. Other notable attacks have hit school districts in Louisiana, New York, Oklahoma and Virginia. And that may be just the beginning.

Some battles so far: (via The Hill)

  • Louisiana: Gov. John Bel Edwards declared a statewide emergency last month in response to ransomware attacks on three school districts, and authorized state resources and cyber assistance to help the districts.
  • New York: In late August, Rockville Centre school district in Long Island, New York paid hackers nearly $100,000 to recover data from a Ryuk ransomware attack. The same malware was used in another attack on a neighboring school district in Mineola, New York. That district, however, declined to pay the ransom and chose to restore its data from backups. In late July, an attack took down the Syracuse, NY school district’s computer system.
  • Oklahoma: Broken Arrow Public Schools were victimized when an attacker encrypted their network and demanded payment to unlock it.
  • Virginia: Both the school district and the county government in Spotsylvania County were victimized by email scams in which they paid $600,000 to a scammer, believing they were paying for a new football field.

While the war so far is one-sided in the cyber kidnappers’ favor, state governments have begun to fight back:

  • New York: The state’s Education Department on July 29 requested that its regional information centers and Big 5 school systems — Buffalo, Rochester, Syracuse, Yonkers and New York City — take its warehouse offline to scan for malware and vulnerabilities.
  • North Dakota: Enacted a new law last April that enables the state’s Information Technology Department to oversee a cybersecurity strategy for all executive branch state agencies, as well as counties, cities and school districts.
  • Texas: In June, Gov. Greg Abbott signed a bill requiring school districts to adopt cybersecurity policies. The legislation mandates that the superintendent of each school district appoint a cybersecurity coordinator to serve as a liaison with the Texas Department of Information Resources.

MSPs Also Suffer Ransomware Attacks

MSPs have also suffered ransomware attacks in recent months. The fallout has included:

Hackers worldwide have been hitting MSPs of all sizes — not just global technology service providers. The FBI and U.S. Department of Homeland Security have repeatedly warned MSPs and their technology platform providers about such attacks.

Amid those challenges, the MSP industry (spanning technology companies, service providers and more) could soon face a “crisis of credibility” if the market doesn’t take major steps to more effectively mitigate ransomware threats, cyberattacks and associated fallout, ChannelE2E and MSSP Alert believe.

In response, MSP software providers and their channel partners are increasingly activating two-factor authentication as a means to stop hackers from entering systems.

Additional insights from Joe Panettieri.

D. Howard Kass
