How to Respond to a Ransomware Attack: Lessons Learned
The Flagstaff Unified school district, back in September, became one of more than 300 to suffer a ransomware attack that forced officials to close schools for two days and work around the clock to get everything back up and running.
Education Week chatted with Zachery Fountain, the Arizona district’s director of communications, and Mary Knight, its director of technology, about what Flagstaff learned from the experience. This interview has been edited for length and clarity.
What exactly happened?
Fountain: We had a staff member who noticed something weird happening in terms of one of their processes, and they did the right thing and alerted IT. And IT promptly took action and was able to figure out that we had a case of ransomware that was a pretty nasty bug. We ended up going through the processes, evaluating what systems were impacted, what weren’t impacted, and at the same time evaluating what systems did we need for school.
As part of our containment strategy, we needed to sever internet connections. It wasn’t that we were locked out of all of our systems. It was that we made the decision to sever the internet and isolate the issue. We ended up canceling school for the next day [a Thursday] and then also on Friday to ensure that we were able to get everything up and clean.
[After] really a Herculean effort by our team here and also community organizations, we were able to get up and running for that following Monday. We were down for about four days, including two days on the weekend. But we were able to bounce back.
Knight: The most important thing is to have your backups in place. We were presented with email addresses for the ransomware but we did not contact them. We were fortunate that we had backups in place that allowed us to restore our systems.
What would you recommend to other districts to avoid paying a ransom?
Fountain: The big thing is having your team and your plans in place and prepare for not [just] an IT issue. It’s a school system issue and how are people going to react? What does this look like in terms of instruction in the classroom if teachers can’t get the data? What does it mean in terms of communication with stakeholders? There are going to be a lot of questions about general security. You just have to have all those things planned and know what your map is for your systems.
Knight: Have the resources that are required to help navigate through a situation like that. Most school districts don’t have a cybersecurity expert on staff. You want to have [those relationships] in place, not be looking for someone when these events happen.
(The district is part of Arizona’s “risk and retention” trust and had participated in its webinars and created an incident-response plan, she said.) “When we were working through this, we contacted the trust [a nonprofit corporation that provides the state’s school districts and community colleges with property and liability coverage] immediately.”
How did communications work?
Fountain: My biggest worry as communications director was that I didn’t want to say something that would invite a secondary attack. We wanted to be very clear that we were dealing with a cyber issue that was ransomware. It wasn’t a breach, so information wasn’t taken off our server.
I did 37 interviews in 12 hours or something like that, with local media, national media, and international media. We really worked to make sure that our internal stakeholders had that information before we did things that were public. We want them to have a solid base of information before we send it out to everybody.
How else can districts get ready for an attack?
Knight: Prepare an incident-response plan and know who your incident-command team will be. Having those roles defined prior to an incident is critical. Backing up to cloud environments is also critical as well. It’s important for schools to do an after-action review. You prepare, you have your response, and then you have your recovery and remediation.
As part of that recovery and remediation, you want to do an after-action review so you can process what occurred. This is a daily threat for everybody. It’s something that has to remain on your radar constantly. You need to stay up to date on what’s out there and learn from others. It’s not something you can just create and put away and not worry about it.
You’re constantly making those modifications so you can be as prepared as possible.
How long did it take for teachers to get back into instruction after being out for two days?
Knight: They were back at it Monday morning. Their laptops were all picked up, [and temporarily confiscated] and they got back to business. In our user agreement [for staff], it says we are not responsible for your data, that you need to be backing up your data. But for some people who hadn’t backed up their personal data to the district network or a cloud-based option, they didn’t have access to their data. For some, that didn’t mean much, but for others, if it was 20 years of lesson plans, that was a little tough for those folks.
We all have to be very intentional about where we are saving our data to.
Any last pieces of advice?
Fountain: Celebrate the achievements along the way. The days are long. You’ve gotta be taking care of your staff.