
Arizona Schools Provide Model for Managing Ransomware

On Wednesday, September 4, 2019, ransomware was discovered at Flagstaff Unified School District, Arizona. Schools were closed on Thursday and Friday of that week, but re-opened after the weekend. No ransom was paid, and only two days of schooling were lost.

Now Moody’s new weekly Public Finance Credit Outlook newsletter has highlighted the case as an example of how to prepare for and mitigate the effects of ransomware. It says three things were fundamental: distributed processing across several third-party organizations; a well-prepared and executed response plan; and cyber insurance.

The distributed processing between various organizations including Northern Arizona University, Coconino County and private vendors amounted to a form of network segmentation. “This,” comments Moody’s, “limited the potential spread of malware across systems and allowed the district to continue performing important operations, such as vendor payments, payroll and debt service repayment, even if its own systems were not immediately available.”

While commercial organizations might not be able to implement an identical distributed processing plan, they could implement well-controlled internal network segmentation. If this were done, the effect would be similar: any malware infestation would be limited in its ability to affect the whole network. This is not easy, but it is certainly doable with next-gen firewalls and privileged access management.

The second element of Flagstaff’s success highlighted by Moody’s is the district’s well-planned and executed incident response plan. The schools were closed not because of loss of computing, but over safety concerns that systems such as cameras, door locks, HVAC, and communications might have been compromised.

Computers were immediately disconnected from the internet and shut down. They were given factory resets to ensure that no malware could be left on the computers to re-infect the network.

However, Moody’s adds that budgetary preparation for unplanned incidents also benefits the financial running of the schools (which have in excess of 9,000 students and revenue of around $95 million). The schools have an annual ‘snow’ budget for five days’ closure. While it is unusual to invoke two snow days in September, it nevertheless means that if the winter is not too harsh, there will be no financial impact from the schools’ ransomware closure.

There will, of course, be additional financial costs from the incident, including upgrading security and hiring third-party vendors to improve security to prevent any future incidents. “Most, if not all, of these additional costs,” says Moody’s, “are likely to be covered by its cybersecurity insurance policy, although district management says the total financial cost will not be known for at least another month.”

At these Arizona schools, no ransom was paid, the ‘offices’ were closed for just two days without any detrimental financial effect, and any long-term costs were eliminated through insurance. The three basic aspects, defense (including network segmentation), a planned and effectively executed incident response, and cyber insurance, form a model that could be followed by many organizations in the fight against ransomware and malware in general.

As far as Moody’s is concerned, the Flagstaff, AZ Unified School District is ‘credit positive’ (rated Aa1) despite being affected by ransomware.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
