Zach Lewis still remembers that sinking feeling. It was April 13, 2023, at 4:30 in the morning when his phone rang — the University of Health Sciences and Pharmacy’s servers were down. He thought it was a hardware failure. The school had been running on end‑of‑life equipment, and his team worked through the night to get 95 percent of campus operations restored by the next day. Then everything crashed again.
When Lewis and his engineers dug into the hypervisor, they found a README file from LockBit. “When you find a ransomware note in your systems when you’re having problems, that’s about the worst feeling you can get,” Lewis recalls in a candid podcast interview about surviving the attack. “You just feel it in your stomach, like everything sort of slows down, and you’re like, ‘This is gonna be bad.’”
What followed was two months of sleepless nights and a brutal lesson in what cyber‑resilient storage actually means when the threat actors are already inside. Lewis is writing a book about the experience, titled Locked Up, because he believes the industry’s culture of silence around ransomware is hurting people.
The backup that wasn’t there
The first real punch came when Lewis’s team tried to access their primary backup system. Active Directory had been encrypted, so they couldn’t log into the backup server. The local administrator password? Stored in the university’s password manager — also encrypted. “My backups are right there. Literally just a username and password away. Can’t get to them,” Lewis says.
A team member had written down the credentials for a tertiary, fully offline backup — “probably against policy,” Lewis admits, “but it saved us.” Without that copy, the university would have faced a stark choice: pay LockBit’s $1.25 million ransom or lose everything. It wasn’t enough to “have backups.” They had to be reachable when identity systems were down and protected from the same blast radius as production.
Another 1:00 AM call
Hundreds of miles away, a Florida county IT director learned a similar lesson from a different angle. Around 1:00 AM in 2023, his service desk manager called about suspicious logins: administrative accounts were being deleted. “I immediately drove to the emergency operations center and started unplugging the internet to stop command and control,” he later told Cohesity’s cyber emergency response team in a published case study about the county’s recovery.
Ransomware encrypted roughly 350 servers. The county was only halfway through migrating to Cohesity’s immutable storage platform, but the most critical systems, financial management and court records, had already been moved. Restoring a 150‑gigabyte server from Cohesity took about 30 minutes; the same server on the old solution took 90 to 120 minutes due to an intermediate recovery step. Within 72 hours of forensic clearance, mission‑critical services were back online. Zero data loss and no ransom paid.
The county’s architecture made the difference. It kept three backup copies: one local, one in a colocation facility 200 miles away, and a third in Cohesity FortKnox, an isolated cyber vault in AWS requiring quorum approval to change settings or delete data. Even with compromised admin credentials, attackers couldn’t touch the vault.
Air gaps, vaults, and the emotional toll
Lewis didn’t have that level of isolation. During the LockBit incident, attackers found and wiped the university’s secondary backup while his team was still assessing the damage. “They continued moving through our environment… Our EDR systems missed these moves because they don’t run on the hypervisor OS level,” he wrote in a detailed technical breakdown of the attack.
For weeks, Lewis juggled forensic investigators, FBI agents, insurance reps, outside counsel, and dark‑web negotiators. LockBit initially claimed to have stolen 75 gigabytes of sensitive data, then escalated to 175, then 300. When the countdown timer hit zero and the data went live, the actual haul was 2.5 gigabytes – four old Social Security numbers and one immunization record. “Could you imagine paying $1.25 million for two gigs of files?” Lewis asks. But he’s quick to add: if those files had been crown‑jewel research, the math could have been very different.
Lessons from the trenches
Practitioners who’ve survived ransomware keep landing on the same points. Lewis and the Florida county director arrived there from very different environments.
Offline, immutable backups are non‑negotiable. In both cases, isolated copies that couldn’t be altered or deleted, even by administrators, were the only reason ransom payments stayed theoretical. Lewis’s secondary backup was wiped because attackers could reach it. The county’s FortKnox vault, requiring quorum approval in a separate environment, was untouchable.
Test recovery under realistic failure conditions. Lewis had done tabletop exercises, but nobody had ever walked through “Active Directory is down, the password manager is encrypted, and you can’t log into the backup server.” The Florida county had validated not just that backups existed, but how fast real workloads could be restored and what the runbook looked like at 1:00 AM. When everything digital failed, Lewis’s team fell back on printed incident response plans and passwords in a physical safe in another building. Paper looked pretty modern that week.
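The failure Lewis hit, a backup “a username and password away” that no surviving system could unlock, is a reachability question: which copies can still be restored once a given set of components is encrypted, wiped, or locked out? The Python below is an added illustration, not code from the article or from either organization; the component names and both dependency graphs are constructed assumptions that mirror the two incidents.

```python
# Added example, not from the article: a reachability model of the backup
# dependency chains the two incidents describe. All names are constructed.
# component -> alternative access paths (OR); each path lists components that
# must ALL be usable (AND). An empty path means the component needs nothing else.
UNIVERSITY = {
    "production_network": [[]],
    "active_directory": [["production_network"]],
    # The password manager runs on AD-joined production systems.
    "password_manager": [["production_network", "active_directory"]],
    # Primary backup server: domain login, or the local admin password that is
    # only stored in the password manager. Both routes fall with AD.
    "primary_backup": [["active_directory"], ["password_manager"]],
    "secondary_backup": [["active_directory"]],
    # Tertiary offline copy: needs only the credentials someone wrote down.
    "written_credentials": [[]],
    "offline_backup": [["written_credentials"]],
}
COUNTY = {
    "production_network": [[]],
    "admin_credentials": [["production_network"]],
    "local_backup": [["admin_credentials"]],
    "colo_backup": [["admin_credentials"]],
    # Isolated vault gated by quorum approval in a separate environment,
    # not by any production identity.
    "vault_quorum": [[]],
    "cyber_vault": [["vault_quorum"]],
}

def usable(graph, component, compromised, _seen=frozenset()):
    """True if the component is intact and at least one access path works."""
    if component in compromised or component in _seen:
        return False
    seen = _seen | {component}  # guards against cycles in a hand-edited graph
    return any(all(usable(graph, dep, compromised, seen) for dep in path)
               for path in graph.get(component, []))

def reachable_backups(graph, compromised):
    """Backup copies (nodes named *_backup or *_vault) still restorable when
    every component in `compromised` is encrypted, wiped or locked out."""
    compromised = frozenset(compromised)
    return [c for c in graph if c.endswith(("_backup", "_vault"))
            and usable(graph, c, compromised)]

if __name__ == "__main__":
    # Constructed scenarios mirroring the two incidents in the article.
    hit = {"active_directory", "password_manager", "secondary_backup"}
    print("University, AD + password manager encrypted, secondary wiped:",
          reachable_backups(UNIVERSITY, hit))
    print("Same, but nobody wrote the credentials down:",
          reachable_backups(UNIVERSITY, hit | {"written_credentials"}))
    print("County, admin credentials lost:", reachable_backups(COUNTY, {"admin_credentials"}))
```

Walking a real inventory through a model like this before the 1:00 AM call is the tabletop scenario Lewis says nobody had run: it shows whether every restore path shares a dependency with the identity systems that ransomware takes down first.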
Speed matters as much as safety. The county’s 30‑minute restores versus 90‑plus minutes on the legacy product translated directly into how fast courts, payroll, and public services came back. Faster recovery also shrinks the window where executives might seriously consider paying out of desperation.
Harden at the hypervisor. LockBit encrypted Lewis’s VMware ESXi hypervisors directly, below where traditional endpoint tools can see. Storage and backup teams have to account for that layer – how to detect and recover from attacks that start at the infrastructure plane, not just inside a VM.
Breaking the silence
“When I give this presentation, I always have a slide that asks the audience, ‘Hey, raise your hand if you’ve had a cyber incident,’ and no one raises their hand,” Lewis says in a recent video interview about surviving the LockBit attack. “But then I put a QR code to anonymously submit, and it’s like 80 percent of the room responds.”
That silence is part of why the same mistakes keep happening: skipping MFA on remote access, assuming configs are “good enough,” treating backup as a budget line instead of a security control. Lewis’s forthcoming book, Locked Up, aims to break that pattern with an honest account of what happens when a real incident collides with plans that looked solid on paper.
He’s back to normal operations now, with refreshed hardware, tighter configs, and a deeper respect for offline backups. “There’s no pause button,” he says. “You’re making decisions with imperfect information and a clock that never stops.”
For IT professionals building or rebuilding storage strategies in 2026, his message and the Florida county’s experience land in the same place: design for the day when everything goes dark. When that call comes, your architecture and your runbooks, not your intentions, decide whether you’re negotiating with attackers or watching a progress bar move in the right direction.
