UHSP
Zachary Lewis
CIO & CISO, University of Health Sciences & Pharmacy in St. Louis
Figure Ransom Avoided
Backups Lost to LockBit
Clean Recovery
Like many universities, the University of Health Sciences & Pharmacy in St. Louis (UHSP) operates a mixed environment of on-premises systems and cloud services while balancing limited resources with the ever-present cybersecurity risk. When a LockBit ransomware attack compromised UHSP’s internal systems, their backup strategy became their last and strongest line of defense.
UHSP had implemented a layered backup strategy using Veeam, with primary and secondary backups on-premises and a fully isolated tertiary backup tier in Backblaze B2 Cloud Storage. Data replicated to Backblaze B2 was encrypted, immutable, and intentionally separated from UHSP’s production environment and identity systems to limit blast radius during an attack.
During the attack, Backblaze B2 backups remained untouched by LockBit and accessible to the UHSP team. They were able to restore critical systems without paying the seven-figure ransom. They avoided rushed decision-making and were able to recover methodically from isolated, immutable cloud backups.
University of Health Sciences & Pharmacy in St. Louis is a private, nonprofit university focused on healthcare education and research, supporting a highly regulated academic and operational environment.
UHSP uses Veeam backup software to protect on-premises servers, file shares, and databases that support academic, administrative, and operational systems. Primary and secondary backups are stored on separate on-campus infrastructure for day-to-day recovery. A tertiary backup tier replicates data to Backblaze B2 Cloud Storage, where backups are encrypted, immutable, and isolated from UHSP’s network and authentication systems. In the event of a major incident, Backblaze B2 serves as an independent recovery source when on-premises systems are compromised.
UHSP designed its backup environment with the assumption that prevention could fail.
This architecture ensured that no single compromise could eliminate all recovery options.
In April 2023, UHSP’s IT team initially believed a hardware failure had taken core systems offline. Within days, it became clear the university had been targeted by LockBit, one of the most aggressive ransomware groups.
While ransomware attacks often go undisclosed, Zach Lewis and UHSP shared their story in a now-published book, Locked Up, which fully deconstructs the aftermath of the attack and has helped reduce stigma so other organizations understand exactly what to do to prepare for and respond to an attack.
Our primary backup was there, we just couldn’t get to it because credentials were compromised. Without Backblaze, we would have been completely hosed. Object Lock was critical—it meant the attackers couldn’t take recovery off the table.
Zachary Lewis, CIO & CISO, University of Health Sciences & Pharmacy in St. Louis
As investigators worked to understand the breach, UHSP leaned on a recovery source that attackers could not touch.
Backblaze B2 became the first reliable foothold for recovery.
We didn’t think of Backblaze B2 as just storage. It was our last line of defense—separate from production, protected, and available when we needed it most.
Zachary Lewis, CIO & CISO, University of Health Sciences & Pharmacy in St. Louis
The original ransom exceeded seven figures, but UHSP avoided being forced into ransom-driven decisions. Having intact backups reduced urgency and negotiation pressure. IT teams could focus on validating the data and restoring systems deliberately. And leadership could communicate recovery paths with clarity and confidence.
Ultimately, UHSP was able to restore operations without paying LockBit for decryption. The attack permanently reshaped UHSP’s approach to cyber resilience. Immutability is non-negotiable. Backup testing frequency increased to quarterly. And tertiary cloud backups are a critical safeguard, not a redundancy.