In August 2023, while thousands of students at William Jewell College were hauling mini-fridges and textbooks into dorms, the invisible, digital heart of the campus was flatlining.
There was no internet. No email. Even the HVAC system, tied to a compromised network, had shut down in the sweltering Missouri heat. The culprit? LockBit, a prolific ransomware syndicate that had hit Boeing just days earlier. For Boeing, it was a data exfiltration headache; for William Jewell, a small liberal arts college, it was an existential threat during its most critical revenue window of the year.
For many security teams, David vs. Goliath mismatches are the new normal, especially in the education sector. Higher education has become a playground for threat actors who view universities as soft targets: environments with massive attack surfaces, backlogs of technical debt, and IT teams forced to do their best MacGyver impersonation with limited budgets. Unlike a Fortune 500 company with a dedicated SOC, many mid-sized institutions rely on annual vulnerability scans that become obsolete the moment they are printed. When a group like LockBit goes down a geographic list of targets, they aren't looking for a challenge; they’re looking for the path of least resistance.
For Nick Gicinto, an alum and veteran security leader with experience at the CIA, Tesla, and Uber, the call for help from his alma mater was a homecoming he never expected. He arrived to find a campus in chaos and an insurance-mandated incident response process that was more focused on compliance than actual closure.
Nick’s experience on the front lines of this rescue demonstrates that cybersecurity resilience is about more than technical recovery. In 2026, nearly 140 new vulnerabilities are being found each day, and attackers are more sophisticated than ever before. This onslaught has forced CISOs to shift their philosophy: you can no longer build a program around the hope that you’ll catch every flaw. True resilience now relies on radical, real-time visibility.
Greg Pollock, UpGuard’s Director of Research, sat down with Nick at RSAC 2026 to peel back the curtain on this attack. What follows is the full, unfiltered transcript of that conversation. In it, Nick explains why he had to sideline the standard IR playbook, how he purged the network, and how he now uses third-party validation to turn abstract security metrics into ROI for non-technical leadership.
This article originally appeared in the May 2026 issue of The UpGuardian, a monthly newsletter dedicated to cybersecurity storytelling. If you like this story, subscribe to receive future issues of the newsletter directly in your inbox.

Editor’s Note: The following transcript has been edited in places for readability.
Nick Gicinto: I was at home in August of 2023, which was move-in weekend for our college. And as an alum, I happen to live a couple of miles from the campus. I got a phone call saying, “Hey, something really serious has happened at the school, and we need some help.”
Now, the college knew that I had a cybersecurity background, but they didn’t have a cybersecurity team. I arrived on campus not really understanding what was going on or what I was going to face. And what I saw was that the campus was completely shut down. When all the students had come to move in, there was no internet, and there was no email. You have everybody descending on campus, and there was nothing to be able to coordinate any of the logistics or that experience for students to show up for the first weekend and move into their dorms. If you know much about higher ed, you also know that there are only two times of the year when the higher ed community gets to realize revenue, and that’s at the beginning of each semester. When the semester begins, tuition payments finally clear their accounts. And because the accounts were shut down for fear of compromise, the college couldn't realize revenue.
This was truly an existential threat to a small, private liberal arts college. We were hit with LockBit ransomware the same week Boeing was hit for 60 gigabytes of data. And I didn’t think it was fair that a small private liberal arts college had to defend itself against the same threats that were also successful against a company like Boeing. So, I stepped up as a volunteer, as an alum, to help them through the process of working this ransomware attack.
Unfortunately, what we found when we brought the college’s incident response vendor in was that they were following a playbook of check-box exercises that the insurance company wanted them to follow. These exercises weren't really sufficient in being able to tell us whether or not our network was still compromised. We didn’t have any information from the forensics investigation about how they got in or what we did to prevent them. We also knew that 60% of ransomware victims get hit again, because they don’t close the vulnerabilities or gaps before they either pay the ransomware or they decide not to pay, and then, once they restore from their backups, they get hit again. I felt like it was a race against time to be able to identify how we got hit and how we could close the gap to ensure we didn’t get hit again.
A college of this size may be able to survive ransomware once, but it certainly can't survive it twice. Higher ed is already under assault, at least in America these days, with enrollment down following COVID. They need as much revenue as they can possibly get, and they cannot afford to have these types of attacks incapacitate them and compromise their reputation.

Greg Pollock: Nick, without getting into private details, what did you find out in terms of the forensics? Because, as threat researchers probably recall, LockBit is known for being extremely prolific. At the time, they were the most prolific ransomware group, and generally targeted the lowest hanging fruit using already exposed credentials or known vulnerabilities.
NG: Yeah, I think this was a pretty classic operation for LockBit. And we also heard after the fact that LockBit hit several other universities close to us. Almost like they were just going down a list, looking at colleges geographically and then just hitting them all at once, kind of like a surprise attack.
Conducting their attacks during move-in weekend increases the chaos, pressure, and urgency that a college has, and particularly might increase the chances that they might pay, right?
But what I found is that most higher ed institutions are a very soft target. You would think, and you would expect that they would have MFA across the board. You would expect that they would be sufficiently progressed towards moving towards cloud for protecting at least the student data and the critical datasets and things that matter most to the college.
What I sort of found out when I got there was that most of the things that would be intuitive to us, or intuitive to a security team, particularly from my experience coming from places like Uber, Tesla, and the CIA, are things they just cannot focus on here as a matter of prioritization because they’re struggling to keep the lights on in other places. And so, the amount of technical debt that existed, the amount of shadow IT that existed, and the fact that they were mostly relying on one annual scan of their environment were just totally insufficient.
They needed a complete overhaul of people, process, and technology, which I think is what a lot of colleges are probably facing. They’ve got an overworked IT team that’s trying to keep the network up with bubble gum and toothpicks. They don’t have the resources. They don’t have the bandwidth. They also don’t have the cyber training and expertise. But they’re expected to provide the accessibility and the security at the same time, and they just can't do it.
So LockBit very easily took advantage of that. My goal is to think about how we can prevent this from happening again. How do we make our college a hard enough target where we’re not going to be victims of those low-hanging fruit types of attacks anymore?
GP: When you talk about times of the year that are really vulnerable, threat responders deal with that all the time. When it’s Christmas Eve for us, it’s Monday morning for financially motivated attackers. Are there other times of year or ways in which that behavior manifests?
NG: I mean, there’s something about Friday at 6:00 PM that bad guys really enjoy, or chaos just seems to manifest itself, right? So I think that’s typical. We kind of knew that holidays were going to be problematic.
For bigger companies with a larger attack surface, you can be hit so many different ways that I don’t think attackers generally wait for a particular time. When they find something good, they go after it as fast as they can. And so [at Uber, Tesla, and the CIA] it was incumbent upon us to be hyper-sensitive and vigilant and aware of our attack surface vulnerabilities, more so than a college is.
GP: Yeah, that’s a great point. At those enterprises, you’re doing constant monitoring, you have lots of resources. Here, you’re just trying to be hard to hit.
Let’s move on to how you addressed this. So you come in, and it’s in total chaos. But you have in your mind a mental model for how you’re going to work through this and build a new program. So take us through that.
NG: Yeah, so the three things I think about as a CISO are I want to know what’s going on inside, I want to know what we look like from the outside, and I want to know what our perimeter looks like. So I focused on internal scanning as a priority, which I’ll tell you, most higher ed institutions, they don’t invest in vulnerability scanning. I don’t exactly know why, other than I think it’s probably one of the last things they think about because they think more traditionally like: “Okay, we’ve gotta have endpoint protection” or “We’ve gotta have phishing protection, so we can watch our email.” They don’t really think about vulnerabilities, nor do they have the staff to be on top of patch management.
GP: Yeah, because that creates work, right? You’re creating more work for yourself by finding those vulnerabilities.
NG: For sure, for sure. And you know, ironically, right, when you don't focus on it, the pile gets a lot bigger, and it’s really hard to dig out of that. And then you’re like, “Well, which level 10 vulnerability do I want to tackle today?”
So that was part of my perspective: I needed to have total visibility because I didn’t know what I was looking at. I couldn't really see much. I couldn't even reconstruct the attack itself forensically because they were relying on the generosity and kindness of Microsoft and their A1 licenses. I was most concerned about knowing whether or not [LockBit] was still in our network, knowing whether or not we had vulnerabilities that needed to be closed, and then figuring out how to draw out the negotiation long enough to where I had that period of time where they weren’t going to hit me again. Unfortunately, I was working with an incident response vendor that wasn’t working for me. They were working for the insurance company. So I wasn't getting the answers I needed, and I wasn't getting the visibility. I was subject to the tools that they brought to the table and what they chose to be preferential with. And so I had to take matters into my own hands.
That’s where I got my own network involved. And I was, you know, blessed to work at some awesome companies and know a lot of people who were happy to come and help a college in a tough spot. And so I was grateful that, you know, we could descend on the college and put our expertise to work utilizing a couple of select tools that were super valuable because we needed to have the visibility. Right?

GP: When you have this long list of vulnerabilities, as people often report, do you go through and try to pinpoint those and patch them one at a time, or do you use less of a scalpel and more of a sword to tear the server down and then just put in a new one? How did you approach the pile of work to make it manageable?
NG: Well, you know, in most incident response playbooks, when you deal with ransomware, the first thing you do is you take everything offline, right? So at least we had the benefit of the fact that we were already offline. It’s not like I’m going to tick anybody off by bringing in a tool and doing something, right? I had that benefit. We were trying to get things up and running.
But I start with a risk-based approach. What’s the most important thing that I have to protect, and what’s the most likely way to get at that? So we started thinking about: how does somebody get in from the outside? So you look at the firewall, you look at the VPNs.
You know, I assumed that every credential was compromised, so we just flat-out rolled all of those. You know, it was like Oprah, “You get a new password! And you get a new password!”
GP: Alright. Let’s shift the timeline a bit. Once you were out of the crisis, how do you go about building a sustainable program? The technology, people, and process part of it, but then also, how did this experience factor into your approach?
NG: Well, the thing that I valued the most in the midst of a crisis, which was visibility, is also the thing that I look for to keep me from getting into another crisis. Once I established the tools that could allow me to see outside, inside, and then to see our perimeter, I had a program that I could build around. I could respond to what those systems were telling us on a day-to-day basis. I had to build something scalable and something sustainable with solutions that would support me. I also relied on the expertise of some of my partners, because I wasn't going to be able to see everything myself.
I also needed somebody who could keep me informed and alert. You know, everybody thinks about, “Okay, have an endpoint detection response system, have it managed, use an MDR.” Right? All that stuff is good. It’s unfortunately only going to give you a part of the perspective of visibility. And if I solely relied on outsourced management to tell me what was going on in my network, I was not going to have a full perspective, because those vendors are so limited in what they’re willing to do to support you. I really needed to have that ownership of my own program and be able to use tools that I knew on a daily basis were going to give me the information I needed so that I could take action that day.
GP: At some point, you essentially need to be able to make the case to other people, whoever funds you, whether it’s the board or whoever it is within your organization: “Here is why we need Tool X” or “We need personnel for Capability X.” How do you approach describing the value of security when it’s not a crisis, to be able to get that support and that investment?
NG: Yeah, of course. I mean, every dollar matters, right? It doesn’t matter whether you’re Tesla or whether you’re William Jewell. I had to use tools that help me to tell the story so that I can explain it to the people above me who control the budget. The CFO is not going to be technical. Where can they derive value in ways that they can understand?
GP: So you weren’t giving them the list of CVEs? Were you giving them something else?
NG: I tried that! It didn’t work. They weren’t willing to come in and patch things with me, so I stopped sending them those daily. But to demonstrate ROI, particularly if you’ve not been attacked, is really difficult. How do you demonstrate the ROI of all the money you invest to not be attacked? Is it because nobody attacked you or because you prevented the attacks? Right? It’s really hard to prove that.
So what I looked for were other ways that I could demonstrate a baseline of “Where were we at the point that we were attacked?” and I used that as my baseline. I was able to bring in tools that could quantify and give me data so that whenever that ransomware issue occurred, I knew this was the worst that our security was at any given time. The tools I brought in would give me the ability to show improvement in certain ways, where we would build more protections and reduce risk. But to quantify that against where we were when the ransomware attack happened was a great way for me to show, “Hey, we’ve got marked improvement in these areas, and oh by the way, we haven’t been attacked.”
GP: Right. That makes sense. And that sort of brings us to the end of the story, which was being able to recover, putting a program in place, and being able to measure where you were and your improvement. Therefore, with any further investment, you could point and say, “Hey, we have quantifiable improvement to validate that this thing I said was going to improve us actually did.” Literally return on investment.
NG: Yeah, absolutely. And now, year-over-year, and even quarterly, I can put together a summary to say, “Hey, look, this is where we were in January, this is where we are now in April.” I have tools that allow me to demonstrate exactly where we are on a graph. It’s numeric. They understand that, especially a CFO. Show them numbers, and they’re in their happy place. And that’s how we run the program now: by using third-party independent validation to tell us that we have made certain improvements. And also, it’s nice to say we’ve had zero attacks.
GP: Yeah, that is nice!
Nick Gicinto and William Jewell’s journey from a frantic move-in weekend in 2023 to a robust, sustainable cybersecurity program in 2026 underscores a critical truth for the modern CISO: resilience and visibility are tethered to one another in multiple ways. To be truly resilient, you need to have the visibility to see the path forward, for you and your program. You also need the visibility to see what vulnerabilities you’re exposed to and what you need to do to patch them.
As Nick demonstrated, the transformation from a soft target to a resilient enterprise requires three distinct shifts:
Whether you’re a small, liberal arts college like William Jewell or a global enterprise, the goal is the same: improve your security posture and gain the visibility needed to track where you are and what you need to do to get where you want to be.