Proactive Protection: Nebraska Warehouse Stops Ransomware Cold

You may have noticed that Tamara Draeger, CEO of our new DCA member company Nebraska Warehouse, was not at the IWLA Convention as anticipated. Word quickly spread that she was remaining in Omaha with her team, addressing a ransomware attack. But the story was not at all what one might expect. Read on!

On March 25 at approximately 7:50 a.m., our systems began showing signs that something wasn’t right. Within minutes, several areas of our network were no longer functioning properly, and a handful of endpoint user machines had been disconnected.

By 8:15 a.m., our internal IT team was actively engaged with our local IT partner, reviewing system-generated alerts and beginning initial troubleshooting. It quickly became clear that additional expertise was needed, and we brought in our supplemental IT firm to provide another layer of analysis.

At 12:45 p.m., we received confirmation: we were dealing with a ransomware incident. From that moment, the response accelerated. We initiated a cyber insurance claim immediately, and by 4:00 p.m. that same day, I was on a call with our claims adjuster, internal IT team, local IT partner, and the forensic IT specialists engaged by our insurance carrier. What followed was a coordinated, multi-team effort focused on containment, investigation, and recovery.

Before diving deeper into the incident itself, it’s important to provide some context around our cybersecurity posture.

Several years ago, we made the decision to invest in layered IT security by partnering with a local firm to help monitor our network and deploy advanced security tools. Our environment includes multiple leading cybersecurity platforms for functions such as antivirus and Endpoint Detection and Response (EDR).

In hindsight, this investment made all the difference.

While our systems did not prevent the initial point of entry, they performed exactly as designed once suspicious activity began. The threat actor was able to access our environment, but when they initiated file encryption, our systems detected the behavior and automatically quarantined the affected servers. This effectively stopped the attack in its tracks.

Most importantly, the attacker was unable to extract data. With no data exfiltration and no leverage, there was nothing to ransom.

In the world of ransomware, this is as close to a “best case scenario” as one can hope for.

That said, “best case” does not mean easy.

The incident required a significant investment of time, energy, and resources from our internal team, as well as countless hours from both IT partners and forensic specialists. Even two weeks after the event, one server remained in the process of being fully restored and brought back online.

From a technical standpoint, the forensic investigation determined that the threat actor gained access to a server and, at approximately 7:48 a.m., began moving laterally across the network.

As encryption activity started, our security systems flagged the behavior and quarantined two servers. At the same time, several offsite endpoint devices—actively connected via remote access—were also quarantined as a precaution.

As those servers became inaccessible, our end users quickly felt the impact, prompting internal escalation. In parallel, our IT teams aligned on next steps and engaged our insurance carrier, which rapidly assembled both forensic and operational response teams.

The forensic team focused on understanding the scope and nature of the breach—how access was gained, what actions were taken, and whether any data had been compromised.

Meanwhile, the operational team worked to identify clean backups, restore affected systems, and minimize business disruption.

Over the following days, there were extensive coordination calls across all parties to assess findings, prioritize actions, and execute recovery efforts.

In total, four servers were impacted by file encryption. Within four days, three of those servers had been successfully restored and returned to the network. Two servers were rebuilt using verified clean backups, and our team manually recreated approximately three days of accounting activity.

This experience reinforced several critical lessons:

  • Invest in layered cybersecurity and expert support. Having trusted IT partners and advanced monitoring tools in place is essential—not just for prevention, but for rapid detection and response.
  • Validate your backups—regularly. A backup strategy is only as good as its ability to perform in a crisis. Routine audits and testing are non-negotiable.
  • Leverage cyber insurance as a strategic resource. The speed and expertise provided by our carrier’s response team were invaluable in both investigation and recovery.
  • Implement Multi-Factor Authentication (MFA). MFA remains one of the most effective ways to reduce the risk of unauthorized access and should be a standard across all environments.

While no organization wants to experience a ransomware event, this incident underscored the importance of preparation, partnership, and proactive investment in cybersecurity. In our case, those measures turned what could have been a catastrophic event into a manageable—albeit challenging—disruption.

Tamara Draeger, CEO of Nebraska Warehouse
Author: Tamara Draeger