Nevada’s Government Hit by Sophisticated Ransomware Attack: Inside the Full Breakdown

By Gigabit Systems
November 12, 2025

A Transparent Look at How the Hack Happened

The State of Nevada has released a rare, fully transparent after-action report detailing how an intrusion that began in May culminated in an August ransomware attack on more than 60 government agencies, taking down websites, communication systems, and online services across the state.

Despite the widespread disruption, Nevada refused to pay a ransom. Within 28 days the state’s IT teams had restored 90% of critical systems, earning praise for both resilience and transparency.

🕵️ How the Attack Started

The breach began months earlier, on May 14, when a state employee unknowingly downloaded a trojanized version of a legitimate system administration tool.

  • The employee searched Google for the tool, clicked a malicious search ad, and installed a fake version laced with malware.

  • Once executed, the program installed a hidden backdoor with a persistence mechanism that reconnected to the attackers’ infrastructure every time the employee logged in.

This tactic, malvertising aimed at IT staff searching for admin tools, has become increasingly common: trojanized installers posing as WinSCP, AnyDesk, KeePass, and other administrative tools have been used to breach corporate and government networks. The practical defence is to fetch such tools only from the vendor’s own site (bookmarked or allow-listed, never via a search ad) and to verify the installer’s code signature and published hash before running it.

💻 From Backdoor to Ransomware

Symantec Endpoint Protection flagged and quarantined the malware in June, but quarantine removed only the payload: the attacker’s logon-time persistence mechanism was left in place, so the foothold survived.
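The foothold outlived the quarantine because antivirus removed the payload file but not the launcher that kept invoking it. The script below is an added example (not code from the Nevada report or from Gigabit Systems) of the check a responder should run after any quarantine alert: walk the autorun inventory (Run keys, scheduled tasks), pull the target binary out of each command line, and flag launchers whose target was quarantined or is missing, or that run from a user-writable directory. The inventory, quarantine list, file list, names and paths are all constructed sample data; on a real host you would feed it the output of the registry, the Task Scheduler and the AV console.

```python
"""Persistence audit after an antivirus quarantine.

Added example, not code from the Nevada report or from Gigabit Systems.
The autorun inventory, quarantine list and file inventory below are
constructed sample data standing in for what you would collect from the
Run/RunOnce keys, Scheduled Tasks and the AV console on a real host.
"""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to. Legitimate logon-time
# services almost never launch from here; trojanized installers usually do.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE
)


@dataclass
class AutorunEntry:
    source: str    # where the launcher lives: registry key or "SchTasks"
    name: str
    command: str   # full command line as recorded


# Constructed inventory (hypothetical names and paths).
SAMPLE_ENTRIES = [
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                 "SecurityHealth",
                 r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                 "AdminToolUpdater",
                 r'"C:\Users\jdoe\AppData\Roaming\AdminTool\update.exe" --silent'),
    AutorunEntry("SchTasks",
                 r"\Microsoft\Windows\Maintenance\AdminToolSync",
                 r'"C:\ProgramData\AdminTool\svc.exe" /reconnect'),
]
# What the AV console reports as quarantined, and what is actually on disk.
QUARANTINED = [r"C:\Users\jdoe\AppData\Roaming\AdminTool\update.exe"]
PRESENT_FILES = [
    r"C:\Windows\System32\SecurityHealthSystray.exe",
    r"C:\ProgramData\AdminTool\svc.exe",
]


def target_path(command: str) -> str:
    """Extract the executable path from a command line, quoted or bare."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else command.strip()


def audit(entries, quarantined, present_files):
    """Flag launchers that point at a quarantined or missing binary
    (dangling persistence: the payload is gone, the trigger is not) and
    launchers that run from a user-writable directory."""
    quarantined = {q.lower() for q in quarantined}
    present = {p.lower() for p in present_files}
    findings = []
    for entry in entries:
        path = target_path(entry.command)
        reasons = []
        if path.lower() in quarantined:
            reasons.append("target quarantined but launcher left in place (dangling persistence)")
        elif path.lower() not in present:
            reasons.append("target missing on disk")
        if USER_WRITABLE.search(path):
            reasons.append("launches from a user-writable directory")
        if reasons:
            findings.append({"source": entry.source, "name": entry.name,
                             "target": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ENTRIES, QUARANTINED, PRESENT_FILES):
        print(f"{f['source']} :: {f['name']} -> {f['target']}")
        for r in f["reasons"]:
            print("   -", r)
```

A launcher whose target has just been quarantined is itself the indicator worth acting on: it tells you the quarantine was a partial cleanup, and removing it is what actually closes the foothold.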

By early August the attackers had installed a commercial remote monitoring and management (RMM) tool, giving them keystroke capture, screen recording, and visibility into network traffic.

They then moved laterally over Remote Desktop Protocol (RDP) sessions and custom encrypted tunnels, reaching privileged servers that included the password vault.

The attackers harvested credentials for 26 accounts, wiped event logs to cover their tracks, and began staging data for exfiltration. Investigators found no evidence that the staged data left the network, but more than 26,000 files were accessed.
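Two of the behaviours above leave distinctive traces in Windows Security logs: RDP logons (event 4624 with LogonType 10) from one source to many servers in a short window, and the log-clearing itself (event 1102, or 104 in the System log). The following detection is an added example, not code from the Nevada report or from Gigabit Systems; it assumes events have already been normalised into dicts, and the event list, hostnames, accounts and addresses are constructed sample data.

```python
"""RDP fan-out and log-clearing detection over Windows Security events.

Added example, not code from the Nevada report or from Gigabit Systems.
Assumes events have already been normalised into dicts with the fields
used below; the EVENTS list is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10        # Event 4624, LogonType 10 = RemoteInteractive (RDP)
LOG_CLEARED = {            # IDs written when an operator wipes a log
    1102: "Security audit log cleared",
    104: "System event log cleared",
}

# Constructed sample: one source address reaching three servers over RDP with
# two accounts inside 20 minutes, then the Security log cleared on the last
# server; plus a local interactive logon and a lone helpdesk RDP session that
# must not fire.
EVENTS = [
    {"ts": "2025-08-20T02:03:11Z", "host": "SRV-FS01", "event_id": 4624,
     "logon_type": 10, "user": "jdoe", "src_ip": "10.20.30.40"},
    {"ts": "2025-08-20T02:09:47Z", "host": "SRV-AD01", "event_id": 4624,
     "logon_type": 10, "user": "jdoe", "src_ip": "10.20.30.40"},
    {"ts": "2025-08-20T02:15:02Z", "host": "WKS-0112", "event_id": 4624,
     "logon_type": 2, "user": "asmith", "src_ip": "-"},
    {"ts": "2025-08-20T02:18:30Z", "host": "SRV-VAULT01", "event_id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "10.20.30.40"},
    {"ts": "2025-08-20T02:40:00Z", "host": "SRV-VAULT01", "event_id": 1102,
     "user": "svc_backup"},
    {"ts": "2025-08-20T09:00:00Z", "host": "SRV-FS01", "event_id": 4624,
     "logon_type": 10, "user": "helpdesk1", "src_ip": "10.20.30.41"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=timedelta(minutes=30), host_threshold=3):
    """Return alerts in detection order.

    - 'log_cleared': every 1102/104 event (wiping a server's log has no
      benign explanation outside a planned change).
    - 'rdp_fanout': one alert per source IP whose RDP logons reach at
      least host_threshold distinct hosts within any sliding window.
    """
    alerts = []
    rdp_by_src = defaultdict(list)   # src_ip -> [(time, host, user), ...]
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        eid = ev["event_id"]
        if eid in LOG_CLEARED:
            alerts.append({"rule": "log_cleared", "host": ev["host"],
                           "user": ev["user"], "detail": LOG_CLEARED[eid]})
        elif eid == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            rdp_by_src[ev["src_ip"]].append(
                (parse_ts(ev["ts"]), ev["host"], ev["user"]))

    for src, logons in rdp_by_src.items():
        lo = 0
        for hi in range(len(logons)):           # two-pointer sliding window
            while logons[hi][0] - logons[lo][0] > window:
                lo += 1
            span = logons[lo:hi + 1]
            hosts = {h for _, h, _ in span}
            if len(hosts) >= host_threshold:
                alerts.append({"rule": "rdp_fanout", "src_ip": src,
                               "hosts": sorted(hosts),
                               "users": sorted({u for _, _, u in span}),
                               "first": span[0][0].isoformat(),
                               "last": span[-1][0].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The fan-out rule is only as good as the log copy it runs on: once the attacker clears the Security log on a server, the 4624 records there are gone, so the events must be forwarded to a collector the compromised accounts cannot write to before the rule has anything to match.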

Finally, on August 24 at 08:30 UTC, the attackers deleted all backup volumes, disabled recovery mechanisms, and deployed ransomware across the state’s virtualized infrastructure. The backups were deletable with the administrative access the attackers already held; only a copy that compromised credentials cannot alter, such as an immutable or offline backup, survives this step.

Within 20 minutes, the Governor’s Technology Office detected the mass outage and initiated emergency response procedures.

🧩 Recovery Without Paying Ransom

Instead of paying cybercriminals, Nevada’s IT staff worked around the clock.

  • 50 employees logged 4,200 overtime hours, costing $259,000.

  • The decision to rely on in-house recovery saved an estimated $478,000 compared to hiring external contractors.

External vendors provided forensics, infrastructure rebuilding, data recovery, network security, and legal counsel at a total cost of roughly $1.3 million; the line items below account for about $1.07 million of that.

| Vendor | Service | Cost |
|---|---|---|
| Microsoft DART | Infrastructure rebuild | $354,481 |
| Mandiant | Forensics & IR | $248,750 |
| Aeris | Recovery support | $240,000 |
| BakerHostetler | Legal & privacy counsel | $95,000 |
| SHI (Palo Alto) | Network security | $69,400 |
| Dell | Data recovery | $66,500 |

🔒 Strengthening Defenses

Following the attack, Nevada’s Governor’s Technology Office (GTO) took immediate steps to fortify systems:

  • Removed outdated accounts and security certificates

  • Reset all privileged passwords

  • Restricted access to sensitive infrastructure

  • Reviewed and hardened system rules and permissions

The report also highlights the need for continuous monitoring, rapid threat detection, and better staff training, as threat actors refine their techniques.

⚠️ Why It Matters

Nevada’s decision to release a full technical report sets a new standard for government transparency in cybersecurity.

The case also illustrates how a single malicious download can lead to statewide disruption, and how a rehearsed response playbook and a refusal to pay can still make recovery possible.
