Nevada Government Hit by Devastating Ransomware Attack

Summary
– Nevada’s systems were initially breached in May when an employee downloaded a trojanized system administration tool from a fake website via a malicious search ad.
– The attackers maintained persistent access for months, moving laterally through the network to steal credentials and delete backups before deploying ransomware on August 24.
– The state restored 90% of impacted data within 28 days without paying a ransom, relying on internal IT staff who worked over 4,000 overtime hours at a cost of $259,000.
– External vendor support for incident response and recovery totaled approximately $1.3 million, with services including forensics, legal counsel, and infrastructure rebuilding.
– Nevada’s transparent after-action report sets a cybersecurity example, detailing the attack’s progression and the state’s improved defenses, while acknowledging ongoing vulnerabilities.
A recent cybersecurity incident involving the State of Nevada offers a revealing look into how a major ransomware attack unfolds and how a government body can successfully recover without giving in to extortion demands. The state has released a remarkably transparent after-action report detailing the entire event, from the initial breach to the restoration of services, providing a valuable case study for other organizations facing similar threats.
The attack, which ultimately disrupted operations across more than 60 state agencies, began months before it was discovered. In mid-May, a state employee searching for a system administration tool encountered a malicious advertisement through a search engine. This ad directed the employee to a counterfeit website that distributed a booby-trapped version of the software. Upon installation, this malware secretly installed a backdoor, granting hackers a persistent foothold within the government’s internal network.
This method of attack, where cybercriminals use poisoned search ads to impersonate popular IT tools, has become increasingly common. By targeting system administrators, attackers aim to gain the elevated network privileges these users often possess. Even after security software identified and removed the malicious file in late June, the attackers’ persistence mechanism remained active, allowing them to maintain access.
Their activities escalated in early August when they installed commercial remote-monitoring software on a state system, enabling them to record screens and log keystrokes. Shortly after, they deployed a custom, encrypted tunneling tool to bypass security controls and establish Remote Desktop Protocol sessions across numerous systems. This access allowed them to move laterally through the network, reaching critical servers including a password vault. From this server, they extracted credentials for 26 different accounts and then wiped event logs to cover their tracks.
Investigators confirmed the attackers accessed over 26,000 files and prepared a compressed archive containing sensitive information, though there is no evidence this data was ever exfiltrated or published. The attack culminated on August 24 when the attackers accessed the backup server and deleted all backup volumes to cripple recovery efforts. They then logged into the virtualization management server, modified security settings, and at 08:30 UTC deployed ransomware across all servers hosting the state’s virtual machines. The statewide IT outage was detected about twenty minutes later, triggering a massive 28-day recovery operation.
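The sequence above (RDP sessions fanning out across many hosts from one account, event logs wiped on the password vault, backup volumes deleted shortly before encryption) maps onto three detections a security operations team can run over ordinary Windows and backup-appliance audit events. The following is an added example written for this article; it is not tooling from the State of Nevada, Mandiant, or Bleeping Computer. The sample events are constructed, the host names and account names are invented, and the `BackupVolumeDeleted` record is a hypothetical stand-in for whatever audit event a given backup product emits. Event ID 4624 with logon type 10 (RemoteInteractive) and Event ID 1102 (Security log cleared) are real Windows Security log identifiers.

```python
"""Three detection rules modelled on the attack progression in Nevada's
after-action report. Added example with constructed sample events; not
the state's own tooling. Event IDs 4624/1102 and logon type 10 are real
Windows values; 'BackupVolumeDeleted' is a hypothetical appliance record."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (invented hosts, users and timestamps).
SAMPLE_EVENTS = [
    {"ts": "2025-08-20T01:02:00", "event_id": 4624, "logon_type": 10, "user": "svc-admin", "host": "FS01", "src_ip": "10.0.5.23"},
    {"ts": "2025-08-20T01:05:00", "event_id": 4624, "logon_type": 10, "user": "svc-admin", "host": "FS02", "src_ip": "10.0.5.23"},
    {"ts": "2025-08-20T01:09:00", "event_id": 4624, "logon_type": 10, "user": "svc-admin", "host": "DB01", "src_ip": "10.0.5.23"},
    {"ts": "2025-08-20T01:14:00", "event_id": 4624, "logon_type": 10, "user": "svc-admin", "host": "VAULT01", "src_ip": "10.0.5.23"},
    {"ts": "2025-08-20T01:30:00", "event_id": 1102, "user": "svc-admin", "host": "VAULT01"},
    {"ts": "2025-08-20T09:00:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "host": "WS17", "src_ip": "10.0.9.8"},
    {"ts": "2025-08-24T07:50:00", "event_id": "BackupVolumeDeleted", "user": "svc-admin", "host": "BACKUP01", "volume": "vol-a"},
    {"ts": "2025-08-24T07:52:00", "event_id": "BackupVolumeDeleted", "user": "svc-admin", "host": "BACKUP01", "volume": "vol-b"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(value)


def detect_rdp_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Flag an account whose RemoteInteractive logons (4624, type 10) reach
    at least `min_hosts` distinct hosts inside a sliding `window`. One admin
    touching many servers in minutes is the lateral-movement pattern."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4624 and e.get("logon_type") == 10:
            by_user[e["user"]].append((parse_ts(e["ts"]), e["host"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()  # chronological, so logons[i:] are all at or after t0
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "rdp_fanout", "user": user,
                               "hosts": sorted(hosts), "start": t0.isoformat()})
                break  # one alert per account is enough for triage
    return alerts


def detect_log_cleared(events):
    """Event ID 1102 means the Security log was cleared. Legitimate clears
    are rare enough that every instance is worth an alert."""
    return [{"rule": "log_cleared", "user": e["user"], "host": e["host"], "ts": e["ts"]}
            for e in events if e.get("event_id") == 1102]


def detect_backup_deletion(events, window=timedelta(minutes=10), min_volumes=2):
    """Flag an account deleting `min_volumes` or more backup volumes inside
    `window`: the pre-encryption step that removes the recovery path."""
    dels = sorted((parse_ts(e["ts"]), e["user"], e["volume"])
                  for e in events if e.get("event_id") == "BackupVolumeDeleted")
    alerts = []
    for i, (t0, user, _) in enumerate(dels):
        vols = [v for t, u, v in dels[i:] if u == user and t - t0 <= window]
        if len(vols) >= min_volumes:
            alerts.append({"rule": "backup_deletion", "user": user,
                           "volumes": vols, "start": t0.isoformat()})
            break
    return alerts


def run_all(events):
    """Run every rule and return the combined alert list."""
    return (detect_rdp_fanout(events)
            + detect_log_cleared(events)
            + detect_backup_deletion(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this raises three alerts: the `svc-admin` account reaching four hosts over RDP in twelve minutes, the Security log cleared on `VAULT01` by that same account, and two backup volumes deleted within two minutes. The thresholds are deliberately low for illustration; in production they are tuned against the environment's normal administrative activity, and the 1102 rule is usually paired with alerting on the audit-forwarding pipeline itself, since logs cleared locally are only useful if copies already left the host.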
Crucially, Nevada refused to pay the ransom. Instead, the state mobilized its internal IT workforce, authorizing significant overtime to rebuild systems. A total of 50 employees worked 4,212 overtime hours, costing approximately $259,000 in wages. This decisive internal response ensured that critical functions like payroll and public safety communications remained operational and allowed citizen-facing systems to be restored quickly. The state estimates this approach saved nearly $478,000 compared to standard contractor rates.
External support during the incident response came with a price tag exceeding $1.3 million. Major vendors included Microsoft for support and infrastructure rebuild, Mandiant for forensic investigation, and Aeris for recovery engineering, among others. The specific ransomware group responsible has not been publicly identified, as no major gangs claimed the attack on their extortion sites.
The incident ultimately highlighted Nevada’s cyber-resilience. The state’s technology office prioritized securing the most sensitive systems first and restricted access to essential personnel only. In the aftermath, the state has implemented numerous security enhancements, including the removal of obsolete accounts, widespread password resets, and a thorough review of system permissions. While the recovery was a significant undertaking, the state acknowledges that continued investment in cybersecurity monitoring and response capabilities is essential as cyber threats continue to advance.
(Source: Bleeping Computer)