Nevada ransomware attack offers lessons in statewide cyber resilience
Strategic planning and incident response turned a catastrophic attack into a model for recovery
Key Takeaways
- Preparedness pays off: Nevada’s prior investments in cyber resilience enabled rapid mobilization and recovery—even after attackers deleted backup volumes.
- Sophisticated attack tactics: Threat actors remained undetected for months and accessed thousands of sensitive files.
- Coordinated response and recovery: Well-rehearsed playbooks, vendor relationships, and federal partnerships allowed Nevada to restore business-critical services within a week and achieve full recovery in 28 days.
In August 2025, Nevada state government systems suddenly went offline. What initially appeared to be a routine outage turned out to be a full-scale ransomware attack affecting more than 60 state agencies—including Department of Motor Vehicles (DMV) systems, social services, law enforcement, state payroll, and more. Some systems remained offline for 28 days.
Nevada Attorney General announces closure of state offices
The attack and its statewide impact are detailed in an after-action report (AAR) published near the end of October. The AAR was authored by Info-Tech Research Group, with contributions from Nevada’s executive branch and an opening statement from the state's Chief Information Officer (CIO). The report provides an overview of the attack and insights into the state’s incident response (IR) plan. Nevada’s prior investments in resilience and operational readiness play a central role in this story. You can download the PDF here.
Before the Attack
Nevada entered this crisis better prepared than most states, thanks to years of planning and practicing incident response. According to the report:
- Nevada funded IR planning, cyber insurance, and technical hardening measures that enabled rapid recovery. Prior investments in backup strategies, staff training, and recovery preparation helped the state mobilize quickly—even after attackers deleted backup volumes.
- Well-developed and rehearsed playbooks, combined with annual multi-agency simulations, ensured all state agencies understood their roles during a real emergency. These exercises also established a unified governance structure for decision-making and communication.
- A cyber insurance program and pre-negotiated relationships with Mandiant and other vendors facilitated rapid engagement of technical and forensic specialists within hours. Pre-existing ties with DHS and the FBI ensured federal assistance was integrated smoothly.
The AAR credits these preparations for the controlled and disciplined response.
The Attack
The report does not name the threat actors or malware strains—public reports rarely include details that could expose defenses or aid other attackers. Such information is shared internally and through closed groups like Information Sharing and Analysis Centers (ISACs) to improve defenses. As of October 28, 2025, Nevada’s AAR remains the most complete public account of this statewide cyber incident.
Initial Access
On May 14, 2025, a state employee mistakenly downloaded and executed a malware-laced system administration tool from a spoofed website. The attacker used SEO poisoning and Google Ads to make the malicious link appear legitimate. While the report does not identify the malware, the tactics resemble those used in Nitrogen loader attacks. Although attribution is uncertain, the similarities are notable.
The report does not confirm whether the employee had administrative privileges, leaving open scenarios such as local admin rights or use of a system where admin tools were commonly installed.
Persistence and Communications
The malware installed on May 14 created a backdoor that remained active even after Symantec detected and removed the source file on June 26. The backdoor likely made configuration changes and left artifacts undetected by endpoint protection. It connected to attacker infrastructure each time a user signed in, allowing threat actors to operate within the user’s context and minimize alerts from system-wide checks or network anomalies.
Privilege Escalation and Lateral Movement
With a foothold on a workstation, attackers installed a remote monitoring and management (RMM) tool, enabling them to log keystrokes, view screens, and ultimately capture 26 sets of credentials. The RMM tool became the primary method for gathering information, while the backdoor ensured ongoing access. With that in mind, here's the likely path from the workstation/user context to network and server access:
- Started with user-level access, maintaining backdoor communication.
- Installed a commercial RMM tool manually with the user's credentials.
- Used RMM to capture standard and privileged credentials, enabling administrative logins.
- Leveraged administrative privileges and RDP to navigate the network through encrypted tunnels.
Data Exfiltration
Attackers aggregated tens of thousands of sensitive files into a single ZIP archive, split into six parts for easier transfer. Investigators found no confirmation of successful extraction or evidence on leak sites. However, an August 27 statement from the Governor’s Technology Office suggested some data may have been moved outside the network. Both statements can be true, as standards for “evidence” and “confirmation” vary.
The AAR reports that 26,408 files were accessed and 3,241 files were potentially exposed. One file contained personal information of a former state employee, who has been notified. Investigators continue monitoring for signs of exfiltration.
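As an added illustration (not code from the AAR, Nevada, or any vendor named here), the following Python shows how a defender could flag the two behaviors described in the Persistence and Data Exfiltration sections above: a peer contacted shortly after every sign-in by the same user, and a large archive being staged as a numbered multi-part set. The telemetry format, host names, addresses and paths are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry, not data from the Nevada report:
# timestamp (epoch seconds) | host | user | event type | detail
SAMPLE_EVENTS = r"""
1000|ws-17|jdoe|logon|interactive
1012|ws-17|jdoe|netconn|203.0.113.8:443
1500|ws-17|jdoe|netconn|198.51.100.20:443
4000|ws-17|jdoe|logon|interactive
4009|ws-17|jdoe|netconn|203.0.113.8:443
8000|ws-17|jdoe|logon|interactive
8015|ws-17|jdoe|netconn|203.0.113.8:443
8020|ws-17|jdoe|filecreate|C:\Users\jdoe\AppData\Local\Temp\export.zip.001
8021|ws-17|jdoe|filecreate|C:\Users\jdoe\AppData\Local\Temp\export.zip.002
8022|ws-17|jdoe|filecreate|C:\Users\jdoe\AppData\Local\Temp\export.zip.003
8100|ws-17|jdoe|filecreate|C:\Users\jdoe\Documents\notes.zip
"""

BEACON_WINDOW = 30   # seconds after a logon within which a connection counts as logon-triggered
MIN_LOGONS = 3       # distinct logons that must each be followed by a connection to the same peer
PART_RE = re.compile(r"^(.*\.(?:zip|7z|rar))\.\d{3}$|^(.*)\.z\d{2}$", re.IGNORECASE)

def parse(text):
    """Split the pipe-delimited telemetry into (ts, host, user, kind, detail) tuples."""
    rows = [line.split("|", 4) for line in text.strip().splitlines()]
    return [(int(r[0]), r[1], r[2], r[3], r[4]) for r in rows]

def logon_triggered_peers(rows):
    """Peers contacted within BEACON_WINDOW seconds of at least MIN_LOGONS separate
    logons by the same user on the same host: the sign-in-triggered backdoor pattern."""
    logons = [(ts, host, user) for ts, host, user, kind, _ in rows if kind == "logon"]
    hits = defaultdict(set)
    for ts, host, user, kind, peer in rows:
        if kind != "netconn":
            continue
        for lts, lhost, luser in logons:
            if (lhost, luser) == (host, user) and 0 <= ts - lts <= BEACON_WINDOW:
                hits[(host, user, peer)].add(lts)
    return {k: len(v) for k, v in hits.items() if len(v) >= MIN_LOGONS}

def split_archive_sets(rows):
    """Multi-part archive sets (.zip.001/.002 or .z01/.z02) staged by one user on one host."""
    parts = defaultdict(set)
    for _, host, user, kind, path in rows:
        m = PART_RE.match(path) if kind == "filecreate" else None
        if m:
            parts[(host, user, m.group(1) or m.group(2))].add(path)
    return {k: len(v) for k, v in parts.items() if len(v) >= 2}
```

On the sample above the beacon check returns only the peer seen after all three logons, and the archive check returns the three-part export set while ignoring the single ordinary ZIP.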
Encryption
The ransomware family and encryption binary remain unidentified. Before deployment, attackers deleted all backup volumes and used root-level access on the virtualization management server to encrypt multiple virtual machines simultaneously.
Public advisory by the State of Nevada Governor's Technology Office, posted on LinkedIn
Network disruption began around 1:52 a.m. PT, affecting DMV, public safety, health services, courts, and other statewide portals. A ransom note was left on affected systems.
Incident Response
The Governor’s Technology Office escalated the issue to CIO Timothy D. Galluzi and other officials. The response team:
- Isolated affected virtual machines
- Engaged legal counsel and Mandiant via cyber-insurance channels
- Initiated recovery playbooks the same day
Full statewide recovery took 28 days, though business-critical services were restored within the first week. The state recovered 90% of the affected data and no ransom was paid.
Post-incident improvements
Following the attack, Nevada strengthened its cybersecurity posture with several improvements:
- Expanded endpoint detection and response (EDR): The state upgraded its endpoint protection to include advanced behavioral analytics and continuous monitoring, reducing the likelihood of undetected persistence.
- Zero trust architecture initiatives: Nevada accelerated its adoption of Zero Trust principles, enforcing stricter identity verification, least-privilege access, and segmentation across critical systems.
- Enhanced backup strategy: The state introduced immutable backups and offsite storage to prevent attackers from deleting recovery volumes, ensuring faster restoration in future incidents.
- Improved vendor and incident response contracts: Pre-negotiated agreements were revised to guarantee even faster engagement of forensic and recovery specialists, with clearer service level agreements (SLAs) for emergency response.
- Comprehensive staff training: Cybersecurity awareness programs were expanded to include phishing simulations and secure tool usage, reducing the risk of initial compromise.
- Continual threat hunting and red team exercises: Nevada established a dedicated threat-hunting team and scheduled regular red-team assessments to identify vulnerabilities proactively.
- Centralized security operations: The state invested in a Security Operations Center (SOC) with 24/7 monitoring and integrated threat intelligence feeds for real-time detection and response.
Looking back
Reaction to the state’s recovery performance is largely favorable. The AAR notes that the full recovery time of 28 days is “below the national average” and “well below typical public-sector timelines for public-sector incidents of this scope.” Comparitech notes that 27.8 days is the average recovery time for government entities, but Nevada did restore critical services within one week and was able to meet all payroll obligations on time. The state also worked through its recovery process without paying a ransom to decrypt the files. Some of Nevada’s recovery times are below the national average, but the 28-day full recovery time seems to fall in line with similar public-sector incidents.
The 102-day dwell time may be below the national average. According to Gregory Moody of University of Nevada, Las Vegas (UNLV), “it typically takes between seven and eight months” to discover an intrusion like this. The 2024 IBM Cost of a Data Breach Report tells us the global Mean Time to Identify (MTTI) for a data breach was 194 days, or about 6.5 months.
Because Nevada did not pay a ransom, it likely saved over $2 million for that line item. Nevada's direct recovery spend of roughly $1.5 million for vendor costs and staff overtime may be at or below the national average. Various reports put the average costs around $1.5-1.8 million.
Taken together, Nevada’s performance demonstrates the state was well prepared and resilient under pressure. While neither the dwell time nor the full recovery window were extraordinary outliers, Nevada’s ability to restore critical services within days, avoid paying a ransom, and keep overall recovery costs within national norms reflects a well-structured cybersecurity program. This incident should serve as a reminder that preparation can dramatically influence how quickly and effectively an organization can recover from a sophisticated, widespread attack.