The Nevada government ransomware attack represents one of the most complex and transparently documented public-sector cyber incidents in U.S. history. A detailed after-action report released by the Governor’s Technology Office (GTO) outlines how hackers breached the state’s systems, deployed ransomware, and disrupted 60 state agencies, affecting everything from public websites to payroll processing. The attack demonstrated how a single malicious download can cascade into a full-scale digital crisis. It also showed how preparation, coordination, and persistence can restore an entire state government without paying a ransom.
The 2025 statewide cyber incident revealed that the initial compromise began three months before the ransomware deployment, following a sophisticated social engineering and SEO poisoning campaign. Attackers tricked a state employee into downloading a trojanized version of a legitimate system administration tool, which embedded a backdoor into the network. Over the course of several weeks, the attackers escalated privileges, moved laterally across critical systems, and gained access to administrator accounts. The ransomware was deployed in late August 2025, bringing down key systems and disrupting services across Nevada.
Background of the Nevada Government Ransomware Attack
The GTO report begins with a statement from State Chief Information Officer Timothy D. Galluzi, describing how the breach unfolded and how his team worked to restore operations. According to the report, the ransomware attack was initiated through a poisoned advertisement that appeared in search results when an employee attempted to download a network utility. The ad redirected the user to a fraudulent website impersonating the legitimate software vendor. Once the tool was installed, it deployed malware that bypassed endpoint defenses and connected to the attacker’s command infrastructure each time the computer booted.
This persistence allowed the attackers to quietly monitor the network for months. Despite endpoint protection systems flagging and quarantining the tool in late June, remnants of the infection remained active. The attackers used this persistence to install commercial remote monitoring and management software on multiple systems, allowing them to record screens, log keystrokes, and observe privileged activity in real time. They used this access to collect credentials from 26 privileged accounts, including administrative and service accounts with high-level access to servers and storage systems.
Timeline of the Attack
Investigators determined that the initial compromise occurred on May 14, 2025. The infected utility was downloaded twice that day from the attacker’s fake website. On June 26, Symantec Endpoint Protection detected and removed the visible malware component, but the persistence mechanism allowed continued access. On August 5 and August 15, the attackers installed commercial monitoring software on two separate user systems, expanding their visibility into the network. These installations provided the attackers with both standard and privileged credentials.
Between August 14 and August 24, the attackers used encrypted tunnels to bypass network defenses and established Remote Desktop Protocol (RDP) sessions between critical systems. They accessed the state’s password vault server and extracted administrative credentials, which were then used to spread ransomware payloads across the environment. During this phase, they also cleared Windows event logs to hide traces of their movements. On August 24 at 01:30 AM Pacific Time, the attackers deployed ransomware across virtualization servers hosting hundreds of virtual machines, effectively crippling agency operations statewide.
Within twenty minutes, the GTO detected the outages. At 01:50 AM, the statewide response effort began. The GTO immediately isolated affected systems, escalated the incident to the Governor’s Office, and engaged trusted vendors to assist with recovery. By early morning, the state confirmed that encrypted files and ransom notes were present. The Governor’s Office publicly reaffirmed that Nevada would not pay ransom under any circumstances, instead relying on its cyber insurance and vendor network to rebuild from scratch.
Investigation and Forensic Analysis
Mandiant, a leading cybersecurity firm under Google Cloud, was formally engaged on August 26, 2025, following the incident. Their analysis confirmed that the attackers’ entry vector was a malware-laced administrative tool distributed through a search engine advertisement. The earliest evidence of compromise dated back to May 14, more than three months before the ransomware deployment. Mandiant concluded that the threat actor used encrypted network tunnels to maintain persistent access and avoid detection, along with commercial monitoring software to track administrative sessions.
During their investigation, Mandiant discovered that 26,408 files were accessed, and 3,241 files were exposed. The attackers compressed the data into a six-part ZIP archive, possibly for exfiltration, but investigators found no proof that the data was transferred or published. Only one file contained personally identifiable information (PII), which pertained to a former state employee. That individual was notified in accordance with Nevada Revised Statutes 603A.220. The report also stated that no evidence of ongoing attacker presence was found after containment began.
Mandiant’s work provided valuable intelligence about the threat actor’s tactics, techniques, and procedures. Their report included evidence of encrypted tunnels, credential dumping tools, and system manipulation that aligned with professional ransomware operators. They also identified traces of remote-access programs such as AnyDesk and RDP sessions used for lateral movement between critical systems. Mandiant’s forensic validation gave the GTO the confidence to proceed with full-scale recovery without fear of reinfection.
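As an added example (not code from the GTO or Mandiant report), the following Python sketch shows how a defender could triage the kinds of Windows events the timeline describes: RDP logons between critical servers, Security/System log clearing, and unapproved remote-access tools such as AnyDesk. The host inventory, the normalized event fields (such as `src_host`) and the sample records are constructed assumptions.

```python
from collections import defaultdict

# Assumed inventory: servers that should never open RDP sessions to one another.
CRITICAL_HOSTS = {"vault01", "esx-mgmt01", "fileserv02"}
# Remote-access tools outside the assumed approved software baseline.
UNAPPROVED_RMM = {"anydesk.exe"}

def classify(ev):
    """Map one normalized Windows event record (dict) to a finding label, or None."""
    eid = ev["id"]
    if eid in (1102, 104):  # Security (1102) or System (104) event log cleared
        return "log_cleared"
    if eid == 4624 and ev.get("logon_type") == 10:  # LogonType 10 = RemoteInteractive (RDP)
        if ev["host"] in CRITICAL_HOSTS and ev.get("src_host") in CRITICAL_HOSTS:
            return "rdp_between_critical"
    if eid == 4688:  # process creation; compare the image basename only
        if ev["image"].rsplit("\\", 1)[-1].lower() in UNAPPROVED_RMM:
            return "unapproved_rmm"
    return None

def findings_by_host(events):
    """Collect the distinct finding labels observed on each host."""
    out = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            out[ev["host"]].add(label)
    return dict(out)

def escalate(by_host, threshold=2):
    """Hosts showing at least `threshold` distinct stages get priority triage."""
    return sorted(h for h, labels in by_host.items() if len(labels) >= threshold)

# Constructed sample events modelled on the stages in the timeline above.
SAMPLE_EVENTS = [
    {"ts": "2025-08-15T09:02:11", "host": "ws-finance-12", "id": 4688,
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"ts": "2025-08-18T22:41:03", "host": "vault01", "id": 4624,
     "logon_type": 10, "src_host": "esx-mgmt01", "user": "svc_backup"},
    {"ts": "2025-08-18T22:55:40", "host": "vault01", "id": 1102, "user": "svc_backup"},
    {"ts": "2025-08-19T08:10:00", "host": "ws-hr-03", "id": 4624,
     "logon_type": 2, "user": "asmith"},
]

if __name__ == "__main__":
    by_host = findings_by_host(SAMPLE_EVENTS)
    for host in escalate(by_host):
        print(f"PRIORITY {host}: {sorted(by_host[host])}")
```

A real deployment would read these fields from Sysmon or Security-channel exports and keep the inventory in a CMDB rather than a constant.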
Response Detail and Recovery Effort
The Nevada government ransomware attack triggered the largest coordinated IT recovery operation in state history. The Governor’s Technology Office prioritized containment first, focusing on isolating affected networks and preventing further spread. Once isolation was complete, attention turned to recovery. After confirming that backups had been deleted, the state engaged Dell Recovery Support to lead restoration efforts. Dell’s team worked alongside internal IT personnel to rebuild systems and recover lost data using hardware-level recovery techniques and previously stored redundancy points.
Over 28 days, Nevada’s IT staff and vendor partners restored 90 percent of all encrypted data. Recovery efforts were divided into phases, starting with essential services such as payroll, law enforcement systems, and citizen-facing platforms. Each recovered system was validated by Mandiant and monitored for abnormal activity before being reconnected. Microsoft’s DART (Detection and Response Team) handled the restoration of Office 365 services, reimplementation of security certificates, and reconfiguration of accounts. Aeris provided engineering support for virtual machine restoration, while BakerHostetler advised on legal compliance and privacy communication.
The GTO coordinated recovery through daily status meetings and consistent progress reports. Every phase of restoration was tracked, documented, and validated by internal and external teams. This disciplined structure allowed the state to resume near-complete functionality within a month, avoiding the prolonged downtime that often accompanies large ransomware events. According to the report, more than 4,200 overtime hours were logged by IT employees during the 28-day recovery, totaling approximately $259,000 in additional wages. This figure was far less than the projected $478,000 in contractor costs that would have been incurred had the state outsourced recovery entirely.
Leadership, Communication, and Coordination
The success of the recovery effort was attributed to years of proactive preparation and leadership coordination. Nevada had spent half a decade conducting annual cybersecurity simulations designed to test cross-agency communication during crises. These exercises created an environment where the Governor’s Office, the Attorney General, the CIO, and agency directors could act decisively during the real incident. Once the attack was detected, the state’s decision-making hierarchy activated immediately. Incident leaders issued containment orders, technical teams began forensic imaging, and external partners were contacted within hours.
The state adopted a communication strategy guided by one principle: “execute, then communicate.” This meant that containment and remediation always took priority over public announcements. Communications were managed by pre-assigned spokespersons to ensure clarity and consistency. The GTO provided technical updates, the Governor’s Office handled public messaging, and agency PIOs (Public Information Officers) addressed service-specific issues. Regular briefings were scheduled to keep both internal and external stakeholders informed without revealing sensitive operational details that could benefit the attackers.
The report also outlined Nevada’s approach to balancing transparency with security. All public updates were centralized through the OEM Recovery Hub, a website that served as the single source of truth for citizens and media outlets. This eliminated misinformation and reduced the risk of duplicated or inaccurate communications. When necessary, agencies used physical postings in compliance with state law to maintain accessibility during website outages. This consistent flow of verified information reinforced public trust while maintaining the integrity of the ongoing investigation.
Financial Impact of the Nevada Government Ransomware Attack
The Nevada government ransomware attack caused significant disruption but relatively moderate financial losses compared to similar incidents in other states. The total cost of recovery reached roughly $1.6 million, which included vendor contracts, overtime wages, and operational support. The largest single expense was Microsoft’s DART team at $354,481, followed by Mandiant’s forensic services at $248,750. Aeris, Dell, and SHI/Palo Alto also contributed to recovery at costs between $66,000 and $240,000 each. Legal and privacy guidance from BakerHostetler totaled $95,000. In total, the operation involved 50 state employees, six major vendors, and eight additional support contractors.
Compared to average ransom demands for attacks of similar scale, which often exceed $10 million, Nevada’s decision not to negotiate with the attackers resulted in substantial savings. The proactive decision to invest in cyber insurance years earlier proved invaluable, enabling rapid vendor engagement without the bureaucratic delays that typically hinder public-sector response efforts.
Reforms and Future Cybersecurity Planning
Following the incident, the Governor’s Technology Office announced several long-term reforms to strengthen Nevada’s cybersecurity posture. The state plans to transition from its current decentralized security model to a hybrid framework featuring a centralized Security Operations Center (SOC) responsible for unified monitoring of all critical infrastructure. In addition, a statewide Endpoint Detection and Response (EDR) platform will be implemented to provide real-time visibility into system activity and enable faster detection of malicious behavior.
Additional measures include improved vendor risk assessments, enhanced patch management policies, and continuous security audits. The report emphasized that agency-level application ownership needs more oversight, as several departments lacked clear accountability for critical systems. The GTO intends to standardize ownership structures, enforce stronger password rotation, and enhance backup strategies with immutable storage systems to prevent future deletion attempts.
Employee training and cultural awareness are also central to Nevada’s cybersecurity reform plan. The state is expanding mandatory cybersecurity education across all departments, ensuring that employees recognize phishing tactics, social engineering attempts, and malicious advertisements. These initiatives aim to eliminate the type of human error that allowed the initial compromise to occur.
Transparency, Public Trust, and Broader Impact
Nevada’s decision to release its complete after-action report has been widely praised by cybersecurity professionals and government analysts. The report provides a rare, unfiltered look into how a ransomware attack unfolds from beginning to end and how a government can recover without capitulating to criminals. Transparency is often avoided in such cases for fear of public backlash, but Nevada demonstrated that openness can enhance public confidence when combined with accountability and results.
The after-action documentation also serves as a valuable educational resource for other states. By sharing forensic timelines, vendor coordination strategies, and lessons learned, Nevada has created a blueprint for responding to future public-sector cyber incidents. Experts have noted that the state’s success hinged on three factors: early investment in cybersecurity infrastructure, comprehensive training across leadership tiers, and strong interagency collaboration during the crisis.
Key Lessons from the Nevada Government Ransomware Attack
The Nevada government ransomware attack revealed the critical need for vigilance in everyday administrative practices. A single employee download initiated a chain of events that impacted thousands of workers and millions of residents. However, the same incident also demonstrated the power of preparation, coordination, and resilience. Nevada’s refusal to pay ransom, combined with its methodical recovery process, prevented long-term data loss and financial extortion. The GTO’s use of strong vendor partnerships and a well-documented incident response playbook enabled a recovery timeline of less than a month, far shorter than average for incidents of similar size.
In the aftermath, Nevada continues to invest in stronger cybersecurity infrastructure and employee education. The lessons learned from this event have already influenced state policy, funding allocations, and legislative oversight of digital infrastructure. As the state continues to monitor for any resurgence of malicious activity, its 2025 experience stands as both a warning and a roadmap for governments worldwide.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.