Concise Cyber

Nevada Government Ransomware Attack: A Transparent Look at the Breach and Recovery

The State of Nevada has released a remarkably transparent after-action report detailing a ransomware attack that crippled over 60 government agencies in August. This report stands out as one of the most comprehensive technical disclosures from a U.S. state, offering crucial insights into modern cyber threats and effective incident response.

The Attack Vector and Execution

The breach began on May 14 when a state employee, searching for an administration tool, was lured by a malicious advertisement to a fraudulent website. The site delivered a trojanized utility that installed a persistent backdoor. Symantec quarantined the initial malware in June, but the persistence mechanism survived the quarantine and the attackers kept their access. By August, the threat actors had installed remote-monitoring software, established encrypted network tunnels, and moved laterally to critical servers, including the password vault. They exfiltrated credentials for 26 accounts, wiped event logs, and accessed 26,408 files, though no evidence was found that the files themselves were exfiltrated. On August 24, the attackers deleted backup volumes and deployed ransomware across all state virtual machines, causing a widespread outage.

Nevada’s Robust Recovery Strategy

Upon detection, Nevada initiated a 28-day recovery effort, refusing to pay any ransom. The state leveraged its internal IT staff, incurring $259,000 in overtime wages across 4,212 hours, saving an estimated $478,000 compared to contractor rates. External vendor support added over $1.3 million to recovery costs. Within this period, 90% of critical data was restored, ensuring essential services like payroll and public safety communications remained operational. Post-incident, Nevada significantly bolstered its cybersecurity posture by removing unnecessary accounts, resetting passwords, updating security certificates, and reviewing system permissions. The state acknowledges the ongoing need for investment in monitoring and response capabilities to counter evolving threat actor tactics.