
Nevada details ransomware attack and 28-day recovery in transparent report

Written by Farah Amod | November 22, 2025

A new after-action report outlines how hackers breached Nevada state systems and how the state recovered without paying ransom.


What happened

The State of Nevada has published a detailed after-action report explaining how a ransomware attack in August disrupted over 60 government agencies. The document outlines the full attack timeline, including the initial compromise, threat actor movements, data access, and recovery efforts. Despite the scale of the incident, the state restored 90% of the necessary data within 28 days without paying ransom.


Going deeper

The breach began on May 14 when a state employee unknowingly downloaded a trojanized version of a system administration tool from a malicious ad. The fake tool installed a persistent backdoor that remained functional even after initial malware deletion. Attackers used this access to install remote monitoring software, capture credentials, and move laterally through the network.

Between August 14 and 16, attackers established RDP sessions across multiple systems, accessed a password vault, retrieved account credentials, and deleted event logs to cover their tracks. On August 24, they deleted backup volumes and modified virtualization server settings before deploying ransomware to all virtual machine hosts.

The attack went undetected until 20 minutes later, when the Governor’s Technology Office noticed a statewide outage. That moment triggered a 28-day recovery involving 50 state employees and several vendors.
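The report's timeline above hinges on two behaviours a security operations team can watch for: interactive RDP logons fanning out from one account to many hosts, and event logs being cleared afterwards. The following is an added detection example written for this post, not code from the Nevada report or any of its vendors. It runs over a constructed, simplified JSON-style sample of Windows events (the field names and values are invented for the example) and keys on real Windows event IDs: 4624 with logon type 10 (RemoteInteractive, i.e. RDP), 1102 (Security log cleared) and 104 (System or Application log cleared). The thresholds and window are assumptions to tune for a real environment.

```python
"""Flag event-log clearing and RDP fan-out in a stream of Windows events.

Added detection example; the sample events are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows event IDs written when a log is cleared.
LOG_CLEARED_IDS = {1102: "Security log cleared", 104: "Event log cleared"}
# Logon type 10 in event 4624 is RemoteInteractive (RDP).
RDP_LOGON_TYPE = 10

# Constructed sample events in a simplified shape (hostnames, users and IPs invented).
SAMPLE_EVENTS = [
    {"ts": "2025-08-14T22:03:11Z", "host": "FS01", "channel": "Security", "id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "10.20.1.15"},
    {"ts": "2025-08-14T22:05:40Z", "host": "DC02", "channel": "Security", "id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "10.20.1.15"},
    {"ts": "2025-08-14T22:06:02Z", "host": "APP07", "channel": "Security", "id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "10.20.1.15"},
    {"ts": "2025-08-15T01:12:09Z", "host": "DC02", "channel": "Security", "id": 1102,
     "user": "svc_backup"},
    {"ts": "2025-08-15T01:12:10Z", "host": "DC02", "channel": "System", "id": 104,
     "user": "svc_backup"},
    # Ordinary console logon on a workstation; should produce no alert.
    {"ts": "2025-08-15T08:00:00Z", "host": "WS113", "channel": "Security", "id": 4624,
     "logon_type": 2, "user": "jdoe", "src_ip": "-"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_log_clearing(events):
    """Every log-clear event is worth an alert: it is rare in normal operation."""
    alerts = []
    for e in events:
        if e["id"] in LOG_CLEARED_IDS:
            alerts.append({
                "rule": "event_log_cleared", "severity": "high",
                "host": e["host"], "user": e.get("user"), "ts": e["ts"],
                "detail": f'{LOG_CLEARED_IDS[e["id"]]} (event {e["id"]}, channel {e["channel"]})',
            })
    return alerts


def find_rdp_fanout(events, min_hosts=3, window=timedelta(hours=1)):
    """Alert when one account from one source opens RDP sessions to
    min_hosts or more distinct hosts inside a sliding time window."""
    sessions = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE:
            sessions[(e["user"], e.get("src_ip"))].append((parse_ts(e["ts"]), e["host"]))

    alerts = []
    for (user, src_ip), logons in sessions.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "rule": "rdp_fanout", "severity": "medium",
                    "user": user, "src_ip": src_ip,
                    "host_count": len(hosts), "hosts": sorted(hosts),
                    "window_start": start.isoformat(),
                })
                break  # one alert per (user, source) is enough
    return alerts


def detect(events, **fanout_kwargs):
    """Run both rules and return the combined alert list."""
    return find_log_clearing(events) + find_rdp_fanout(events, **fanout_kwargs)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Log clearing is alerted on unconditionally because it is both rare and, as the report shows, a deliberate anti-forensic step; the RDP rule needs a threshold so routine administration does not page anyone. Forwarding events off-host before they can be cleared is what makes the first rule useful at all.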


What was said

The report credits the swift containment and recovery to coordinated efforts, existing playbooks, and a refusal to pay ransom. Nevada incurred $259,000 in overtime wages and roughly $1.3 million in vendor support, including services from Microsoft DART, Mandiant, and Dell. Vendors helped with infrastructure rebuilding, forensics, legal counsel, and data recovery.

Restoring critical services such as payroll and public safety systems was prioritized. While no ransomware group has claimed responsibility, the incident is being used to strengthen Nevada’s cybersecurity posture. The state has since taken steps to limit privileged access, reset credentials, and remove legacy security configurations.


The big picture

According to BleepingComputer, “no major gangs [were] claiming the intrusion on extortion sites,” suggesting the Nevada ransomware attack was not linked to any known criminal group. The outlet described the incident as a demonstration of “Nevada’s cyber-resilience,” proving the state’s “decisive and swift playbook action” and its commendable transparency in publicly detailing the breach and recovery process. Despite the financial and operational impact (more than $1.5 million in overtime and vendor costs), the state has since improved its cybersecurity posture based on recommendations from trusted partners. Officials acknowledged that “there is plenty of room for improvement,” indicating the need for continued investment in monitoring and response capabilities as threat actors change their tactics and techniques.


FAQs

What is malvertising, and how was it used in this breach?

Malvertising refers to malicious advertisements that appear in search engine results or websites. In this case, a state employee clicked a fake ad for a legitimate tool, leading to the download of malware.


Why didn’t existing antivirus software stop the breach?

Although Symantec Endpoint Protection identified and deleted the malware file, the hidden persistence mechanism allowed the attackers to maintain access to the network.


Why hasn’t the ransomware group been named?

No known ransomware group has publicly claimed responsibility for the breach, and the report did not identify the actor behind the attack.


What did Nevada do differently after the attack?

Post-incident actions included limiting privileged access, removing outdated accounts and certificates, resetting passwords, and reviewing permission rules across systems.


How does Nevada’s response compare to standard practices?

Nevada’s full disclosure, refusal to pay ransom, and reliance on in-house recovery rather than defaulting to external contractors set a precedent for transparent and strategic public-sector incident response.