Full Report
The State of Nevada has completed its recovery from a ransomware attack it suffered on August 24, 2025, which impacted 60 state agencies, disrupting critical services related to health and public safety. [...]
Analysis Summary
# Incident Report: State of Nevada Ransomware Attack (August 2025)
## Executive Summary
In May 2025, a state employee inadvertently installed malware via a trojanized system administration tool downloaded from a fraudulent search advertisement. This resulted in persistent backdoor access, culminating in a ransomware deployment on August 24, 2025, which crippled services across 60 state agencies. Following a 28-day recovery effort without paying the ransom, the State of Nevada restored 90% of impacted data and services, prompting significant security uplift.
## Incident Details
- **Discovery Date:** August 24, 2025 (Detection of ransomware outage)
- **Incident Date (Initial Access):** May 14, 2025
- **Affected Organization:** State of Nevada (60 State Agencies)
- **Sector:** Government/Public Administration
- **Geography:** Nevada, USA
## Timeline of Events
### Initial Access
- **Date/Time:** May 14, 2025
- **Vector:** Search Engine Malvertising leading to a fraudulent software download.
- **Details:** A state employee searched for a system administration tool and accessed an impersonating, malicious advertisement. Downloading the trojanized system utility installed a backdoor leading to persistent remote access.
### Lateral Movement
- **June 26, 2025:** Security software (SEP) identified and quarantined the initial malicious tool, but persistence mechanisms survived removal.
- **August 5, 2025:** Attackers installed commercial remote-monitoring software (first instance).
- **August 14 - 16, 2025:** Attackers deployed a custom, encrypted network tunnel tool to bypass security controls and established RDP sessions across the network.
- **August 15, 2025:** Second instance of remote-monitoring software installed.
- **Post-August 16:** Actors accessed the password vault server, retrieved 26 credentials, and wiped event logs to cover tracks. Attackers accessed 26,408 files across multiple systems.
### Data Exfiltration/Impact
- **August 24, 2025 (Pre-Ransomware):** Attacker authenticated to the backup server and deleted all backup volumes. The attacker logged into the virtualization management server as root and modified security settings to allow unsigned code execution.
- **August 24, 2025 (08:30:18 UTC):** Ransomware strain deployed on all servers hosting the state’s Virtual Machines (VMs).
- **August 24, 2025 (08:50:18 UTC):** Outage detected by the Governor’s Technology Office (GTO).
### Detection & Response
- **August 24, 2025:** Outage detected, initiating a 28-day statewide recovery effort.
- **Response:** State refused to pay the ransom. Focused on securing the most sensitive systems first, resetting passwords, removing unnecessary accounts, and reviewing access permissions.
## Attack Methodology
- **Initial Access:** Social engineering via malvertising leading to the download of a trojanized system administration tool (Search Engine Poisoning).
- **Persistence:** Configured a hidden backdoor upon initial execution that automatically connected to attacker infrastructure upon user login.
- **Privilege Escalation:** Implied by the choice of lure (a system administration tool that IT staff would run with elevated rights); explicit root access was obtained on the virtualization management server.
- **Defense Evasion:** Used a custom, encrypted network tunnel tool to bypass security controls; wiped event logs.
- **Credential Access:** Accessed the password vault server and retrieved 26 account credentials.
- **Discovery:** Leveraged commercial remote-monitoring software (screen recording, keystroke logging) for environmental awareness.
- **Lateral Movement:** Used RDP sessions established via the custom tunnel tool to move between critical servers.
- **Collection:** Accessed and prepared a six-part .ZIP archive containing sensitive information (though no evidence of actual exfiltration was found).
- **Exfiltration:** No evidence of data exfiltration or publication was found.
- **Impact:** Deletion of all backup volumes and encryption/disruption of VM hosting servers, crippling essential services.
## Impact Assessment
- **Financial:** Recovery costs included overtime payments ($69,400), Dell services ($66,500), and other IR vendor support (~$240,069). Total known costs ~$375,969 (excluding internal labor/opportunity costs).
- **Data Breach:** 26,408 files accessed; 26 credentials compromised. No evidence of published data.
- **Operational:** Disrupted critical services across 60 state agencies, including websites, phone systems, and online platforms, requiring a 28-day restoration period.
- **Reputational:** The response demonstrated resilience, but the incident also created pressure for greater transparency about how the breach was handled.
## Indicators of Compromise
*(Note: Specific IoCs such as IP addresses, domains, or file hashes were not disclosed in the provided text and are therefore omitted.)*
- **Network indicators:** Connections to attacker infrastructure via the backdoor; RDP activity established via custom encrypted tunnels.
- **File indicators:** Trojanized system administration utility; commercial remote-monitoring software; custom encrypted network tunnel tool.
- **Behavioral indicators:** Deletion of event logs; modification of security settings on the virtualization management server to permit unsigned code execution; mass deletion of backup volumes.
## Response Actions
- **Containment:** Swift action based on established playbooks; securing the most sensitive systems immediately and limiting access to essential personnel.
- **Eradication:** Not explicitly detailed, but implied through vendor engagement and system hardening.
- **Recovery:** Restored 90% of impacted data required for services within 28 days without paying the ransom. Focused on removing old accounts, resetting passwords, and reviewing system rules/permissions.
## Lessons Learned
- Threat actors are increasingly leveraging search advertisements (malvertising) to distribute malware disguised as legitimate system administration tools (e.g., WinSCP, Putty substitutes).
- Persistence mechanisms can survive endpoint-protection quarantine of the initial dropper: here the trojanized tool was quarantined in June, but the backdoor it had installed kept reconnecting to attacker infrastructure.
- The event underscored the need for sustained investment in security monitoring and rapid-response capability as attacker TTPs evolve.
## Recommendations
- Improve security awareness training specifically targeting search engine results and the risks associated with downloading administrative tools from non-verified sources.
- Enhance security monitoring and threat detection capabilities to better identify and respond to sophisticated post-exploitation activities (e.g., commercial remote-monitoring tool deployment, custom tunnels).
- Conduct regular, rigorous reviews of system permissions and access controls, especially for root/administrator accounts.
- Implement and rigorously test immutable/offsite backup strategies to negate the impact of on-site backup deletion.