Nevada ransomware attack started months before it was discovered, per report

“Nevada’s teams protected core services, paid our employees on time, and recovered quickly — without paying criminals,” Gov. Joe Lombardo said Wednesday in a statement announcing the report. “This is what disciplined planning, talented public servants, and strong partnerships deliver for Nevadans.”

The attack came on the heels of a long series of cybercrimes against states and municipalities in recent years.

In 2024, Georgia’s largest county was hit with a cyberattack where hackers shut down office phone lines and threatened to publicly release sensitive data they claimed to have stolen unless officials paid ransom. The ransomware syndicate LockBit took credit for the cyberattack in late January that temporarily crippled government services in Fulton County.

Cybercriminals hacked Rhode Island’s system for health and benefits programs and released files to a site on the dark web in 2024.

The Colorado Department of Transportation’s computer network was targeted in a ransomware attack in 2018 by two Iranian computer hackers, though no money was paid and no information was lost.

When Baltimore was hit in 2019 with a ransomware attack that crippled the city’s services for a month, it was estimated to cost at least $18.2 million. A year before, a ransomware attack slammed Baltimore’s 911 dispatch system.

Nevada officials maintain the state did not pay the ransom, the amount of which was not disclosed. The attacker has yet to be identified, and the incident is still under investigation.

The attack against Nevada was a “fairly large ransomware against a state,” according to Gregory Moody, director of cybersecurity programs at UNLV. This attack was able to spread through the state more quickly because of the decentralized nature of Nevada’s cyber systems, he said.

Nevada’s response time was good compared to others, he said. It typically takes between seven and eight months to discover an attacker in a system, and Nevada officials caught it faster than is usual, Moody said.

The attack cost 4,212 in overtime hours – or about $211,000 in direct overtime wages – and $1.3 million for help from contractors, according to the report. The $1.3 million was paid for by the state’s cyber insurance, according to the governor’s office.

The cost could have been much higher, Moody said. When a data breach targeted the Las Vegas-based MGM Resorts in 2023, it was expected to cost the casino giant more than $100 million.

“I think they got lucky,” said Cameron Call, chief technology officer at the Las Vegas-based cybersecurity company Blue Paladin. “It sounds low compared to some; I don’t know that it’s taking into account the economic cost for the state being down for as long as it was.”

On May 14, a state employee accidentally downloaded a malware-laced system administration tool that was made to mimic a tool frequently accessed by IT personnel, according to the after-action report. That installed a hidden backdoor to give the attacker access, investigators with the cybersecurity firm Mandiant found.

By August, the attacker established encrypted tunnels and used a remote desktop protocol to move across the state’s system, gaining access to the state’s password vault server.

The attacker created a zip file containing sensitive data, including personal information of one former state employee, who was notified, according to the report. Investigators have not found that data was successfully extracted or published on a site.

The report includes steps the state is taking and recommendations to better protect the state in the future, such as creating a centrally-managed security operations center and deploying endpoint detection and response, a platform to improve threat detection.

Cybersecurity experts, however, say those are standard protocols that the state should have been doing for years.

“The recommendations that they put forward are definitely solid, but, you know, they’ve been best practice for quite a while,” Call said.