Nevada's Ransomware Wake-Up Call: Lessons Learned for Security Teams
When the State of Nevada's systems went dark on August 24th, it could have become just another statistic in the growing list of government ransomware attacks. Instead, it became something far more valuable: a teachable moment for the entire cybersecurity community.
Nevada did something remarkable—they published a complete, transparent after-action report detailing every step of the attack and their recovery. This level of openness is rare, especially from government agencies, and it offers security professionals invaluable insights into how modern attacks unfold and how organizations can respond effectively.
The Attack: A Timeline of Compromise
The Invisible Beginning (May 14)
The breach didn't start with sophisticated zero-day exploits or advanced persistent threats. It started with something far more mundane: a Google search.
A state employee needed to download a legitimate system administration tool. They searched for it, and instead of finding the real software, they clicked on a malicious advertisement at the top of the search results. This led to a fake website that looked identical to the legitimate one, offering a trojanized version of the tool.
The reality check: Even experienced IT staff can fall victim to convincing impersonation. The threat actors deliberately target system administration tools because they know the people downloading them likely have elevated network access.
The Silent Months (May-August)
Once executed, the malware established a hidden backdoor that automatically connected to the attacker's infrastructure whenever the user logged in. This gave the hackers persistent remote access to Nevada's internal network.
Here's where things get concerning: On June 26, the state's antivirus software (Symantec Endpoint Protection) actually detected and quarantined the malicious tool. It even deleted it from the workstation. Victory, right?
Wrong. The persistence mechanism—the backdoor—survived. The attackers still had their foothold.
The Preparation Phase (August 5-16)
With summer winding down, the attackers began preparing for their final assault:
August 5: They installed commercial remote-monitoring software capable of screen recording and keystroke logging
August 14-16: They deployed custom encrypted tunneling tools to bypass security controls and established Remote Desktop Protocol (RDP) sessions across multiple critical systems
This lateral movement allowed them to hop between servers like stepping stones across a pond, eventually reaching the crown jewel: the password vault server. From there, they compromised 26 accounts and accessed over 26,000 files.
To cover their tracks? They wiped event logs—the digital equivalent of erasing security camera footage.
The Final Strike (August 24)
The attackers executed their plan with surgical precision:
Step 1: Delete all backup volumes from the backup server (removing the organization's ability to easily recover)
Step 2: Modify virtualization server security settings to allow unsigned code execution
Step 3: At 8:30 AM UTC (1:30 AM local time), deploy ransomware across all servers hosting the state's virtual machines
Twenty minutes later, at 1:50 AM local time, Nevada's IT team detected the outage. The clock started ticking on what would become a 28-day recovery marathon.
The Response: Resilience Over Ransom
Nevada made a critical decision: they would not pay the ransom. Instead, they would recover through their own capabilities.
The numbers tell an impressive story:
50 state employees worked 4,212 overtime hours
Overtime costs: $259,000
External vendor support: $1.3 million (primarily Microsoft DART, Mandiant, and various recovery specialists)
Time to recover: 28 days to restore 90% of critical systems and data
Estimated savings: $478,000 by using staff overtime instead of contractors
More important than the money saved, Nevada maintained critical services. Payroll continued. Public safety communications stayed online. Citizen-facing systems came back quickly.
Five Critical Lessons for Security Professionals
1. Search Engine Advertisements Are a Major Threat Vector
Malvertising (malicious advertising) isn't just annoying—it's dangerous. Threat actors are paying to place their fake websites at the top of search results for popular IT tools like WinSCP, PuTTY, KeePass, and AnyDesk.
What you can do:
Educate your staff about this threat vector
Bookmark legitimate download sources and distribute them internally
Consider using browser extensions that block ads on corporate devices
Implement application whitelisting to prevent unauthorized software execution
Use endpoint detection and response (EDR) tools that can detect unusual installation patterns
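One way to put the "approved download sources" advice into practice is a gate that every fetched installer must pass before it is allowed to run. The following is an added example, not code from the Nevada report or any vendor; the tool name, host names and installer bytes are constructed placeholders, and a real allow-list would pin the vendor's published SHA-256 digests.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample payloads standing in for the vendor's installer and a tampered copy.
GENUINE_INSTALLER = b"constructed sample: genuine admin tool installer v1.0"
TAMPERED_INSTALLER = b"constructed sample: genuine admin tool installer v1.0 + extra code"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical internal allow-list: tool -> approved download hosts and known-good digests.
# Host and digest values are constructed; a real list pins the vendor's published hashes.
APPROVED = {
    "admin-tool": {
        "hosts": {"downloads.example-vendor.test"},
        "sha256": {sha256_hex(GENUINE_INSTALLER)},
    },
}


def verify_download(tool: str, url: str, data: bytes) -> tuple:
    """Return (approved, reason). Anything not explicitly on the allow-list is rejected."""
    entry = APPROVED.get(tool)
    if entry is None:
        return False, f"{tool!r} is not an approved tool"
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "download must use https"
    host = (parsed.hostname or "").lower()
    if host not in entry["hosts"]:
        # Exact host match: a lookalike domain from a search ad fails here.
        return False, f"host {host!r} is not an approved source for {tool!r}"
    digest = sha256_hex(data)
    if digest not in entry["sha256"]:
        # Right site name but wrong bytes: a swapped or trojanized build fails here.
        return False, f"sha256 {digest[:12]}... does not match a known-good build"
    return True, "approved source and known-good digest"


if __name__ == "__main__":
    cases = [
        ("admin-tool", "https://downloads.example-vendor.test/tool.exe", GENUINE_INSTALLER),
        ("admin-tool", "https://downloads.example-vendor-official.test/tool.exe", GENUINE_INSTALLER),
        ("admin-tool", "https://downloads.example-vendor.test/tool.exe", TAMPERED_INSTALLER),
    ]
    for tool, url, data in cases:
        print(tool, url, verify_download(tool, url, data))
```

The digest check is what matters most: a host check alone does not help when the legitimate site itself is fronted by a malicious ad, but a pinned hash rejects the wrong bytes regardless of where they came from.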
2. Detection Isn't Elimination
Nevada's antivirus detected and removed the initial malware in June—but the attack still succeeded in August. Why? Because the persistence mechanism survived.
Modern malware is designed with resilience in mind. It's not enough to remove the payload; you must eliminate all footholds.
What you can do:
When malware is detected, assume persistence mechanisms exist
Conduct thorough forensic investigations following any detection
Look for unusual scheduled tasks, registry modifications, or new services
Consider reimaging compromised systems rather than just cleaning them
Review all accounts that logged into affected systems for suspicious activity
3. Your Backups Are a Primary Target
The attackers' first move on the day of the attack was to delete all backup volumes. This is now standard ransomware playbook behavior. If they can destroy your backups, they significantly increase the pressure to pay the ransom.
What you can do:
Implement the 3-2-1 backup rule: 3 copies, 2 different media types, 1 offsite
Use immutable backups that cannot be deleted or modified
Restrict access to backup systems with dedicated accounts
Regularly test your backup restoration process
Consider air-gapped backups that are physically disconnected from your network
Monitor backup deletion attempts as high-priority security alerts
4. Lateral Movement Detection Is Critical
The attackers spent months quietly moving through Nevada's network, eventually reaching privileged systems. Each hop should have been a detection opportunity.
What you can do:
Implement network segmentation to limit lateral movement
Monitor for unusual RDP connections between systems
Deploy deception technology (honeypots) to detect reconnaissance
Use privileged access management (PAM) solutions
Enable logging on all critical systems and aggregate logs centrally
Alert on unusual account usage patterns, especially for administrative accounts
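Three of the signals in this timeline (an account opening RDP sessions to many servers in a short window, a cleared security log, and a backup volume deletion) can be expressed as simple rules over aggregated logs. The block below is an added example, not code from the Nevada report or any SIEM product; the event records are constructed, the field names loosely mimic Windows Security log events 4624 (logon, type 10 = RemoteInteractive) and 1102 (audit log cleared), and the backup-deletion event is a hypothetical record from a backup system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one ordinary RDP logon, then one account fanning out
# to several servers within minutes, a cleared audit log, and a backup deletion.
EVENTS = [
    {"ts": "2025-08-14T01:00:00", "id": 4624, "logon_type": 10, "user": "jdoe", "host": "FS01", "src": "WS-17"},
    {"ts": "2025-08-14T02:05:00", "id": 4624, "logon_type": 10, "user": "svc-ops", "host": "APP01", "src": "WS-42"},
    {"ts": "2025-08-14T02:06:00", "id": 4624, "logon_type": 10, "user": "svc-ops", "host": "APP02", "src": "WS-42"},
    {"ts": "2025-08-14T02:09:00", "id": 4624, "logon_type": 10, "user": "svc-ops", "host": "DB01", "src": "WS-42"},
    {"ts": "2025-08-14T02:12:00", "id": 4624, "logon_type": 10, "user": "svc-ops", "host": "VAULT01", "src": "WS-42"},
    {"ts": "2025-08-16T03:00:00", "id": 1102, "user": "svc-ops", "host": "VAULT01"},
    {"ts": "2025-08-24T08:10:00", "id": "backup_volume_deleted", "user": "svc-ops", "host": "BACKUP01", "volume": "vol-prod"},
]

RDP_FANOUT_HOSTS = 3                      # distinct RDP targets that trigger an alert
RDP_FANOUT_WINDOW = timedelta(minutes=15)  # sliding window for the fan-out rule


def detect(events, fanout_hosts=RDP_FANOUT_HOSTS, window=RDP_FANOUT_WINDOW):
    """Return a list of (severity, message) alerts, in event order."""
    alerts = []
    rdp = defaultdict(list)  # (user, source workstation) -> [(time, target host), ...]
    fired = set()            # fan-out keys already alerted on, to avoid repeats
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 1102:
            alerts.append(("high", f"{ev['ts']} security log cleared on {ev['host']} by {ev['user']}"))
        elif ev["id"] == "backup_volume_deleted":
            alerts.append(("critical", f"{ev['ts']} backup volume {ev['volume']} deleted on {ev['host']} by {ev['user']}"))
        elif ev["id"] == 4624 and ev.get("logon_type") == 10:
            key = (ev["user"], ev["src"])
            rdp[key].append((ts, ev["host"]))
            recent = {h for t, h in rdp[key] if ts - t <= window}  # targets inside the window
            if len(recent) >= fanout_hosts and key not in fired:
                fired.add(key)
                alerts.append(("high", f"{ev['ts']} {ev['user']} from {ev['src']} opened RDP to "
                                       f"{len(recent)} hosts within {window}: {sorted(recent)}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(EVENTS):
        print(f"[{severity}] {message}")
```

The thresholds are deliberately low for the sample data; in production they should be tuned per environment, and the two non-RDP rules should page someone regardless of volume, since a cleared security log or a deleted backup volume is rarely benign.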
5. Transparency Has Value
Nevada's decision to publish a detailed after-action report is commendable and rare. Most organizations (government or private) keep breach details confidential, citing security or legal concerns.
But transparency serves multiple purposes:
It helps the broader security community learn and improve
It demonstrates accountability and builds public trust
It pressures other organizations to improve their own security
It provides valuable threat intelligence
What you can do:
Develop incident response plans that include post-incident analysis
Share lessons learned with industry peers (even anonymously)
Contribute to threat intelligence sharing communities
Consider publishing redacted after-action reports for significant incidents
The Bigger Picture: Prevention vs. Response
This incident perfectly illustrates a fundamental truth in cybersecurity: prevention is ideal, but response capability is essential.
Nevada couldn't prevent the initial compromise (though better controls might have), but their response was exemplary:
Immediate detection of the ransomware deployment
Decisive action refusing to pay the ransom
Coordinated response involving internal staff and external experts
Effective recovery restoring 90% of critical systems in under a month
Continuous improvement implementing recommended security enhancements
Practical Action Items for Your Organization
Walking away from this case study, here are concrete steps you can implement:
Immediate (This Week):
Audit your software download sources and create an approved list
Review who has access to your backup systems
Check if event logs are being forwarded to a central, protected location
Short-term (This Month):
Conduct a malvertising awareness training session
Test your backup restoration process
Review privileged account usage and implement monitoring
Deploy multi-factor authentication (MFA) on all administrative accounts
Long-term (This Quarter):
Implement network segmentation for critical systems
Deploy or enhance EDR capabilities
Establish an incident response retainer with a specialized firm
Develop immutable backup capabilities
Create and test a ransomware-specific incident response plan
Final Thoughts
The Nevada ransomware attack wasn't prevented, but it was survived—and survived well. The state's combination of prepared staff, external expertise, and refusal to fund criminal enterprises resulted in a recovery that, while costly, was far less devastating than it could have been.
More importantly, their transparency provides a roadmap for other organizations. Every security professional should read their full after-action report and ask: "If this happened to us tomorrow, would we be ready?"
The answer to that question might be uncomfortable, but it's better to face it now than at 1:50 AM when your systems are encrypted and your backups are gone.
Stay vigilant, stay prepared, and most importantly—stay learning.
Have you dealt with a ransomware incident in your organization? What lessons did you learn? Share your (appropriately redacted) experiences in the comments below. And if you found this analysis helpful, consider subscribing for more deep dives into real-world cybersecurity incidents.