Nevada Ransomware Attack: Inside the $1.3M Recovery After Zero-Ransom Strategy
Authorities in the U.S. state of Nevada have released a detailed technical report dissecting a large-scale cyberattack that encrypted government systems with ransomware. The document provides an exhaustive account of the attackers’ actions, their methods of infiltration, and the measures taken to restore operations.
The publication stands out as a rare example of transparency in handling a cybersecurity incident that affected more than sixty state agencies, disrupting both digital and telephone services. Recovery took nearly a month, yet despite the scale of the damage, no ransom was paid—the majority of critical data needed to resume operations was successfully restored through the efforts of the state’s own technical teams.
The initial compromise occurred on May 14, when an employee at one of the agencies downloaded a trojanized copy of a system utility from a counterfeit website posing as the vendor's official page. The link sat in a sponsored search result (a paid advertisement), and the download installed remote-access malware instead of the legitimate tool.
This infection vector is becoming increasingly common: malware posing as popular legitimate tools such as WinSCP, PuTTY, KeePass, or AnyDesk is a routine way to gain an initial foothold in corporate networks. In this case the malware registered a logon-triggered persistence mechanism, so a command-and-control connection was established every time the user logged in, and the attackers kept their foothold even after antivirus software had deleted the original file.
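The persistence described above, a trigger that fires at every logon and outlives the removal of the file that planted it, is something a responder can hunt for directly. The following PowerShell is an added example written for this page, not code from the Nevada report or from any vendor involved; it enumerates the common logon-time execution points on a Windows host and flags entries whose target binary is missing (the classic orphaned trigger), unsigned, or signed by someone other than Microsoft. The key list, folder list and signer heuristic are the author's assumptions about what is worth checking, not anything the report specifies.

```powershell
# Added example (not from the Nevada report): hunt for logon-triggered persistence.
# Run in an elevated PowerShell session on the host under investigation.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Pull the executable path out of a command line such as
#   "C:\Users\x\AppData\Roaming\tool\tool.exe" --hidden
function Get-ExePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

# Startup folders usually hold .lnk shortcuts; resolve them to the real target.
function Resolve-Shortcut {
    param([string]$Path)
    if ($Path -notlike '*.lnk') { return $Path }
    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($Path).TargetPath
    if ($target) { return $target } else { return $Path }
}

function Get-Finding {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $CommandLine))
    $exe = Resolve-Shortcut $exe
    $status = 'ok'
    if ([string]::IsNullOrWhiteSpace($exe)) {
        $status = 'EMPTY COMMAND'
    } elseif (-not (Test-Path -LiteralPath $exe)) {
        $status = 'TARGET MISSING'   # orphaned trigger: file removed, persistence left behind
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid') { $status = "UNSIGNED/$($sig.Status)" }
        elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') { $status = 'third-party signer' }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Target = $exe; Status = $status }
}

$findings = @()

# 1. Run / RunOnce registry keys
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ... metadata
        $findings += Get-Finding -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
    }
}

# 2. Scheduled tasks with a logon trigger
foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $logon) { continue }
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $findings += Get-Finding -Source "Task $($task.TaskPath)$($task.TaskName)" -Name 'Execute' -CommandLine $action.Execute
        }
    }
}

# 3. Startup folders (per-user and all-users)
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += Get-Finding -Source $dir -Name $_.Name -CommandLine $_.FullName
    }
}

# Anything not 'ok' deserves a look; 'TARGET MISSING' is the orphaned-trigger case.
$findings | Where-Object { $_.Status -ne 'ok' } | Sort-Object Status | Format-Table -AutoSize
```

Third-party-signed entries are reported rather than suppressed on purpose: a legitimately signed remote-access tool the user never installed is exactly the kind of finding this incident turned on, so the reviewer, not the script, should decide whether it belongs there.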
By summer, the attackers had installed a commercial remote monitoring and management tool on the compromised host, giving them screen recording and keystroke capture. Later they deployed a custom encrypted tunneling tool that let them bypass security controls and move laterally through the network. Using RDP sessions to move between hosts, they harvested credentials for 26 accounts, including ones that opened the password vault. To cover their tracks, they cleared event logs.
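Clearing event logs is itself a loud act on Windows: wiping the Security log writes Event ID 1102 into the Security log, and wiping any other log writes Event ID 104 into the System log, both after the clear, so they survive it and both name the account that did it. The following PowerShell is an added example written for this page, not code from the Nevada report or from Mandiant; it lists those events and, as a second signal, reports how old the oldest surviving record in each log is, since a large log whose history starts yesterday has almost certainly been cleared. The list of logs to summarise (including the RDP session log, given the lateral movement described above) is the author's choice.

```powershell
# Added example (not from the Nevada report): find the traces that log clearing leaves behind.
# Run in an elevated PowerShell session.

function Get-LogClearEvents {
    param([int]$Days = 90)
    $since = (Get-Date).AddDays(-$Days)
    $queries = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },   # Security log cleared
        @{ LogName = 'System';   Id = 104;  StartTime = $since }    # any other log cleared
    )
    foreach ($q in $queries) {
        $events = Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Both event types carry their details under <UserData><LogFileCleared>;
            # PowerShell's XML adapter walks it without needing the namespace.
            $d = ([xml]$e.ToXml()).Event.UserData.LogFileCleared
            $cleared = if ($e.Id -eq 1102) { 'Security' } else { [string]$d.Channel }
            [pscustomobject]@{
                Time       = $e.TimeCreated
                EventId    = $e.Id
                ClearedLog = $cleared
                Account    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Host       = $e.MachineName
            }
        }
    }
}

# Second signal: a large log whose oldest record is recent has probably been cleared
# (or rolled over), even if the 1102/104 entry was never forwarded off the host.
function Get-LogAgeSummary {
    param([string[]]$Logs = @(
        'Security', 'System', 'Application',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'   # RDP session log
    ))
    foreach ($name in $Logs) {
        $info = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $info) { continue }
        $oldest = Get-WinEvent -LogName $name -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
        $oldestTime = if ($oldest) { $oldest.TimeCreated } else { $null }
        [pscustomobject]@{
            Log         = $name
            Records     = $info.RecordCount
            MaxSizeMB   = [math]::Round($info.MaximumSizeInBytes / 1MB, 1)
            OldestEvent = $oldestTime
        }
    }
}

Get-LogClearEvents -Days 90 | Sort-Object Time | Format-Table -AutoSize
Get-LogAgeSummary | Format-Table -AutoSize
```

Both functions only see what is still on the host; the reason to forward 1102 and 104 to a central collector is precisely that an attacker who can clear the log can also run this script's queries and see nothing.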
Mandiant's incident response team confirmed that more than 26,000 files were accessed without authorization, some containing sensitive information, but found no evidence of data exfiltration or public leaks. On August 24, however, the attackers deleted backup copies and changed hypervisor settings to allow unsigned components to execute. At 08:30 UTC they launched the ransomware, which quickly encrypted every server hosting virtual machines. Within twenty minutes, staff from the Office of Information Technology noticed the outages and began recovery procedures.
The state’s principled stance was to refuse any ransom payment. Instead, it mobilized internal resources: fifty employees logged over 4,000 hours of overtime, costing $259,000, but enabling the rapid restoration of critical services, including payroll systems and emergency communications. External partners such as Microsoft, Mandiant, Aeris, and the law firm BakerHostetler were brought in for additional support, bringing the total recovery expenditure to approximately $1.3 million.
Although the perpetrators remain unidentified and no major ransomware group has claimed responsibility, the incident is cited as a notable example of effective crisis response. The report highlights that one of the top post-incident priorities was strengthening the security of the state’s most sensitive systems. Obsolete accounts were deleted, passwords reset, certificates renewed, and access permissions reassessed.
Officials acknowledge, however, that further investment in cybersecurity is essential—particularly in continuous monitoring and rapid incident response—as adversaries’ tactics continue to evolve.