According to the State of Nevada’s Governor’s Technology Office (GTO) After Action Report (AAR), the office identified a system outage in the early hours of August 24, 2025 (approximately 1:50 AM PDT) that took multiple machines, systems and services offline. The system outage was attributed to a ransomware attack that began as early as May 14, 2025.
As is often the case with cyber attacks against critical networks that depend on interoperability and uptime, the attackers used the initial compromise to spread laterally within the network and ended up impacting over 60 agencies in the state from a single entry point. Having that much impact from one initial compromise, over a lengthy period before being noticed, causes damage that takes time and money to recover from, and recovery is sometimes not completely possible. Downtime of services costs lives, agency money, public money and then reputation. Even if some attacks are inevitable and unavoidable, it is important to take every possible and necessary step to prevent them, because that blunts the damage they will cause in the end.
The statewide cyber attack on the state of Nevada gives us a good lesson on initial compromise, lateral movement, dwell time and impact, and a great example of being prepared to respond when, not if, a cyber attack against critical networks succeeds.
Initial Compromise via SEO Poisoning (May 14)
The entry point of the attack on the state of Nevada that impacted multiple systems and agencies began with a social engineering/phishing technique known as SEO poisoning.
SEO poisoning is where threat actors use deceptive practices to position their malicious website high in search rankings so it looks similar to the site a searcher is looking for, and one they will be familiar with. Such a website will often push malware or other malicious actions when visited by the user. This is sometimes known as HTTPS phishing, because these sites also have SSL certificates to appear legitimate.
The website the state employee was searching for was a regularly used system administration tool that the threat actor had spoofed to look like the legitimate site. The spoofed website led to a trojanized, malware-laced version of the tool being downloaded, which caused the initial compromise of the state's systems on May 14, 2025.
Endpoint detection and protection was able to quarantine and delete the malicious system administration tool downloaded from the spoofed website on June 26. However, the hidden backdoor it had created on the network was not removed, so the persistence mechanism remained active on the system and across the state's network.
What the Threat Actor Did During Dwell Time
Though access through a hidden backdoor was gained on May 14, the threat actor spent three months on reconnaissance (learning the system and gathering information without being detected) before installing remote software to record the screen and log keystrokes on August 5. A second user's system was compromised with the same remote monitoring software on August 15. The tools installed through the malware and backdoor yielded stolen information that eventually allowed the attackers to bypass security controls, access systems remotely and steal the passwords of multiple accounts.
Between installing the remote monitoring software on the first system and the second, the threat actor deployed a customized encrypted tunnel that bypassed security controls and facilitated Remote Desktop Protocol (RDP) access within the network.
Also within the same timeline (August 16-24), the threat actor used RDP access to move between servers, multiple directories, services, files, including a password vault, where 26 account passwords were stolen.
What made this access even more challenging to track was the threat actor's ability to clear event logs, covering up what would otherwise have been monitored as suspicious activity. Had that activity been discovered before the ransomware was deployed, the threat actor's access could have been contained and eradicated to thwart the attack, saving time and money.
Why This Matters for Public Safety
The roughly 100 days of dwell time in the network is much longer than the average dwell time per attack of 60 days, per IBM.
The longer a threat actor has undetected access to systems, networks and files, the more time they have to conduct reconnaissance. When threat actors persist in critical networks over a long period without proper detection, eradication and remediation, they have more chances to move laterally through the network, gain unauthorized access to sensitive accounts with elevated privileges, and collect more sensitive and valuable information to use as leverage in a ransom demand.
In this particular case, the long dwell time allowed the threat actor to expand its access to systems in the network, which led to the shutdown of multiple state services used by the public. Some of those networks were used by DPS, dispatch, the DMV, courts and other citizen-facing services.
Before ransomware was deployed, the threat actors used encrypted tunnels to bypass network defenses and establish Remote Desktop Protocol (RDP) control between systems. While accessing services for passwords and other credentials, they also cleared event logs to hide traces of their movements that would have triggered alerts for suspicious activity. When attackers can dwell in networks like this and move laterally, it is important to have a baseline of network activity and access logs, because the ability to erase activity logs makes their presence harder to detect for the people defending and monitoring the network.
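As an added illustration of that baseline idea (example code, not part of the Nevada report), here is a small Python detector run over constructed Windows Security events that have been forwarded off the host, so clearing the local log does not erase the record. It flags log clearing (Event ID 1102/104), RDP logons (4624, logon type 10) from a source outside an assumed jump-host baseline, and one account fanning out over RDP to several servers within an hour. Hosts, accounts and IP addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of forwarded Windows Security events (not from the incident).
# 4624 = successful logon (logon_type 10 = RemoteInteractive/RDP), 1102 = audit log cleared.
EVENTS = [
    {"time": "2025-08-16T02:10:00", "id": 4624, "host": "SRV-FILE01", "user": "svc_backup", "src_ip": "10.20.5.14", "logon_type": 10},
    {"time": "2025-08-16T02:25:00", "id": 4624, "host": "SRV-VAULT01", "user": "svc_backup", "src_ip": "10.20.5.14", "logon_type": 10},
    {"time": "2025-08-16T02:40:00", "id": 4624, "host": "SRV-DC02", "user": "svc_backup", "src_ip": "10.20.5.14", "logon_type": 10},
    {"time": "2025-08-16T03:05:00", "id": 1102, "host": "SRV-VAULT01", "user": "svc_backup", "src_ip": "", "logon_type": None},
    {"time": "2025-08-16T09:00:00", "id": 4624, "host": "SRV-FILE01", "user": "jdoe", "src_ip": "10.20.1.50", "logon_type": 10},
    {"time": "2025-08-16T14:00:00", "id": 4624, "host": "SRV-FILE01", "user": "jdoe", "src_ip": "10.20.1.50", "logon_type": 2},
]

# Assumed baseline: the only source address from which RDP to servers is expected (a jump host).
RDP_BASELINE_SOURCES = {"10.20.1.50"}
LOG_CLEARED_IDS = {1102, 104}   # Security log cleared / System log cleared
RDP_LOGON_TYPE = 10
FAN_OUT_THRESHOLD = 3           # distinct servers reached over RDP ...
WINDOW = timedelta(hours=1)     # ... by one actor inside this window


def detect(events, baseline=RDP_BASELINE_SOURCES):
    """Return a list of (rule, subject, detail) alerts from forwarded events."""
    alerts = []
    rdp_by_actor = defaultdict(list)   # (user, src_ip) -> [(time, host)]
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] in LOG_CLEARED_IDS:
            # Log clearing is itself logged; with forwarding, the clear cannot hide this record.
            alerts.append(("log_cleared", ev["host"], f"{ev['user']} cleared event log (ID {ev['id']})"))
        elif ev["id"] == 4624 and ev["logon_type"] == RDP_LOGON_TYPE:
            if ev["src_ip"] not in baseline:
                alerts.append(("rdp_off_baseline", ev["host"], f"{ev['user']} from {ev['src_ip']}"))
            rdp_by_actor[(ev["user"], ev["src_ip"])].append((ts, ev["host"]))
    # Fan-out: one actor reaching >= FAN_OUT_THRESHOLD distinct servers over RDP within WINDOW.
    for (user, src), logons in rdp_by_actor.items():
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= WINDOW}
            if len(hosts) >= FAN_OUT_THRESHOLD:
                alerts.append(("rdp_fan_out", f"{user}@{src}", ",".join(sorted(hosts))))
                break
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(EVENTS):
        print(f"{rule:17} {subject:25} {detail}")
```

The rules only work if events are forwarded to a collector the attacker cannot clear; on a host alone, the 1102 record disappears with the rest of the log.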
Timeline of Detection & Initial Response
Let's look at the timeline of events that led to detection (when the ransomware was deployed) after the issue was believed to be resolved by the removal, in June, of the malicious tool. This shows the time between the ransomware deployment, the detection of the issues, and how quickly action was taken to begin the response process.
The following events all happened on August 24, 2025.
What Public Safety Leaders Should Note
Though the threat actor had three months to conduct reconnaissance through the encrypted tunnels, RDP and deleted event logs, the escalation process from discovery to response showed careful preparation for this type of event.
The system outage was discovered overnight, in the early morning of August 24. Within six hours, once it was determined to be an incident requiring further investigation, it was escalated within the state to the CIO of Nevada. From there, it took around two hours to regain access to the VMs and find the ransom note. Within three hours, the team confirmed it had isolated the affected machines to prevent the ransomware from spreading to other systems.
In the next four hours, third-party vendors and outside services were notified to assist in the response and recovery process.
In less than 24 hours after the ransomware attack took the VMs offline, the state was able to follow the NIST incident response timeline to escalate the incident, respond, and initiate the recovery processes.
When threat actors gain access to your network and evade detection through techniques like deleting access logs, it can be difficult to eradicate the original source of the issue. Once ransomware is deployed, the threat actor is no longer hiding (by choice, at this stage), and the organization's response plan is tested. The ability to move from discovery to escalation, response and recovery is critical to minimizing downtime, reducing impact and limiting financial loss.
Agencies and Services Affected
With multiple VMs affected, and the threat actor able to move laterally throughout the network and gain access to multiple high-level credentials, the list of impacted agencies spanned over 60, including:
Operational Consequences
Verification systems in public safety and other public-facing identification services need 100% uptime. When they incur outages, the impact can slow response times and processes and delay other critical services and efforts.
Uptime, continuity and redundancy are all hallmarks of a properly operating public safety network. Even when these networks are the main target or entry point of an attack, this incident shows that public safety services and systems can be heavily impacted by intrusions into statewide IT systems and functions. The uptime of these systems and services is heavily dependent on functioning and protected state network systems.
Immediate Containment Measures
The state took the first important step of cutting off access to other VMs and systems by isolating the known affected machines and systems first.
Isolating the systems allowed the state to contain the threat to the already affected systems, and to confirm that the threat actor was no longer present after leaving the ransom note and after the isolation.
Once systems were isolated, the state could take the next step toward recovery and bring in external incident response partners (cybersecurity firm, legal team, etc.) to plan the recovery, communicate that plan and execute it.
The Backup Challenge
What made the recovery process slower for the state is that before the threat actor deployed ransomware and encrypted files and data on the systems on August 24, they also deleted backup volumes and data.
The Governor's Technology Office engaged Dell Recovery Support once this was discovered. The support team was able to recover 90% of the data over a 28 day period.
Having offline, offsite backups that are not connected to your network, and therefore cannot be reached by an attack, is key to a quicker recovery than contacting outside firms and waiting for a restore.
Decision Not to Pay the Ransom
The state of Nevada had been proactive about three years earlier in securing support from the state legislature to invest in cyber insurance. This led to the state's cyber insurance provider recommending a cybersecurity firm to lead the ransomware response and recovery process. The firm's expertise in handling ransomware threats allowed the state government to rely on the cyber insurance for those services and avoid feeling pressure to pay the ransom, the amount of which was never disclosed.
Major Recovery Milestones
A full Active Directory rebuild started almost immediately thanks to the state's vendor network, as Dell's team worked alongside internal IT personnel to retire redundancy points.
The recovery process was smooth and quick thanks to implementing tiering models for segmentation, as well as deploying Windows LAPS (Local Administrator Password Solution).
During recovery, legacy authentication protocols were disabled and conditional access was enabled, as part of implementing zero trust processes.
State passwords were reset across all systems during the recovery process, and outdated and unnecessary user accounts were removed. All old digital keys were replaced to prevent unauthorized access, something addressed in policies such as the CJIS Security updates.
With 60+ agencies impacted, the state had to prioritize which services and agencies to restore, using and communicating a detailed plan to restore the areas that directly affected public welfare.
To keep essential services active and ongoing during this response and recovery process, a total of 4,212 overtime hours were logged between August 24 and September 20. That overtime cost the state approximately $259,037.84.
The vendor costs for the cybersecurity provider and Dell totaled $1.3M.
Why This Recovery Was Fast
According to Comparitech, across 1,133 confirmed ransomware attacks between 2018 and 2024, the average recovery time for government agencies was 27.8 days. Measured against that study, Nevada's recovery time was about average. Nevada was able to recover in line with that average because of a proactive incident response plan that included an investment in cyber insurance.
The Governor's Technology Office had a proper escalation plan in place and engaged the right decision makers on an efficient timeline. Its legal team had a clear recommendation for a cybersecurity firm and knew which vendors to involve to start the recovery process. The team was able to execute the prepared plan immediately once the systems went down and ransomware was determined to be the cause.
Lessons Learned for Public Safety Organizations
The threat actor's ability to move laterally across different networks after three months of access and undetected reconnaissance, while no doubt damaging in its own right, provided many lessons about the path forward for the state of Nevada's cybersecurity priorities and those of similar agencies.
The steps taken to strengthen cybersecurity prioritized making lateral movement through the networks harder after an initial compromise. Nevada adopted additional zero trust methodologies to increase segmentation between agencies based on operational needs.
Access was restricted with stronger Access Control Lists (ACLs) to create more barriers to gaining administrator-level access to domains, applications and services.
Restricting access between accounts and roles makes it harder for threat actors to reach other areas of the network, information and critical systems if they come in through a different entry point.
The Governor's Technology Office took steps to prevent the credentials of highly privileged accounts from being shared as master keys, so that they cannot be used to take over critical systems. It also adopted just-in-time (JIT) access, which only grants time-limited access to log in to systems and data.
With dwell time playing a critical role in this attack, the GTO decided to deploy a modern endpoint detection and response (EDR) platform to improve threat detection and response. This increases behavioral visibility as well as network visibility. Another important step for the GTO is integrating the EDR platform with a centralized Security Operations Center (SOC) so that potential threats are monitored and responded to in real time by people with the right experience. The GTO decided to pursue a centrally managed SOC to prioritize continuity of operations and prepare for emerging threats.
With critical backups deleted in this attack, the GTO also recognized that third-party processes and backup recovery are critical, and is taking steps to improve backup integrity and immutability with off-site, off-line backups.
Nevada's GTO recognized that conducting regular incident response exercises across multiple agencies will make response efforts more efficient and increase continuity among agencies that could be impacted by a cyber incident.
The GTO also discovered during this incident that application ownership was an issue, and that additional process improvements were needed along with regular reviews.
One of the actions the GTO will take in the wake of the incident is expanding employee training that addresses future threats, threat recognition, best practices and incident response. It recognized that while technological and process improvements can protect systems and data when an attack takes place, people are the front line of the organization's cybersecurity culture, and that a strong security culture combined with technology is the key to mitigating future risks.
What Nevada’s Incident Means for Public Safety Agencies
The most important takeaway from this incident is that cybersecurity, cyber threats and cyber attacks are not confined to the IT department. We saw real-life impacts on critical, public-facing services and systems.
Ransomware was the ultimate outcome: encrypted systems and data, deleted backups and a ransom demand (which was, correctly, never paid). What led to that outcome was three months of dwell time in the system to conduct reconnaissance, steal credentials, escalate privileges and ultimately gain more access to the networks. Even though the initial malicious tool was believed to have been deleted, the encrypted tunnel and the ability to delete activity logs allowed the threat actors to remain undetected during the phase that led to the events of this attack.
Overall, the recovery time for the state of Nevada fell in line with the average thanks to its incident response plan, leadership, partnerships with third-party services and vendors, and communication across all phases.
The uptime of mission-critical systems relies on preparation, readiness, communication and leadership to make sure these public facing services can be trusted.