
Nevada government declined to pay ransom, says cyberattack traced to breach in May

The state government of Nevada did not pay a ransom to cybercriminals who took down critical government systems in August, the state said in a post-mortem review of the attack.

With the help of the FBI, Mandiant and several other organizations, the state was able to rebound from the ransomware attack in 28 days and recover about 90% of the impacted data. The remaining data “was not required to restore essential services and is being reviewed on a risk-basis,” state officials explained in the report.

The report names neither the ransomware gang behind the attack nor the ransom demand. Officials said the decision not to pay “was not made lightly” and was based on their confidence in the ability to use backups to restore impacted systems.

The cybersecurity firm Mandiant was able to trace the ransomware attack back to a search engine optimization poisoning campaign where an attacker embedded malicious code into a trusted online resource frequently accessed by state IT personnel. 

“The investigation revealed that the threat actor had infiltrated the system as early as May 14, 2025, when a state employee unknowingly downloaded a malware-laced system administration tool from a spoofed website,” the report said, adding that the hacker “leveraged legitimate Google advertisements as a vector to deliver the malware package.” 

“This tool installed a hidden backdoor, which remained active despite Symantec Endpoint Protection quarantining the tool on June 26. The attacker escalated their access by installing a commercial remote monitoring software, on multiple systems, compromising both standard and privileged user accounts.” 

Between August 16 and August 24, the hacker moved laterally across critical systems and accessed sensitive directories, including the password vault server. They cleared logs to cover their tracks and deleted backups before deploying the ransomware. 

The investigation found that 26,408 files were accessed but only one document contained the personal information of a former employee who has since been notified. 

Investigators did not find any evidence that data was exfiltrated or posted to a ransomware leak site but they are continuing to monitor the incident. No ransomware gang has come forward to claim the attack as of Thursday. 

State Chief Information Officer Timothy Galluz explained they believe there is a low likelihood of a material impact on the state but they are continuing to monitor the situation. 

In total, the state spent more than $259,000 on overtime payments to 50 state employees who worked 4,212 overtime hours between August 24 and September 20. External vendor costs reached $1.3 million.

The most critical agencies affected were the Department of Health, Department of Motor Vehicle Services and Department of Public Safety, according to the report. Government offices were closed for several days after the initial attack while phones and websites for several agencies were taken down by the hackers. 

“Nevada’s teams protected core services, paid our employees on time, and recovered quickly — without paying criminals,” Governor Joe Lombardo said in a statement.

Throughout the 28 days of outages caused by the attack, the governor’s office said it coordinated with more than 60 state agencies and multiple vendors to respond to the incident. The Department of Homeland Security assisted the FBI and local law enforcement in supporting the recovery effort.

The report notes that a priority of the recovery was restoring the state payroll systems so government employees could be paid. It outlines a plan to further harden state systems, segment departments from each other and deploy security tools more widely. 

The attack on the state coincided with the federal government’s cutting of critical services used by local governments for cybersecurity. 

The Department of Homeland Security slashed hundreds of employees at the Cybersecurity and Infrastructure Security Agency earlier this year and continues to remove employees even after multiple governments across the U.S. have seen critical services taken offline by cyberattacks. 

Over the last two weeks, cyber incidents have reportedly impacted governments in Texas, Tennessee and Indiana. Another county in South Carolina disclosed an incident on Wednesday.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.