The Nevada GTO suffered a ransomware attack that began on May 14, when an employee downloaded a malicious fake system administration tool from a spoofed website whose visibility had been boosted with paid ads (SEO poisoning). The attack disrupted state systems on August 24, forcing a 28-day recovery and network shutdowns across 60 state offices, including critical agencies such as the Nevada Health Authority (which reverted to paper processes) and the Department of Motor Vehicles (which canceled appointments, halted online communications with auto dealers, and waived late fees). While 90% of the encrypted data was recovered, backup data had been deleted, which extended the downtime. 26 user accounts (including administrative ones) were compromised, and a backdoor persisted after the malware was removed. Overtime reached 4,212 hours, with $7M in cyber insurance partially offsetting the losses. Services such as SNAP, TANF, and WIC continued via workarounds, and state employees and retirees were paid on time. No ransom was paid, and data exfiltration remains unconfirmed but under monitoring. The attack exposed gaps in endpoint detection and prompted reviews of a state SOC (Security Operations Center) and additional grant-funded security tools.
Source: https://www.govtech.com/security/report-ids-source-of-nevada-cyber-attack-looks-ahead
TPRM report: https://www.rankiteo.com/company/nv-gto
{
    "id": "nv-2862228110625",
    "linkid": "nv-gto",
    "type": "Ransomware",
    "date": "5/2025",
    "severity": "100",
    "impact": "5",
    "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [
    {'customers_affected': 'State employees, retirees, and residents relying on state services (e.g., SNAP, DMV)',
     'industry': 'Public Administration',
     'location': 'Nevada, USA',
     'name': 'Nevada Governor’s Technology Office (GTO)',
     'type': 'Government Agency'},
    {'customers_affected': 'Recipients of SNAP, TANF, and WIC programs',
     'industry': 'Healthcare',
     'location': 'Nevada, USA',
     'name': 'Nevada Health Authority',
     'type': 'Government Agency'},
    {'customers_affected': 'Residents with appointments, Auto Dealers of Nevada (business partner)',
     'industry': 'Transportation',
     'location': 'Nevada, USA',
     'name': 'Nevada Department of Motor Vehicles (DMV)',
     'type': 'Government Agency'}],
 'attack_vector': [
    'Malware (fake system administration tool)',
    'Spoofed website (SEO poisoning via paid ads)',
    'Backdoor established post-intrusion'],
 'customer_advisories': [
    'DMV: Waived late fees/expiration dates, honored walk-ins during outage',
    'Nevada Health Authority: Assured continuation of WIC/SNAP/TANF benefits via workarounds'],
 'data_breach': {
    'data_encryption': 'Yes (90% of encrypted data recovered)',
    'data_exfiltration': 'Not confirmed (monitoring continues)'},
 'date_detected': '2023-08-24',
 'date_publicly_disclosed': '2023-08-27',
 'date_resolved': '2023-09-21',
 'description': 'A ransomware attack on the Nevada Governor’s Technology Office (GTO) began on August 24, disrupting state systems and prompting network shutdowns. The attack originated from malware downloaded by an employee on May 14 from a spoofed website, facilitated by SEO poisoning via paid ads. The incident affected 60 state offices, including critical services like the Nevada Health Authority and DMV. Recovery took 28 days, with 90% of encrypted data successfully restored. No ransom was paid, and no data exfiltration was confirmed, though monitoring continues. The state’s incident response plan was activated, involving third-party firms like Mandiant and BakerHostetler LLP. Overtime costs totaled 4,212 hours, and the state had $7 million in cyber insurance. Post-incident, reviews are underway for a state SOC and unified endpoint detection/response system.',
 'impact': {
    'brand_reputation_impact': 'Potential reputational damage due to service disruptions (e.g., DMV, health services)',
    'downtime': '28 days',
    'financial_loss': [
        '4,212 hours of overtime',
        '$7 million in cyber insurance (associated costs covered)'],
    'operational_impact': [
        'Nevada Health Authority: reverted to paper processes for SNAP, TANF, and WIC programs (WIC unaffected due to management structure)',
        'DMV: cancelled appointments (2+ days), honored walk-ins, waived late fees/expiration dates, disrupted communication with Auto Dealers of Nevada',
        'State employees/retirees paid on time (no disruption)'],
    'systems_affected': [
        'State network (shutdown)',
        'Backup data (deleted)',
        'Office 365 (required recovery assistance from Microsoft)',
        '60 state offices (including Nevada Health Authority, DMV)']},
 'initial_access_broker': {
    'backdoors_established': 'Yes (persisted post-malware removal)',
    'entry_point': 'Employee downloaded malware from spoofed website (fake system administration tool)',
    'high_value_targets': 'Administrative accounts (26 user accounts compromised)',
    'reconnaissance_period': 'May 14, 2023 to August 24, 2023 (~3.5 months)'},
 'investigation_status': 'Completed (after-action report published; ongoing monitoring for data exfiltration)',
 'lessons_learned': [
    "Importance of continuous security platform diversification ('cybersecurity layer cake')",
    'Need for real-time threat hunting and backdoor detection',
    'Value of pre-existing incident response plans and cyber insurance',
    'Criticality of backup resilience (backup data was deleted in the attack)',
    'Opportunity to invest in state SOC and unified endpoint detection/response'],
 'motivation': 'Financial (ransomware)',
 'post_incident_analysis': {
    'corrective_actions': [
        'Review of state SOC and endpoint detection/response systems',
        'Request for Cybersecurity Grant Program funds',
        'Enhanced monitoring for data exfiltration',
        'Potential investment in additional security tools (e.g., threat hunting)'],
    'root_causes': [
        'Employee error (downloaded malware from untrusted source)',
        'Delayed detection of initial intrusion (May to August)',
        'Insufficient backup resilience (backup data deleted)',
        'Lack of real-time backdoor detection post-malware removal']},
 'ransomware': {
    'data_encryption': 'Yes (partial recovery)',
    'data_exfiltration': 'Not confirmed',
    'ransom_demanded': 'Yes (amount not specified)',
    'ransom_paid': 'No'},
 'recommendations': [
    'Release of State and Local Cybersecurity Grant Program funds for additional security tools',
    'Establishment of a state SOC (Security Operations Center)',
    'Implementation of unified endpoint detection and response system',
    'Enhanced employee training to prevent malware downloads from untrusted sources',
    'Review of third-party risk management (e.g., spoofed websites, SEO poisoning)'],
 'references': [
    {'date_accessed': '2023-11-05', 'source': 'Nevada GTO After-Action Report'},
    {'date_accessed': '2023-10-16', 'source': 'State CIO Timothy Galluzi’s Testimony'},
    {'date_accessed': '2023-08-27', 'source': 'State of Nevada Press Conference'}],
 'response': {
    'communication_strategy': [
        'Press conference (August 27)',
        'After-action report (published November 5)',
        'Testimony by State CIO Timothy Galluzi (October 16)'],
    'containment_measures': [
        'Network shutdowns',
        'Removal of malicious software (though backdoor persisted)'],
    'enhanced_monitoring': 'Ongoing monitoring for potential data exfiltration',
    'incident_response_plan_activated': 'Yes (immediately)',
    'recovery_measures': [
        'Workarounds (e.g., paper processes for health services)',
        'Waived fees/leniency for DMV-related disruptions',
        'Overtime labor (4,212 hours)'],
    'remediation_measures': [
        'Data recovery via Dell (90% of encrypted data restored)',
        'Office 365 recovery with Microsoft',
        'Review of state SOC and endpoint detection/response systems'],
    'third_party_assistance': [
        'BakerHostetler LLP (law firm)',
        'Mandiant (cyber firm)',
        'Dell Recovery Support (data recovery)',
        'Microsoft (Office 365 recovery)']},
 'stakeholder_advisories': [
    'Interim Finance Committee (review of SOC funding requests for 2023/2025)',
    'University of Nevada, Las Vegas (research on state SOC establishment)'],
 'title': 'Nevada Governor’s Technology Office (GTO) Ransomware Attack',
 'type': 'Ransomware Attack',
 'vulnerability_exploited': [
    'Employee downloaded malware from untrusted source',
    'Lack of real-time detection for initial intrusion (May 14 to August 24)',
    'Compromised administrative accounts (26 user accounts, including admin-level)']}