The State of Nevada suffered a prolonged ransomware attack initiated in May 2023 when an employee unknowingly downloaded malware disguised as an IT administration tool. The breach escalated by August, disrupting critical government services for nearly a month. Key impacts included:
- Service outages: Residents couldn’t obtain driver’s licenses, employers faced delays in background checks, and state workers were placed on paid leave.
- Financial cost: Recovery expenses reached $1.5 million ($211K in overtime, $1.3M for contractors, covered by cyber insurance), with additional economic losses from prolonged downtime.
- Data risk: Attackers accessed a password vault and exfiltrated a zip file containing personal data of at least one former employee, though no evidence confirmed public exposure. The attack exploited Nevada’s decentralized cybersecurity infrastructure, spreading rapidly.
- Operational strain: The state avoided paying ransom but required 4,212 overtime hours and external cybersecurity support (Mandiant) to contain the breach. Investigations remain ongoing, with the attacker unidentified.
- Broader context: The incident aligns with a rising trend of state-level ransomware attacks, including similar disruptions in Georgia (Fulton County), Rhode Island (health data leaks), and Baltimore (911 system outages).
Source: https://www.newsday.com/news/nation/nevada-cyberattack-ransomware-r33842
TPRM report: https://www.rankiteo.com/company/nv-gto
"id": "nv-5662056110625",
"linkid": "nv-gto",
"type": "Ransomware",
"date": "5/2023",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'customers_affected': 'Nevada residents (disrupted '
'services), employers '
'(background checks)',
'industry': 'public administration',
'location': 'Nevada, USA',
'name': 'State of Nevada',
'type': 'government'}],
'attack_vector': 'malicious software download (disguised as a legitimate IT '
'tool)',
'customer_advisories': ['Notification to the affected former state employee.',
'Public updates on service restoration progress.'],
'data_breach': {'data_encryption': 'yes (encrypted tunnels used by attacker)',
'data_exfiltration': 'unconfirmed (zip file created but no '
'evidence of extraction or publication)',
'number_of_records_exposed': '1 (confirmed)',
'personally_identifiable_information': 'yes',
'sensitivity_of_data': 'moderate (personally identifiable '
'information)',
'type_of_data_compromised': ['personal information (one '
'former state employee)']},
'date_detected': '2023-08',
'date_publicly_disclosed': '2024-02-21',
'date_resolved': '2023-09',
'description': "A ransomware attack on Nevada's state government systems, "
'discovered in August 2023 but originating as early as May '
'2023, disrupted services for nearly a month. The attack was '
'initiated when a state employee mistakenly downloaded '
'malicious software disguised as a legitimate IT tool. The '
'incident cost at least $1.5 million in recovery efforts, '
'including overtime wages and contractor assistance, but no '
'ransom was paid. Sensitive data, including personal '
'information of one former employee, was compromised but not '
'confirmed to be exfiltrated or published.',
'impact': {'brand_reputation_impact': 'moderate (publicized disruption of '
'state services)',
'data_compromised': 'personal information of at least one former '
'state employee',
'downtime': 'nearly one month',
'financial_loss': '$1.5 million (recovery cost: $211,000 in '
'overtime wages + $1.3 million for contractors, '
'covered by cyber insurance)',
'identity_theft_risk': "low (only one former employee's data "
'confirmed compromised; no evidence of '
'exfiltration)',
'operational_impact': ['state workers on paid administrative leave',
'disruption of driver’s license issuance',
'halted background checks for employers',
'potential economic cost to the state '
'(undisclosed)'],
'systems_affected': ['state government IT systems',
'driver’s license services',
'background check systems',
'password vault server']},
'initial_access_broker': {'backdoors_established': 'yes (hidden backdoor for '
'persistent access)',
'data_sold_on_dark_web': 'no (no evidence of '
'exfiltration or '
'publication)',
'entry_point': 'malware-laced system administration '
'tool (downloaded by state employee '
'on 2023-05-14)',
'high_value_targets': ['password vault server',
'sensitive data (personal '
'information)'],
'reconnaissance_period': 'May 2023 – August 2023 '
'(~3 months)'},
'investigation_status': 'ongoing (threat actor unidentified)',
'lessons_learned': ['Decentralized cyber systems accelerated attack spread.',
'Importance of centralized security operations center '
'(SOC).',
'Need for endpoint detection and response (EDR) '
'platforms.',
'Human error (malware download) as a critical '
'vulnerability.'],
'motivation': 'financial (ransomware)',
'post_incident_analysis': {'corrective_actions': ['Planned deployment of '
'endpoint detection and '
'response (EDR).',
'Centralization of security '
'operations (SOC '
'establishment).',
'Review of password vault '
'security protocols.',
'Enhanced employee training '
'on cybersecurity best '
'practices.'],
'root_causes': ['Human error (accidental malware '
'download).',
'Decentralized IT systems enabling '
'rapid attack spread.',
'Lack of endpoint '
'detection/response (EDR) at time '
'of attack.',
'Insufficient monitoring of remote '
'desktop protocol (RDP) usage.']},
'ransomware': {'data_encryption': 'yes (files encrypted; zip file created '
'with sensitive data)',
'data_exfiltration': 'unconfirmed',
'ransom_demanded': 'undisclosed',
'ransom_paid': 'no'},
'recommendations': ['Establish a centrally-managed security operations center '
'(SOC).',
'Deploy endpoint detection and response (EDR) platforms.',
'Improve threat detection capabilities.',
'Enhance employee cybersecurity training '
'(phishing/malware awareness).',
'Strengthen password vault security and access controls.'],
'references': [{'date_accessed': '2024-02-21',
'source': 'Associated Press (via Las Vegas Review-Journal)',
'url': 'https://www.reviewjournal.com/news/nevada/nevada-cyberattack-cost-1-5-million-to-recover-report-says-2950010/'},
{'date_accessed': '2024-02-21',
'source': 'Nevada Governor’s Office (After-Action Report)'},
{'date_accessed': '2024-02',
'source': 'Mandiant Investigation Findings'}],
'regulatory_compliance': {'fines_imposed': 'none'},
'response': {'communication_strategy': ['governor’s public statement '
'(2024-02-21)',
'after-action report release'],
'containment_measures': ['encrypted tunnels disabled',
'remote desktop protocol access '
'restricted'],
'enhanced_monitoring': 'planned (endpoint detection and response '
'deployment)',
'incident_response_plan_activated': 'yes',
'law_enforcement_notified': 'yes (under investigation)',
'recovery_measures': ['system restoration over ~1 month',
'overtime hours (4,212) for IT staff'],
'remediation_measures': ['password vault server secured',
'malicious backdoor removed'],
'third_party_assistance': [{'name': 'Mandiant (cybersecurity '
'firm)',
'role': 'investigation'},
{'name': 'contractors (unspecified)',
'role': 'recovery'}]},
'stakeholder_advisories': ['Governor Joe Lombardo’s public statement '
'(2024-02-21).',
'After-action report released to stakeholders.'],
'title': 'Nevada State Government Ransomware Attack (2023)',
'type': 'ransomware',
'vulnerability_exploited': 'human error (accidental download of malware-laced '
'system administration tool)'}