The Nevada state government suffered a ransomware attack in August 2025, triggered by an SEO poisoning campaign where a state employee unknowingly downloaded malware from a spoofed website via malicious Google ads. The attacker maintained persistence for months, escalating privileges, clearing logs, and deleting backups before deploying ransomware on August 16–24, crippling critical systems. While 26,408 files were accessed, only one document containing a former employee’s personal data was confirmed compromised. No evidence of exfiltration or public leaks was found, but the attack disrupted core services including the Department of Health, DMV, and Public Safety for 28 days, forcing office closures, phone/website outages, and $1.5M+ in recovery costs (including $1.3M for vendors and $259K in employee overtime). Payroll systems were prioritized for restoration to ensure on-time employee payments. The state refused to pay the ransom, relying on backups and FBI/Mandiant assistance to recover 90% of data. The incident coincided with federal cuts to cybersecurity agencies, highlighting systemic vulnerabilities.
Source: https://therecord.media/nevada-declined-ransom-breach
TPRM report: https://www.rankiteo.com/company/state-of-nevada-department-of-administration
{
  "id": "sta5902259110725",
  "linkid": "state-of-nevada-department-of-administration",
  "type": "Ransomware",
  "date": "8/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "residents and employees relying on state services (e.g., health, motor vehicles, public safety)",
      "industry": "public administration",
      "location": "Nevada, USA",
      "name": "State Government of Nevada",
      "type": "government"
    },
    {
      "industry": "healthcare",
      "location": "Nevada, USA",
      "name": "Department of Health (Nevada)",
      "type": "government agency"
    },
    {
      "industry": "transportation",
      "location": "Nevada, USA",
      "name": "Department of Motor Vehicle Services (Nevada)",
      "type": "government agency"
    },
    {
      "industry": "public safety",
      "location": "Nevada, USA",
      "name": "Department of Public Safety (Nevada)",
      "type": "government agency"
    }
  ],
  "attack_vector": [
    "SEO poisoning (malicious code in trusted online resource)",
    "malware-laced system administration tool from spoofed website",
    "legitimate Google advertisements delivering malware",
    "hidden backdoor (persisted despite Symantec Endpoint Protection quarantine)",
    "commercial remote monitoring software installed on multiple systems",
    "lateral movement across critical systems",
    "access to password vault server",
    "log clearing and backup deletion before ransomware deployment"
  ],
  "customer_advisories": [
    "Public disclosure of incident and recovery progress",
    "Notification to affected former employee"
  ],
  "data_breach": {
    "data_encryption": "yes (ransomware encrypted systems)",
    "data_exfiltration": "no evidence found",
    "number_of_records_exposed": "1",
    "personally_identifiable_information": "yes (1 former employee)",
    "sensitivity_of_data": "moderate (personal information of former employee)",
    "type_of_data_compromised": "personal information (1 document)"
  },
  "date_detected": "2025-08-16",
  "date_resolved": "2025-09-20",
  "description": "The state government of Nevada experienced a ransomware attack in August 2025, which took down critical government systems. The attack was traced back to an SEO poisoning campaign where malicious code was embedded in a trusted online resource accessed by state IT personnel. The state refused to pay the ransom, relying on backups to restore 90% of impacted data within 28 days. The attack affected multiple agencies, including the Department of Health, Department of Motor Vehicle Services, and Department of Public Safety, leading to temporary closures and service disruptions. No evidence of data exfiltration was found, but 26,408 files were accessed, with one document containing personal information of a former employee.",
  "impact": {
    "brand_reputation_impact": "potential reputational damage due to service disruptions and public disclosure of attack",
    "data_compromised": "1 document containing personal information of a former employee",
    "downtime": "28 days (August 16, 2025 – September 20, 2025)",
    "financial_loss": "$1.56 million ($259,000 in overtime + $1.3 million in external vendor costs)",
    "identity_theft_risk": "low (only one former employee's data exposed)",
    "operational_impact": [
      "government offices closed for several days",
      "disruption to critical services (health, motor vehicles, public safety)",
      "4,212 overtime hours worked by 50 state employees",
      "coordination with 60+ state agencies and multiple vendors"
    ],
    "systems_affected": [
      "Department of Health",
      "Department of Motor Vehicle Services",
      "Department of Public Safety",
      "state payroll systems",
      "password vault server",
      "government phones and websites"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": "yes (hidden backdoor persisted despite Symantec quarantine)",
    "data_sold_on_dark_web": "no evidence found",
    "entry_point": "SEO poisoning via trusted online resource (malware-laced system administration tool from spoofed website)",
    "high_value_targets": [
      "password vault server",
      "privileged user accounts",
      "critical agency systems (Health, DMV, Public Safety)"
    ],
    "reconnaissance_period": "May 14, 2025 – August 16, 2025 (3 months)"
  },
  "investigation_status": "ongoing monitoring (no evidence of data exfiltration as of report date)",
  "lessons_learned": [
    "Importance of robust backup systems (enabled recovery without paying ransom)",
    "Need for improved endpoint protection (Symantec failed to fully remediate backdoor)",
    "Criticality of network segmentation (to limit lateral movement)",
    "Value of third-party expertise (FBI, Mandiant, DHS assistance)",
    "Prioritization of essential services (e.g., payroll) during recovery",
    "Ongoing monitoring post-incident to detect delayed impacts"
  ],
  "motivation": "financial (ransomware)",
  "post_incident_analysis": {
    "corrective_actions": [
      "System hardening and segmentation",
      "Wider deployment of security tools",
      "Enhanced monitoring and detection capabilities",
      "Improved backup protection and recovery procedures",
      "Security awareness training for employees"
    ],
    "root_causes": [
      "Successful SEO poisoning attack (trusted resource compromised)",
      "Employee downloaded malware-laced tool from spoofed website",
      "Inadequate endpoint protection (backdoor persisted post-quarantine)",
      "Lack of network segmentation (enabled lateral movement)",
      "Insufficient backup protection (backups deleted by attacker)",
      "Delayed detection (attacker active from May to August)"
    ]
  },
  "ransomware": {
    "data_encryption": "yes",
    "data_exfiltration": "no evidence found",
    "ransom_paid": "no"
  },
  "recommendations": [
    "Enhance endpoint detection and response (EDR) capabilities",
    "Implement stricter network segmentation between departments",
    "Deploy adaptive security tools (e.g., behavioral WAF, scrubbing services)",
    "Conduct regular security awareness training (to prevent SEO poisoning attacks)",
    "Test and validate backup integrity and recovery procedures",
    "Monitor dark web for potential data leaks post-incident",
    "Coordinate with federal agencies (e.g., CISA) for cybersecurity support"
  ],
  "references": [
    {"source": "Nevada State Government Post-Mortem Report"},
    {"source": "Governor Joe Lombardo's Statement"}
  ],
  "response": {
    "communication_strategy": [
      "public post-mortem review",
      "governor's statement emphasizing no ransom payment",
      "ongoing monitoring and updates"
    ],
    "containment_measures": [
      "isolation of affected systems",
      "coordination with 60+ state agencies",
      "prioritization of payroll system restoration"
    ],
    "enhanced_monitoring": "planned for future hardening",
    "incident_response_plan_activated": true,
    "law_enforcement_notified": true,
    "network_segmentation": "planned for future hardening",
    "recovery_measures": [
      "system hardening",
      "network segmentation between departments",
      "wider deployment of security tools"
    ],
    "remediation_measures": [
      "restoration from backups (90% of data recovered)",
      "review of remaining 10% of data on a risk basis",
      "notification of affected former employee"
    ],
    "third_party_assistance": [
      "FBI",
      "Mandiant",
      "Department of Homeland Security",
      "multiple vendors (unnamed)"
    ]
  },
  "stakeholder_advisories": [
    "Coordination with 60+ state agencies",
    "FBI and DHS assistance",
    "Vendor engagement for recovery"
  ],
  "title": "Ransomware Attack on Nevada State Government Systems",
  "type": "ransomware",
  "vulnerability_exploited": [
    "human error (employee downloading malware-laced tool)",
    "inadequate endpoint protection (Symantec Endpoint Protection failed to fully remediate backdoor)",
    "lack of network segmentation (allowed lateral movement)",
    "weak backup protection (backups were deleted by attacker)"
  ]
}