The Nevada government has released a rare, fully transparent technical report on how hackers infiltrated state systems, remained hidden for nearly three months, and then encrypted the servers of all state agencies. Despite the scale of the incident, the state did not pay the ransom and recovered 90% of critical data in 28 days. The investigation revealed that the entry point was a Trojanized version of a system administration tool that an employee downloaded through a fake Google ad. The malicious utility installed a hidden backdoor that automatically connected to the attackers’ infrastructure every time the user logged in.

Although Symantec’s antivirus later deleted the infected file, the persistence mechanism remained, and the hackers maintained access to the network. They then:
- installed commercial RMM software for keylogging and screen recording;
- deployed an encrypted tunnel to bypass controls;
- started RDP sessions on critical servers, including the password vault server;
- stole 26 accounts, wiped logs, and created an archive of 26,408 files;
- gained access to the backup server and deleted all backups;
- modified the hypervisor settings to run unsigned code.
On August 24 at 08:30:18 UTC, the attackers launched ransomware on all hosts containing government virtual machines — disabling websites, phones, internal services, and online platforms for more than 60 government agencies.
The Governor’s Technology Office recorded the incident 20 minutes later, after which a 28-day recovery process began.

The state refused to pay the ransom on principle. Instead, it relied on its own specialists: 4,212 hours of overtime cost $259,000 and saved an estimated $478,000 that would otherwise have gone to external contractors.
External teams were still engaged, however:
- Microsoft DART — $354,481
- Mandiant — $248,750
- Aeris — $240,000
- Others — a total of more than $1.3 million
Despite the scale of the attack, investigators found no signs of exfiltration or data publication.
The Nevada attack is a classic malvertising compromise: a fake Google ad, an administration tool bundled with a Trojan, and onward movement into the domain. In recent years, hackers have increasingly used fake copies of WinSCP, PuTTY, RVTools, LogMeIn, AnyDesk, and KeePass to gain privileged access.
The value of this report lies in its complete transparency: the government does not hide the attackers' steps, the timeline, the intrusion routes, or its own mistakes. This is a rare example of open cybersecurity practice at the state level.
The Nevada incident shows that:
- a simple Google query can be a weak point;
- even after the malicious file is deleted, persistence can remain;
- deleting backups is a typical tactic of modern ransomware groups;
- not paying the ransom is a realistic strategy if there is a competent team;
- transparency after the incident is the best investment in the state's cyber resilience.
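The lesson that persistence can outlive the deleted payload suggests a concrete check. As an added example (not from the Nevada report or the state's own tooling), the Python below triages a constructed export of autostart entries in an assumed `source<TAB>command line` format, flagging entries whose target binary is gone (the hook survived the clean-up) and entries that launch from user-writable directories; the on-disk file list is a constructed stand-in for `os.path.exists`.

```python
import re

# Constructed sample of autostart entries (Run keys and scheduled tasks) in the
# assumed "<source>\t<command line>" export format. None are from the report.
SAMPLE_AUTORUNS = """\
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive\t"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater\t"C:\\Users\\jdoe\\AppData\\Roaming\\SysTool\\svchelper.exe" --silent
SchedTask\\Microsoft\\Windows\\SysTool\\Check\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\loader.exe /q
SchedTask\\Microsoft\\Windows\\Defrag\\ScheduledDefrag\t%windir%\\system32\\defrag.exe -c -h
"""

# Constructed stand-in for os.path.exists(): which targets still exist after the
# antivirus removed the payload. Fixed here so the example runs offline.
FILES_PRESENT = {
    r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
    r"C:\Users\jdoe\AppData\Local\Temp\loader.exe",
    r"C:\Windows\system32\defrag.exe",
}

# Directory markers a standard user can write to; a legitimate service rarely autostarts from here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def target_path(cmdline):
    """Extract the executable path from a Windows command line (quoted or bare, %windir% expanded)."""
    cmdline = cmdline.replace("%windir%", r"C:\Windows").replace("%SystemRoot%", r"C:\Windows")
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else cmdline.strip()

def classify(cmdline, present=FILES_PRESENT):
    """Verdict for one entry: 'orphaned' (hook remains, payload gone), 'user-writable', or 'ok'."""
    path = target_path(cmdline)
    if path not in present:
        return "orphaned"          # the "file deleted but persistence remains" case
    if any(marker in path.lower() for marker in USER_WRITABLE):
        return "user-writable"
    return "ok"

def triage(export=SAMPLE_AUTORUNS, present=FILES_PRESENT):
    """Map each autostart source to its verdict; anything not 'ok' warrants a closer look."""
    results = {}
    for line in export.splitlines():
        if line.strip():
            source, cmdline = line.split("\t", 1)
            results[source] = classify(cmdline, present)
    return results

if __name__ == "__main__":
    for source, verdict in triage().items():
        print(f"{verdict:13} {source}")
```

An orphaned entry is the signal to hunt for, since the hook that re-launches the attacker's tooling at logon is what an antivirus file deletion leaves behind.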
The state has already carried out a full cleanup of access rights, a mass password reset, the removal of outdated certificates, and an update of its access-control rules, and it acknowledges that additional investment in monitoring and response is needed.