Nevada State recovers 90 percent of data from Ransomware Attack


The State of Nevada has released its 2025 Statewide Cyber Incident After-Action Report, offering key insights into how the state’s cybersecurity team successfully navigated a major ransomware attack that impacted government systems earlier this year.

According to the report, Nevada’s cybersecurity specialists managed to recover approximately 90% of the encrypted data following a malware attack that took place in May 2025. However, the full extent of the attack was only identified in August 2025, after an extensive investigation into the breach.

No Ransom Paid, Investigation Completed

In the report, the Nevada Government Technology Office confirmed that the state did not give in to the attackers’ demands for a ransom. The hackers, whose identity remains undisclosed, had demanded a sum in exchange for the decryption keys necessary to restore the encrypted data. However, Nevada chose not to comply with these demands, opting to complete a thorough investigation first. By doing so, the state successfully avoided funding criminal activity and was able to focus on recovery efforts.

Nevada’s Governor Joe Lombardo made a statement underscoring the state’s achievement: “Nevada is proud to say that it not only recovered most of the encrypted data, but also managed to pay employees on time, without paying anything to criminals.”

The Fallout for Nevada Residents

Despite the success in data recovery, the impact of the attack was still deeply felt by residents of the state. The ransomware breach caused significant disruptions in key government services, including the processing of driving licenses and background checks. Many residents, particularly those starting new jobs, found themselves unable to complete essential requirements due to these delays. This caused a ripple effect of confusion and frustration, as new appointees were unable to begin their careers on time, leading to unnecessary chaos and administrative burdens.

How the Attack Happened: A Simple Mistake

The attack itself was the result of a phishing incident, where a state department employee inadvertently clicked on a malicious URL in an email. This seemingly innocuous mistake triggered the download of file-encrypting malware onto the state’s system, ultimately locking down critical data across several departments.

The report highlights that although the malware had severe consequences, Nevada’s cybersecurity team acted quickly to contain the threat and begin recovery operations. Their proactive planning and coordinated response played a crucial role in mitigating the full scope of the attack.

The Role of In-House IT and Strong Partnerships

A key factor in Nevada’s swift recovery was the state’s strong internal cybersecurity capabilities. The state benefited from having in-house IT professionals who were able to rapidly assess the situation, as well as from strategic partnerships with technology organizations that assisted in threat mitigation. This collaboration allowed Nevada to respond quickly and effectively to the attack, minimizing the disruption to state services and ensuring that critical functions like employee payroll remained unaffected.

Additionally, the Nevada Cybersecurity Task Force worked closely with federal agencies to investigate the source of the attack and determine the extent of the data breach. Their collective efforts helped reduce the potential damage and helped the state recover much of its data, including personal information and other sensitive files.

Recovery Costs and Cyber Insurance

While Nevada’s decision to avoid paying the ransom helped prevent funding criminal activity, the recovery efforts were not without cost. The state’s government paid for 4,212 overtime hours in labor, amounting to approximately $211,000. These costs were ultimately covered by the state’s cyber insurance policy, which helped offset the financial burden of recovery.

Despite the financial and operational disruptions, the overall response demonstrated Nevada’s resilience and commitment to protecting residents’ data and services. The state’s ability to continue paying employees on time, despite the attack, further highlights the effectiveness of its crisis management and recovery procedures.

Unanswered Questions: Was It a Double Extortion Attack?

While the report provides a thorough overview of the recovery process, one significant detail is left unaddressed: whether this was a double extortion attack. In a double extortion scenario, cybercriminals not only encrypt the victim’s data but also steal a portion of it before locking it down. The attackers then threaten to release or sell the stolen data on the dark web if the ransom is not paid.

The lack of mention regarding double extortion raises questions about whether this particular breach involved such tactics, a growing trend among ransomware gangs. While it’s possible that the hackers only encrypted the data, the silence on the issue leaves room for speculation about what sensitive information may have been compromised and whether it was subsequently leaked.

Looking Forward: Lessons Learned

In light of this attack, Nevada has reinforced the importance of cybersecurity awareness training for employees, ensuring that staff are better prepared to identify and avoid phishing threats. Additionally, the state continues to bolster its partnerships with private cybersecurity firms and invests in its internal cybersecurity infrastructure to prevent future attacks.

While the May 2025 ransomware attack was a major disruption, Nevada’s quick thinking, combined with its proactive security measures, ensured that the situation was managed as effectively as possible. The state’s recovery efforts serve as a model for other public entities grappling with the increasing prevalence of cyber threats in today’s digital age.


Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
