Locked Out: The Nevada Government’s Battle Against Ransomware
The State of Nevada recently released a comprehensive after-action report detailing the cyberattack that led to the deployment of ransomware on its systems in August. The report outlines the breach, the recovery efforts, and the lessons learned from the incident.
This transparent report offers rare insight into how a cybersecurity incident unfolded inside a government entity in the U.S., setting a standard for handling such incidents in the future.
The ransomware attack affected over 60 state government agencies, disrupting essential services such as websites, phone systems, and online platforms. Despite not paying the ransom demanded by the attackers, the state was able to recover 90% of the impacted data within 28 days, allowing for the restoration of affected services.
In its latest report, the State of Nevada provides a detailed account of how the cyberattack unfolded, from the initial compromise to the recovery process.
The Initial Compromise
The breach was discovered on August 24, but the hackers had gained access to the system on May 14 when a state employee unwittingly downloaded a trojanized version of a system administration tool.
According to the report, the employee searched for a system administration tool on Google and was led to a malicious website posing as the legitimate project. The fake website offered a malware-infected version of the admin utility, which installed a backdoor on the employee’s device.
Threat actors have increasingly used search advertisements to distribute malware disguised as popular system administration tools, targeting IT employees to gain access to corporate networks.
The malware created a hidden backdoor that connected to the attacker’s infrastructure, providing them with persistent remote access to the state’s network. Despite attempts to remove the malware, the attackers maintained access and continued their malicious activities.
On August 5, the attackers installed remote-monitoring software on a system, allowing them to record screens and log keystrokes. They also deployed a custom encrypted network tunnel to bypass security controls and establish Remote Desktop Protocol (RDP) sessions across multiple systems.
The attackers accessed thousands of files and prepared sensitive information for exfiltration. However, there is no evidence that the data was stolen or published.
On August 24, the attackers deployed ransomware on all servers hosting the state’s virtual machines, leading to a widespread outage that triggered a 28-day recovery effort.
Recovery Efforts
The State of Nevada opted not to pay the ransom and instead relied on its IT staff working overtime to restore the impacted systems and services. This decision saved the state an estimated $478,000 compared to hiring external contractors.
The state incurred costs for external vendor support during the recovery period, including services for unified support, forensics, incident response, recovery, legal counsel, network security, data recovery, and project management.
Despite the financial and operational challenges, Nevada’s cyber-resilience and transparency throughout the incident are commendable. The state has since enhanced its cybersecurity defenses based on recommendations from trusted vendors.
The report emphasizes the importance of investing in cybersecurity to enhance monitoring and response capabilities as cyber threats continue to evolve.

