Recovery took 28 days. The ransomware attack was set in motion May 14, when an employee downloaded malware, disguised as a common system administration tool, from a spoofed website. The attacker had bought paid search ads to push the spoofed site to the top of search results, a technique commonly called search engine optimization (SEO) poisoning (when the placement is purchased through an ad network rather than gamed organically, it is also called malvertising).
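One control that blunts this initial-access vector is refusing to run a downloaded admin tool until it has been checked against the vendor's published hostname and SHA-256 digest, so a lookalike domain boosted by ads or a trojanized installer fails before execution. The block below is an added illustration written for this page, not code from the Nevada report or from any of the firms named in it; the vendor domains, file names and installer bytes are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical vendor details, constructed for this example. In practice the
# trusted hosts and published digests come from the vendor's documentation,
# retrieved over a channel verified independently of the download link.
TRUSTED_HOSTS = {"downloads.example-vendor.com", "tools.example-vendor.com"}
BRAND_TOKENS = ("example-vendor",)   # used only to flag lookalike hostnames

# Constructed stand-ins for installer bytes; real artifacts are binaries.
GENUINE_INSTALLER = b"MZ\x90\x00 genuine sysadmin-tool 1.2.3 (constructed)"
TROJANIZED_INSTALLER = b"MZ\x90\x00 sysadmin-tool 1.2.3 + loader (constructed)"

# The vendor's published SHA-256 per release artifact (constructed here from
# the genuine bytes; a real deployment pins the digest string the vendor posts).
PUBLISHED_SHA256 = {
    "sysadmin-tool-1.2.3.exe": hashlib.sha256(GENUINE_INSTALLER).hexdigest(),
}


def host_of(url):
    """Return the lower-cased hostname of a URL without port or credentials."""
    return (urlparse(url).hostname or "").lower()


def classify_host(host):
    """'trusted', 'lookalike' (carries the brand name but is not ours), or 'unknown'."""
    if host in TRUSTED_HOSTS:
        return "trusted"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def verify_download(url, filename, data):
    """Decide whether a downloaded artifact may be installed.

    Every failed check is recorded so the caller sees all reasons at once;
    a spoofed site typically fails the host check and the digest check.
    """
    reasons = []
    if urlparse(url).scheme != "https":
        reasons.append("scheme-not-https")
    kind = classify_host(host_of(url))
    if kind != "trusted":
        reasons.append(f"{kind}-host")
    expected = PUBLISHED_SHA256.get(filename)
    if expected is None:
        reasons.append("unknown-artifact")
    else:
        actual = hashlib.sha256(data).hexdigest()
        # constant-time comparison of the hex digests
        if not hmac.compare_digest(actual, expected):
            reasons.append("digest-mismatch")
    return {"ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    good = verify_download(
        "https://tools.example-vendor.com/releases/sysadmin-tool-1.2.3.exe",
        "sysadmin-tool-1.2.3.exe", GENUINE_INSTALLER)
    bad = verify_download(
        "https://example-vendor.com-download.example-ads.net/sysadmin-tool-1.2.3.exe",
        "sysadmin-tool-1.2.3.exe", TROJANIZED_INSTALLER)
    print("vendor site:", good)
    print("spoofed site:", bad)
```

The host check is an exact match against an allowlist rather than a substring test, because substring matching is exactly what a lookalike domain such as `example-vendor.com-download.example-ads.net` is designed to pass; the brand-token heuristic only labels such hosts so an analyst can tell a lookalike from an unrelated mirror.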
The Nov. 5 report states that the ransom demand was not paid and that Nevada’s incident response plan was activated immediately. State CIO Timothy Galluzi testified last month that the state was “heavily invested in cyber” and carried $7 million in cyber insurance. Costs attributed to the attack include 4,212 hours of staff overtime.
The report credits the state’s history of planning and practice with making recovery possible.
The investigation, which involved law firm BakerHostetler LLP and cyber firm Mandiant, found that the initial infection installed a backdoor that gave the attacker persistent access: the attacker kept moving through state systems even after the original malicious software had been detected and removed. Twenty-six user accounts, some with administrative privileges, were compromised.
Backup data was deleted during the attack, which extended the recovery period, and the state engaged Dell Recovery Support. According to the report, 90 percent of the encrypted data was successfully recovered, and no data exfiltration was confirmed, though monitoring for it continues. Separately, Microsoft worked with the state on Office 365 recovery.
OFFLINE EFFECTS
Some 60 state offices were impacted in the incident, including the Nevada Health Authority, whose employees used workarounds and reverted to paper processes.
Staff still distributed benefits, including the Supplemental Nutrition Assistance Program; Temporary Assistance for Needy Families; and the Women, Infants and Children program, which was not disrupted because of the way it is administered, leaders said during an Aug. 27 press conference.
The Nevada Department of Motor Vehicles cancelled at least two days of appointments but honored walk-ins. It was unable to communicate online with its largest business partner, the Auto Dealers of Nevada. The DMV waived late fees and expiration dates and asked law enforcement to be lenient with those affected by the outage.
According to the report, state employees and retirees were paid on time.
MOVING FORWARD
The report says that a state security operations center (SOC) is now under review, as is a unified endpoint detection and response system. Members of the GTO in October requested the release of State and Local Cybersecurity Grant Program funds to invest in additional security tools and continue University of Nevada, Las Vegas research about establishing a state SOC.
Legislative members of the Interim Finance Committee, which meets between legislative sessions, asked whether an SOC — for which funding was requested in 2023 and 2025 — would have prevented the attack.
“I think that more resources, especially in information security, are never a bad thing,” Galluzi testified on Oct. 16. “But with the resources we currently have, we were able to maintain this security incident as best we could. [There is] an opportunity to continuously diversify our security platform and look for opportunities to ensure our threat hunting, to look for additional ways to build the cybersecurity ‘layer cake,’ to build stability.”