In August, 2025, the state government of the state of Nevada was brought to its knees by the biggest ever ransomware attack, with the provision of crucial services being grounded for weeks on end.
The fall of 2025 saw the Nevada state government fall victim to cyber attackers, who used the same common error made by the state employee to install the ransomware on the state’s IT system, paralyzing vital state services. A review of the entire incident revealed the incident began in mid-May, with the state employee downloading an infected administration tool from the mimic site, thanks to the heavy-handed help of malicious search engine optimization, with the baneful effect of paid Google ads on the user, who was misled into downloading the tainted software. The secret was kept for long, allowing the hacker to hide in the system, secretly gathering usernames until the state of Nevada was alerted about the incident on the 24th of August.
The Attack: What Happened?
A Nevada employee initiated the intrusion on May 14 by downloading a fraudulent system tool laced with malware. Although the malware was quarantined by the state’s antivirus in late June, it had already installed a persistent backdoor. In the following weeks, the attacker escalated privileges, deploying remote access tools to record keystrokes and screen activity across multiple state systems. By mid-August, the hacker moved laterally through encrypted channels and Remote Desktop Protocol, eventually reaching the state’s password vault. The intrusion exposed credentials of 26 users and compromised over 26,000 files, though only one contained personal data. The breach was finally detected on August 24, prompting a statewide emergency response.
The August 2025 ransomware attack forced dozens of Nevada state offices to halt operations. Many agencies including the DMV, health, and public safety departments temporarily closed or restricted services. Residents faced widespread disruptions: driver’s license processing stopped, background checks were unavailable, and state payroll ran on backup systems. In total, 60 state agencies were affected, making it one of the largest statewide ransomware incidents to date.
No Ransom Paid But Recovery Came With a $1.5 Million Price Tag
The response was also guided by Governor Joe Lombardo and the state CIO, Timothy Galluzi, who made clear the state would pay no ransom, crediting disciplined planning and collaboration for their fast incident recovery. Looking at the numbers, Nevada was able to recover 90% of the compromised data from backup sources, with just four weeks required before all IT systems fully operationalized again, according to the state’s own “after-action” report – an extremely rapid incident response given the magnitude of the event itself.
To lay out the financial specifics, the state spent only four weeks recovering from the event, requiring just 4,212 overtime hours from state staff, along with another 4,212 hours from contracted work, for just over $210,000, with another $1,300,000 paid out to “specialty partners” ranging from forensic analysts to “rebuild” teams, according to the state’s own cyber insurance plans.
“Our state’s proactive response, inclusive of the hard work from the state’s own IT personnel, working extended hours with numerous other firms, including Mandiant, Microsoft’s DART, Dell, Palo Alto Networks, Aeris, among others, enabled the state to effectively circumvent the costly process,” the state explained, going on to observe that “by working with the state’s own human capital, we actually saved the state well over some hundreds of thousands of dollars that even the lowest-costing fully subcontracted process would have otherwise required.”
Notably, the attackers received no payment from the state of Nevada. The Nevada technology department chose not to bargain with the attackers but instead relied on insurance coverage to remove the malware created by the attackers, according to the official report on the incident, which highlights the fact that the state “never seriously” considered the attacker’s request for payment. Governor Lombardo conveyed the state’s refusal to pay the attackers in the following way: “Our teams protected core services, paid our employees on time, and recovered quickly — without paying criminals”.
Lessons Learned and Future Safeguards
“The Nevada event illustrates how important cybersecurity best practices are for the state’s agencies,” said Brian Uzepyl, solutions architect for state, local, and medium business for Microsoft, in an interview with the EDN editorial staff.
The plan is outlined in the officials’ “After Action Report,” which calls for the following, among other steps, in order to improve state defenses: “The state of Nevada will establish a centralized Security Operations Center, implement unified endpoint EDR solutions, improve identity and access management, implement the principle of least privilege for users, and provide cybersecurity training throughout the state, so that an attacker cannot easily move from system to system, reduce the number of resources available to an attacker, or speed the time to detect an attacker,” according to the “After-Action Report” plan.
Nevada will also “use funds allocated from the U.S. government or from vendor contracts to rapidly involve trusted partners whenever the state faces another future event,” according to the “After Action Report” plan. Yet, according to IT professionals, many of these recommended improvements had long been regarded as best practices in the industry already. All along, IT security advice had recommended the centralizing of surveillance, network segmentation, and EDR protection, all of which are beneficial in the early detection of intrusion attempts. However, the experiences of the state of Nevada are one of the best illustrations yet of why these are necessary, aside from their importance in real-time containment solutions aimed at halting malicious code on arrival on the system.
Zero-Dwell: Prevention Over Cleanup
Nevada’s ransomware crisis proved one thing — prevention always costs less than recovery.
Traditional security tools detect and react after a breach begins. Xcitium’s Zero-Dwell Containment stops it before it starts.
Every unknown file is instantly isolated in a secure virtual container — allowed to run, tested, and even misbehave — without ever touching real data or systems.
If ransomware tries to launch, it’s contained and neutralized instantly. The result?
No ransomware. No damage.
We call it Zero-Dwell — because there’s zero delay, zero damage, and zero dwell time for threats to act.
