What happened
A ransomware gang successfully penetrated the network of the State of Nevada government and encrypted critical systems across multiple agencies. The attackers deployed malware disguised as legitimate IT tools, establishing a persistent backdoor that allowed lateral movement across the network. They obtained credentials, disabled backups and logging, and eventually deployed ransomware to virtual machine hosts on August 24, 2025.
Who is affected
Roughly 60 state agencies were impacted, including departments handling public safety, health, and licensing services. The attackers compromised backup servers, virtualization hosts, and privileged account vaults. While investigators have not confirmed data exfiltration or public leaks, the attackers accessed over 26,000 files and wiped event logs to conceal their activity.
Why CISOs should care
This attack underscores how modern ransomware groups are using legitimate administrative tools to evade detection and gain persistent access within critical infrastructure. The fact that backups and virtualization hosts were targeted highlights a growing threat to recovery systems once considered secure. Even in the absence of confirmed data theft, the operational downtime, reputational harm, and recovery costs can be devastating. For CISOs, this incident is a reminder that security strategies must now extend beyond perimeter defenses to include resilient backup architecture, continuous monitoring, and airtight privilege management.
3 practical actions
- Validate backups and recovery processes – Ensure backup systems are isolated, regularly tested for integrity, and protected by strict access controls.
- Harden privileged access and monitoring – Apply least privilege, audit administrative accounts frequently, and monitor remote tool usage for anomalies.
- Segment and monitor lateral movement – Implement network segmentation between core infrastructure zones, detect unusual credential use, and protect event logs from tampering.
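As an added illustration of the monitoring side of the second and third actions (not code from the original brief or from the Nevada investigation), the script below runs two detections over a handful of constructed log records: it flags event-log clearing, the behaviour the attackers used to hide their tracks, and it flags a single account that reaches an unusually large number of distinct hosts in a short window, a crude signal of the kind of lateral movement described above. It assumes JSON-lines records with the fields shown and Windows-style event IDs (1102 and 104 for a cleared log, 4624 for a successful logon); the window and threshold values are illustrative choices, not figures from the page.

```python
"""
Added example, not part of the original brief: detect (1) event-log clearing and
(2) one account fanning out to many hosts within a short window.
Assumptions: JSON-lines input with fields ts/event_id/account/host, and
Windows event IDs (1102, 104 = log cleared; 4624 = successful logon).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Windows event IDs written when an event log is cleared (assumed log format)
LOG_CLEAR_EVENT_IDS = {1102, 104}
# Windows Security event ID for a successful logon
LOGON_EVENT_ID = 4624

# Constructed sample records (not real data); one service account hopping across
# backup, virtualization and vault hosts, then clearing logs on two of them.
SAMPLE_LOGS = """\
{"ts": "2025-08-23T22:01:10", "event_id": 4624, "account": "svc-backup", "host": "BKP01", "logon_type": 3}
{"ts": "2025-08-23T22:03:42", "event_id": 4624, "account": "svc-backup", "host": "ESX-MGMT01", "logon_type": 3}
{"ts": "2025-08-23T22:05:05", "event_id": 4624, "account": "svc-backup", "host": "VAULT01", "logon_type": 3}
{"ts": "2025-08-23T22:06:30", "event_id": 4624, "account": "svc-backup", "host": "DC02", "logon_type": 3}
{"ts": "2025-08-23T22:07:55", "event_id": 4624, "account": "svc-backup", "host": "FS-LIC01", "logon_type": 3}
{"ts": "2025-08-23T22:08:12", "event_id": 4624, "account": "jdoe", "host": "WS-1138", "logon_type": 2}
{"ts": "2025-08-23T22:40:00", "event_id": 1102, "account": "svc-backup", "host": "DC02"}
{"ts": "2025-08-24T01:15:00", "event_id": 104, "account": "svc-backup", "host": "ESX-MGMT01"}
"""


def parse_logs(text):
    """Parse JSON-lines records and convert the timestamp to a datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def detect_log_clearing(records):
    """Return (timestamp, account, host) for every log-clearing event."""
    return [(r["ts"], r["account"], r["host"])
            for r in records if r["event_id"] in LOG_CLEAR_EVENT_IDS]


def detect_fan_out(records, window=timedelta(minutes=10), threshold=4):
    """Flag accounts that log on to at least `threshold` distinct hosts within
    any `window`-long span. A sliding window is anchored at each logon in turn."""
    logons = defaultdict(list)
    for r in records:
        if r["event_id"] == LOGON_EVENT_ID:
            logons[r["account"]].append((r["ts"], r["host"]))
    alerts = {}
    for account, events in logons.items():
        events.sort()
        best = set()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            alerts[account] = sorted(best)
    return alerts


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for ts, acct, host in detect_log_clearing(recs):
        print(f"[ALERT] event log cleared on {host} by {acct} at {ts.isoformat()}")
    for acct, hosts in detect_fan_out(recs).items():
        print(f"[ALERT] {acct} logged on to {len(hosts)} hosts within 10 min: {', '.join(hosts)}")
```

Both checks only work if the records survive: the "log cleared" event is written into the log that was just emptied, so it must already have been forwarded to a collector the compromised host cannot write to. That is the practical meaning of "protect event logs from tampering" in the third action.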
