Nevada ransomware attack traced back to malware download by employee
An August ransomware attack against the state of Nevada has been traced to a May intrusion, when a state employee mistakenly downloaded a malware-laced tool from a spoofed website, according to a forensic report the state released Wednesday.

State officials refused to submit to a ransom demand and recovered 90% of the impacted data after a 28-day recovery period. The state had insurance coverage and pre-negotiated vendor agreements, which factored into the decision not to pay a ransom. 

“The threat actor deployed an attack aimed at taking state systems offline and left behind a note with instructions on how to recover the encrypted systems and data, in an attempt to extort the state,” Timothy Galluzzi, chief information officer and executive director of the Governor’s Technology Office, said in the report. 

The attack impacted more than 60 agencies across the Nevada government, including critical services at the Department of Health and Human Services, the Department of Motor Vehicles and the Department of Public Safety. 

The threat actor, whom the report did not identify, gained access to more than 26,400 files. Another 3,200 files were left exposed across multiple systems. The state incurred about $1.3 million in recovery-related expenses, as it engaged several major companies to help investigate the intrusion and restore agency services, including Mandiant, Dell, Microsoft DART, Palo Alto Networks, Aeris and other firms.

The attack highlights the rising challenge for state and local governments to maintain resilience and continue providing essential services, including emergency response, public safety and healthcare. 

The state employee downloaded the tool on May 14. It installed a hidden backdoor in the state’s computer systems that remained active until Symantec Endpoint Protection quarantined it on June 26.

The hacker installed remote monitoring software under a number of standard and privileged accounts and used the Remote Desktop Protocol (RDP) to move across critical systems and access sensitive directories. Credentials for 26 accounts were stolen, and event logs were cleared to hide evidence of the unauthorized movement.

During the Aug. 24 attack, the threat actor deleted backup volumes, deployed the ransomware and encrypted virtual machines. 

The investigation was not able to find any “definitive evidence” of files being successfully exfiltrated or of information being posted on a leak site, according to a spokesperson for the state. However, a file containing data belonging to a former state employee was confirmed stolen, and that person will be notified.