How a ransomware gang encrypted Nevada government's systems


The State of Nevada has published an after-action report detailing how hackers breached its systems to deploy ransomware in August, and the actions taken to recover from the attack.

The document is one of the few fully transparent technical reports from a federal government in the U.S. on a cybersecurity incident: it describes every step the attacker took and sets an example of how cybersecurity incidents should be handled.

The incident impacted more than 60 state government agencies and disrupted essential services, from websites and phone systems to online platforms. 28 days later, without paying a ransom, the state recovered 90% of the impacted data that was required to restore affected services.


In a report today, the State of Nevada details with full transparency how the initial compromise occurred, the threat actor's activity on its network, and the steps taken after detecting the malicious activity.

Ransomware attack unfolding

Although the breach was discovered on August 24, the hacker had gained initial access on May 14, when a state employee used a trojanized version of a system administration tool.

According to the report, a State employee searched Google for a system administration tool to download and was instead shown a malicious advertisement that led to a fraudulent website impersonating the legitimate project.

This fake website offered a malware-laced version of the admin utility, which deployed a backdoor on the employee's device.

Threat actors have increasingly used search advertisements to push malware disguised as popular system administration tools, such as WinSCP, PuTTY, RVTools, KeePass, LogMeIn, and AnyDesk. Instead of the desired program, the victim installs malware that gives the threat actors initial access to corporate networks.

As these tools are designed for system administrators, the threat actors hope to gain elevated access on the network by targeting these IT employees.

Once executed, the malware configured a hidden backdoor that automatically connected to the attacker’s infrastructure upon user login, providing them with persistent remote access to the state’s internal network.

On June 26, Symantec Endpoint Protection (SEP) identified and quarantined the malicious tool and deleted it from the infected workstation, but the persistence mechanism survived, so the hackers could still reach the environment.

On August 5, the attacker installed commercial remote-monitoring software on a system, which enabled them to record the screen and log keystrokes. A second infection with that tool occurred ten days later.

Between August 14 and 16, the attacker deployed a custom, encrypted network tunnel tool to bypass security controls and established Remote Desktop Protocol (RDP) sessions across multiple systems.

This remote access allowed them to move laterally between critical servers, including the password vault server, from which they retrieved the credentials of 26 accounts; they then wiped event logs to hide their actions.
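The three stages just described (a backdoor that re-launches at user login, RDP sessions fanning out from one source across several servers, and event logs being cleared afterwards) each leave a distinct trace in Windows telemetry. The script below is an added example, not code from the Nevada report or from any vendor named in it; it runs three detection heuristics over a small, constructed set of normalized Windows Security and Sysmon events. Event IDs used are the standard ones (Sysmon 13 for a registry value set, Security 4624 with logon type 10 for RDP, Security 1102 and System 104 for log clearing); the hostnames, account names, IP addresses and timestamps are invented for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report). Each record mirrors the
# fields a SIEM would normalize from Windows Security / Sysmon events.
SAMPLE_EVENTS = [
    # Sysmon 13: Run-key value written under a user hive, pointing into AppData
    {"ts": "2025-05-14T15:02:11", "host": "WS-ADMIN01", "event_id": 13,
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\jdoe\AppData\Roaming\svc\updater.exe"},
    # Sysmon 13: benign autorun pointing into Program Files (should not fire)
    {"ts": "2025-05-14T15:02:12", "host": "WS-ADMIN01", "event_id": 13,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Program Files\Windows Defender\MSASCuiL.exe"},
    # Security 4624 / logon type 10: RDP logons from one source to three servers in 31 minutes
    {"ts": "2025-08-15T02:10:00", "host": "SRV-FILE01", "event_id": 4624,
     "logon_type": 10, "src_ip": "10.20.30.40", "user": "svc_backup"},
    {"ts": "2025-08-15T02:25:00", "host": "SRV-VAULT01", "event_id": 4624,
     "logon_type": 10, "src_ip": "10.20.30.40", "user": "svc_backup"},
    {"ts": "2025-08-15T02:41:00", "host": "SRV-DB02", "event_id": 4624,
     "logon_type": 10, "src_ip": "10.20.30.40", "user": "adm_jdoe"},
    # A single RDP logon from another source: ordinary helpdesk activity
    {"ts": "2025-08-15T09:00:00", "host": "SRV-APP03", "event_id": 4624,
     "logon_type": 10, "src_ip": "10.20.30.41", "user": "helpdesk"},
    # Security 1102 and System 104: logs cleared on the vault server after the RDP session
    {"ts": "2025-08-15T02:55:00", "host": "SRV-VAULT01", "event_id": 1102, "user": "svc_backup"},
    {"ts": "2025-08-15T02:56:00", "host": "SRV-VAULT01", "event_id": 104, "user": "svc_backup"},
]

# Autorun locations that execute at user login, and paths a non-admin user can write to.
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
                "\\currentversion\\winlogon\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
LOG_CLEAR_IDS = {1102: "Security log cleared", 104: "System/Application log cleared"}


def find_logon_persistence(events):
    """Flag autorun entries whose target binary lives in a user-writable path."""
    hits = []
    for e in events:
        if e["event_id"] != 13:
            continue
        target, image = e.get("target", "").lower(), e.get("details", "").lower()
        if any(k in target for k in AUTORUN_KEYS) and any(p in image for p in USER_WRITABLE):
            hits.append((e["host"], e["target"], e["details"]))
    return hits


def find_rdp_fan_out(events, window=timedelta(hours=1), min_hosts=3):
    """Return {src_ip: [hosts]} for sources that RDP'd into >= min_hosts distinct hosts within window."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 10:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    alerts = {}
    for src, logons in by_src.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):  # sliding window anchored at each logon
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts


def find_log_clearing(events):
    """Return (host, event_id, user) for every log-clear event, in input order."""
    return [(e["host"], e["event_id"], e.get("user"))
            for e in events if e["event_id"] in LOG_CLEAR_IDS]


def triage(events):
    """Raise severity of a log-clear when the host was part of an RDP fan-out."""
    flagged_hosts = {h for hosts in find_rdp_fan_out(events).values() for h in hosts}
    return [{"host": host, "event_id": eid, "user": user,
             "severity": "high" if host in flagged_hosts else "medium"}
            for host, eid, user in find_log_clearing(events)]


if __name__ == "__main__":
    print("autorun in user-writable path:", find_logon_persistence(SAMPLE_EVENTS))
    print("RDP fan-out:", find_rdp_fan_out(SAMPLE_EVENTS))
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity'].upper()}: {LOG_CLEAR_IDS[f['event_id']]} on {f['host']} by {f['user']}")
```

The first heuristic is the one that matters after an AV quarantine like the one on June 26: it looks at where the autorun points rather than at the file hash, so it still fires when the binary has been renamed or replaced. The fan-out and log-clearing checks are deliberately correlated in `triage`, because a 1102 on a server that was just reached over RDP from a source already touching several other servers is far more likely to be clean-up than an administrator's housekeeping. Thresholds (`window`, `min_hosts`) and the writable-path list are assumptions to tune per environment.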

Mandiant's incident response team confirmed that the attacker accessed 26,408 files across multiple systems and prepared a six-part .ZIP archive containing sensitive information.

The investigation found no evidence that the attacker exfiltrated or published the data.

On August 24, the attacker authenticated to the backup server and deleted all backup volumes to prevent recovery, then logged into the virtualization management server as root and modified its security settings to allow the execution of unsigned code.

At 08:30:18 UTC, the attacker deployed a ransomware strain on all servers that hosted the state’s virtual machines (VMs).

The Governor’s Technology Office (GTO) detected the outage roughly 20 minutes later (01:50 AM), marking the start of the 28-day statewide recovery effort.

Paying overtime, not a ransom

The State of Nevada maintained a firm stance against paying ransom and relied on its own IT staff and overtime payments to restore the impacted system and services.

Cost analysis shows that the 50 state employees worked a total of 4,212 overtime hours, incurring a wage cost of $259,000 to the state.

This response enabled timely payroll processing, kept public-safety communications online, and quickly re-established citizen-facing systems; it also saved the state an estimated $478,000 compared with standard contractor rates ($175/hour).

The costs for external vendor support during the incident response period amounted to a little over $1.3 million, and are broken down in the table below.

Vendor             Service Provided                           Obligated Cost
-----------------  -----------------------------------------  --------------
Microsoft DART     Unified Support & Infrastructure Rebuild   $354,481
Mandiant           Forensics & Incident Response              $248,750
Aeris              Recovery & Engineering Support             $240,000
BakerHostetler     Legal & Privacy Counsel                    $95,000
SHI (Palo Alto)    Network Security Services                  $69,400
Dell               Data Recovery & Project Management         $66,500
Other IR Vendors   Various Support Services                   ~$240,069

It should be noted that the ransomware actor has not been named. BleepingComputer did not see any major gangs claiming the intrusion on extortion sites.

The incident demonstrates Nevada’s cyber-resilience, with decisive and swift “playbook” action, and the level of transparency it brought is commendable.

Despite the recovery costs and effort, the State of Nevada has also improved its cybersecurity defenses on the advice of trusted vendors.

"The GTO focused on securing the most sensitive systems first, ensuring that access was limited to essential personnel," the report notes.

Some of the technical and strategic actions included removing old or unnecessary accounts, resetting passwords, and removing outdated security certificates. Additionally, system rules and permissions were reviewed to ensure that only authorized users have access to sensitive settings.

However, the state admits there is plenty of room for improvement and recognizes the importance of investing in cybersecurity, particularly to improve monitoring and response capabilities, as threat actors continue to evolve their tactics, techniques, and procedures.
