NEWS 1 Click on a WinSCP Ad = 4000 Hours of Overtime, a Month Without Connectivity, and Proof Google Sells Ad Space to Hackers

ExcalibuR

Image caption: Restoring critical services took weeks of titanic effort.

Authorities in the US state of Nevada have published a technical report giving a detailed breakdown of a large-scale attack in which state systems were encrypted by ransomware. The document lays out the attackers' actions stage by stage, the extent of the breach, and the measures taken to restore operations.

The publication is a rare example of transparency about an incident that affected more than sixty agencies and halted both digital and telephone services. Recovery took almost a month, and despite the serious consequences no ransom was paid: nearly all of the data needed to restart services was recovered by the state's own specialists.

The initial compromise occurred on May 14, when an employee of one of the agencies downloaded a trojanized copy of a system utility from a malicious site disguised as the vendor's official one. The link had been placed in a search-engine advertisement, so instead of the expected software a remote-access program was installed on the device.

This technique is increasingly common: malware is distributed disguised as popular legitimate utilities such as WinSCP, PuTTY, KeePass or AnyDesk, and because the people who download such tools are often administrators, the resulting foothold in the corporate network frequently comes with elevated privileges. In this case the malware was configured to reconnect to its command-and-control server every time the user logged in, so the attackers kept their access even after antivirus deleted the original file. Removing the dropped file without also removing the persistence mechanism that relaunches it is not containment, and this incident shows why.

By summer the attackers had installed commercial remote monitoring and management software on the compromised host, which let them record the screen and capture keystrokes. Later they deployed a tool of their own that created an encrypted tunnel into the infrastructure, allowing them to bypass security controls and begin moving laterally through internal systems. Over RDP they moved between hosts and obtained credentials for twenty-six accounts, including accounts with access to the password vault. To cover their tracks, they cleared event logs.

Mandiant's incident response team confirmed that the attackers accessed more than twenty-six thousand files, some containing sensitive information, but found no evidence that data was exfiltrated or published. On August 24 the attackers deleted backup copies and then changed hypervisor settings so that unsigned components could be executed. At 08:30 UTC the ransomware deployment began, hitting every server that hosted virtual machines. Just twenty minutes later, staff of the Office of Information Technology noticed the outages and began recovery efforts. The order of operations (destroy backups, then loosen the hypervisor's code-integrity settings, then encrypt the virtualization layer) is exactly the scenario that offline or immutable backups and monitored hypervisor configuration are meant to survive.

The state's fundamental position was a refusal to make any payment to the criminals. Instead, internal resources were mobilized: 50 employees put in more than four thousand hours of overtime, at a cost of about $259,000 to the budget, which allowed critical functions, including payroll and communication systems for emergency services, to be restored quickly. External contractors were brought in for support, among them Microsoft, Mandiant, Aeris, the law firm BakerHostetler, and others. The total value of the contracts was approximately $1.3 million.

Although the criminal group's name has not been disclosed and no major ransomware group has claimed responsibility, the incident stands as a significant example of rapid response. The report emphasizes that one of the top priorities after the attack was strengthening the defense of the most sensitive systems. Obsolete accounts were removed, passwords were reset, and certificates and access rights were reviewed. At the same time, the authorities acknowledge the need for further investment in cybersecurity, particularly in monitoring and rapid response, as attacker methods continue to evolve.
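Three of the attacker behaviours described in the post (a logon-triggered reconnect that survived deletion of the dropped file, RDP-based lateral movement that harvested credentials for twenty-six accounts, and clearing of event logs before the ransomware ran) each leave a footprint in Windows event logs. The following Python is an added example, not code from the Nevada report, Mandiant or the post's author: it runs three simple detection rules over a handful of constructed Security/System log records. The event IDs are real Windows IDs (4698 scheduled task created, 4624 logon with type 10 for RDP, 1102 Security log cleared, 104 System log cleared); the hosts, accounts, task name, timestamps and thresholds are invented, and the "trigger" field on the 4698 record stands in for the trigger parsed out of the task XML the real event carries, since the report does not say which persistence mechanism was used.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, NOT taken from the Nevada report. Each is a
# Windows Security/System event reduced to the fields the rules below read.
SAMPLE_EVENTS = [
    # 4698: scheduled task created. "trigger" is assumed to have been
    # extracted from the task XML; a logon trigger re-runs the payload at sign-in.
    {"ts": "2025-05-14T15:02:11", "id": 4698, "host": "WS-0412", "user": "j.doe",
     "task": "\\Microsoft\\Windows\\Update\\WinSCPUpdater", "trigger": "LogonTrigger"},
    # 4624 logon type 10 (RemoteInteractive, i.e. RDP): one workstation logging
    # on to several servers as several different accounts within minutes.
    {"ts": "2025-08-20T02:10:00", "id": 4624, "host": "SRV-FILE01", "user": "svc_backup",
     "logon_type": 10, "src": "WS-0412"},
    {"ts": "2025-08-20T02:14:30", "id": 4624, "host": "SRV-FILE01", "user": "a.smith",
     "logon_type": 10, "src": "WS-0412"},
    {"ts": "2025-08-20T02:19:05", "id": 4624, "host": "SRV-SQL02", "user": "dbadmin",
     "logon_type": 10, "src": "WS-0412"},
    {"ts": "2025-08-20T02:22:40", "id": 4624, "host": "SRV-VAULT", "user": "vault_admin",
     "logon_type": 10, "src": "WS-0412"},
    {"ts": "2025-08-20T02:25:12", "id": 4624, "host": "SRV-HV01", "user": "hv_admin",
     "logon_type": 10, "src": "WS-0412"},
    # Benign control: a helpdesk host doing a single RDP logon as one account.
    {"ts": "2025-08-20T09:00:00", "id": 4624, "host": "SRV-FILE01", "user": "helpdesk1",
     "logon_type": 10, "src": "WS-HELP01"},
    # Anti-forensics: Security log cleared (1102), then System log cleared (104).
    {"ts": "2025-08-24T08:05:00", "id": 1102, "host": "SRV-HV01", "user": "hv_admin"},
    {"ts": "2025-08-24T08:05:03", "id": 104, "host": "SRV-HV01", "user": "hv_admin"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def rdp_fanout(events, window=timedelta(minutes=30), threshold=5):
    """Source hosts that log on over RDP (4624, logon type 10) as at least
    `threshold` distinct accounts inside a sliding `window`.
    Returns {source_host: sorted list of accounts}."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            by_src[e["src"]].append((_ts(e), e["user"]))
    hits = {}
    for src, logons in by_src.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            users = {u for t, u in logons[i:] if t - start <= window}
            if len(users) >= threshold:
                hits[src] = sorted(users)
                break
    return hits


def log_clearing(events):
    """Anti-forensics: 1102 = Security log cleared, 104 = another log cleared."""
    return [e for e in events if e["id"] in (1102, 104)]


def logon_persistence(events):
    """Scheduled tasks (4698) whose trigger fires at user logon, i.e. a
    payload that re-runs at every sign-in regardless of the dropped file."""
    return [e for e in events if e["id"] == 4698 and e.get("trigger") == "LogonTrigger"]


def run_rules(events):
    """Run all three rules and return their hits keyed by rule name."""
    return {
        "logon_persistence": logon_persistence(events),
        "rdp_fanout": rdp_fanout(events),
        "log_clearing": log_clearing(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

The thresholds are placeholders: in a real environment the RDP fan-out rule needs tuning and an allowlist for legitimate jump hosts, and the 1102/104 rule only helps if events are forwarded to a collector the local administrator cannot clear, because the point of the log-wiping step is that logs left on the box itself can no longer be trusted.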
 