Nevada Ransomware Attack: State Silent on Payment

by Ahmed Ibrahim, World Editor

Nevada Cyberattack Enters Sixth Week with Lingering Questions of Scope and Ransom

More than six weeks after Governor Joe Lombardo’s office announced a widespread cyberattack targeting the State of Nevada, residents remain largely uninformed about the extent of the damage or whether a ransom was paid to the attackers. While investigations of this magnitude are expected to take months, cybersecurity experts and political observers express concern that crucial information may be deliberately withheld.

The initial “cyber incident,” announced on August 24th, prompted the physical closure of all state agencies – including the Department of Motor Vehicles and social services offices – for a minimum of two days. As a “proactive and precautionary measure,” all state agency websites were simultaneously taken offline.

The disruption cascaded across essential services for weeks. The agency responsible for processing Medicaid, SNAP, and TANF applications reverted to paper-based applications. Mandatory background checks for firearm sales were suspended, effectively halting legal transactions for individuals without concealed carry permits. Critically, law enforcement databases containing criminal records and registered sex offender information became inaccessible, and businesses reliant on DMV databases – such as car dealerships and smog check stations – experienced significant delays.

Greg Moody, director of the cybersecurity program at UNLV, characterized the attack as “the largest state-focused attack in modern history,” a sentiment echoed by others in the cybersecurity community who described it as an unprecedented event.

On September 12th, the governor’s office reported that “90%” of public-facing state agency websites had been restored. However, no further updates have been provided since then.

As of Monday, a recovery update page maintained by the state displayed a banner declaring all state agency websites operational and announcing the end of further updates. The timing of this announcement remains unclear, and the governor’s office did not respond to a direct inquiry from the Nevada Current regarding the final restoration date.

“All major constituent-facing services are back online, and Nevada is operational again,” stated Josh Meny, the governor’s press secretary, in an emailed statement. Meny acknowledged ongoing “intermittent back-end issues” but attributed the majority of these to recent system enhancements designed to bolster cybersecurity, rather than the initial attack.

While some agency website features may remain unavailable, a comprehensive accounting of these issues has not been publicly released. According to Meny, “it may be challenging to precisely quantify the minor adjustments currently being implemented by agencies,” but the state “is actively compiling an inventory of these efforts.”

The governor’s office declined to provide further details regarding the cyberattack, including the amount of any ransom demanded or whether a payment was made. “The state remains committed to transparent communication and will share a final update once all efforts have been successfully completed,” Meny stated.

Moody from UNLV indicated that the lack of additional information is not surprising, given the ongoing investigation being conducted in collaboration with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the FBI. He explained that retracing electronic actions and preserving evidence for potential prosecution are time-consuming processes. “It makes the process go slower,” he added.

The state maintains that, to date, there is “no evidence of any constituent PII (personally identifiable information) being compromised” in the attack. However, Governor Lombardo previously stated that if investigators were to uncover evidence of a breach, the state would adhere to Nevada’s strict data breach notification statutes, promptly informing affected individuals and providing protective resources.

The state has confirmed that data was “exfiltrated” – removed from its systems – but has not disclosed the nature of that data. Moody noted that Nevada Revised Statute defines “personal information” narrowly, requiring a full or partial name in conjunction with another identifier, such as a driver’s license number or password. Encrypted data, he added, would likely not meet this definition, offering “some reasonable assurance” that attackers would be unable to access it.

Moody suggested that attackers may have obtained information that does not meet the state’s definition of PII, or that they were primarily assessing the state’s IT infrastructure for potential replication of the attack elsewhere. “Who knows,” he said. “Until we know the hacker and the motivation it’ll be hard to know what they were looking for.”

Governor Lombardo previously described the incident as a ransomware attack, suggesting a financial motive. While some states have enacted laws prohibiting the payment of ransoms, Nevada currently lacks such legislation.

“They could have cut a deal or paid a ransom,” said Michael Leonard, a former IT professional and publisher of Mike’s Reno Report. “‘Keep quiet and we’ll give you money.’” Leonard criticized the lack of transparency, acknowledging the need for a thorough investigation but emphasizing the state’s responsibility to demonstrate its commitment to resolving the issue.

Leonard suspects that the silence is motivated by both investigative concerns and political considerations. “I would say it’s equal motivation,” he stated, “to protect the reputation of government officials and elected officials.” He added, “There are unanswered questions and we should be asking them.”

With Lombardo facing reelection next year and considered a vulnerable incumbent, the timing of the attack is particularly sensitive. Attorney General Aaron Ford is currently viewed as the leading challenger, though he must first secure the Democratic nomination.

Democratic legislative leaders initially voiced criticism of Lombardo following the cyberattack but have since remained largely silent on the matter. Assembly Speaker Steve Yeager announced the formation of a legislative working group on cybersecurity on September 9th, but his caucus has not yet provided an update on its progress.
