What Happened

In August 2025, Nevada's state government systems were compromised in a ransomware attack that had actually begun months earlier — in May 2025 — when an employee inadvertently downloaded malicious software. The breach went undetected for months before the ransomware was deployed, encrypting critical state systems and disrupting government operations.

The Cost

The state spent $1.5 million on recovery efforts, including incident response, system restoration, forensic investigation, and security improvements. This figure does not account for the full cost of operational disruption, lost productivity, or potential exposure of citizen data.

How It Started: Email Was the Entry Point

The attack began with a malicious email that reached an employee's inbox. Weak email security controls — including insufficient spam filtering and lack of robust email authentication — allowed the malicious payload to be delivered without being flagged or blocked.

Once the employee opened the attachment, attackers gained a foothold in the state's network. They moved laterally over the following months, mapping systems and escalating privileges before deploying ransomware.

What Would Have Helped

  • Enforced DMARC policy: Would have blocked spoofed emails from reaching inboxes
  • Proper SPF and DKIM: Would have authenticated incoming email and flagged suspicious messages
  • Email gateway filtering: Would have detected and quarantined the malicious attachment
  • Network segmentation: Would have limited lateral movement after initial compromise
  • Security monitoring: Would have detected anomalous activity during the months-long dwell time

Lessons for Government Agencies

Nevada's breach illustrates a critical pattern: most ransomware attacks begin with email. When email security controls are weak, attackers can deliver malicious payloads directly to employees. Basic email authentication — SPF, DKIM, DMARC — is free to implement and dramatically reduces the attack surface.
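
The following Python example is added here and is not part of the original article. It audits published DMARC and SPF TXT records for the gaps that separate a monitoring-only setup from the enforced policy listed under "What Would Have Helped". The record strings and example.org names are constructed samples, and the function names are this example's own.

```python
# Added example: audit DMARC (_dmarc.<domain>) and SPF (<domain>) TXT records.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt_records):
    """Return findings for the TXT records published at _dmarc.<domain>."""
    records = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(records) != 1:  # RFC 7489: zero or several records means no policy
        return ["dmarc: no usable record (found %d)" % len(records)]
    tags = parse_tags(records[0])
    findings, policy = [], tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("dmarc: p=%s is not enforced" % (policy or "missing"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("dmarc: pct=%s leaves some mail outside the policy" % pct)
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("dmarc: sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        findings.append("dmarc: no rua address, so no aggregate reports")
    return findings

def audit_spf(txt_records):
    """Return findings for the TXT records published at <domain>."""
    records = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:  # RFC 7208: several SPF records is a permanent error
        return ["spf: no usable record (found %d)" % len(records)]
    alls = [t for t in records[0].lower().split()[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["spf: no 'all' term here; check any redirect= target"]
    if alls[0] in ("all", "+all"):
        return ["spf: +all authorizes every sender"]
    if alls[0] in ("~all", "?all"):
        return ["spf: %s does not fail unlisted senders" % alls[0]]
    return []

# Constructed samples: a monitoring-only domain and an enforced one.
WEAK = (["v=DMARC1; p=none; pct=50"], ["v=spf1 include:_spf.example.org ~all"])
STRONG = (["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"], ["v=spf1 mx -all"])

if __name__ == "__main__":
    for dmarc_txt, spf_txt in (WEAK, STRONG):
        print(audit_dmarc(dmarc_txt) + audit_spf(spf_txt) or ["ok: enforced"])
```

An empty result from both functions means the domain publishes an enforced DMARC policy and an SPF record that fails unlisted senders; DKIM signing is verified per message and is outside what this record check covers.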