Mallory

Ransomware Attack on Nevada State Government via Malicious Admin Tool

Tags: ransomware, malware, admin tool, exploit, backdoor, trojanized, IT staff, phishing, password vault, cyberinsurance, attack, government, Active Directory, user-driven
Updated November 7, 2025 at 02:07 PM · 6 sources


A ransomware attack on the Nevada state government was enabled by a state employee's accidental download of a trojanized system administration tool from a fraudulent website in May. The attackers established a backdoor, conducted lateral movement, and over several months reached the state's password vault server. By August they had exfiltrated sensitive data, deleted backup volumes, and deployed ransomware, disrupting services at more than 60 state agencies, including health benefits, public safety records, and DMV operations. Critical systems were offline for up to 28 days, and recovery required a full rebuild of Active Directory and significant overtime from IT staff. The state did not pay a ransom; recovery costs came to at least $1.5 million, most of it covered by cyber insurance.

The after-action report from Nevada's technology office highlighted the attackers' use of search ads to distribute malware disguised as legitimate admin tools, a growing initial-access technique. Despite the extensive impact, Nevada was commended for the speed and transparency of its response, restoring 90% of impacted data within a month. The incident underscores the risk of trojanized third-party tooling and user-driven compromise, and the importance of robust detection, backup, and identity management practices in defending government infrastructure against ransomware campaigns.
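The initial access described above comes down to an administrator running an installer whose file name looked right but whose origin and contents were not. The following is an added example, not code from Nevada's after-action report or from this page: a pre-execution check that accepts an admin-tool download only when both its source host and its SHA-256 match a vendor allowlist, so that neither a lookalike domain reached through a search ad nor a tampered binary on the right domain gets through. The tool name, vendor host, installer bytes and download events are constructed, and the allowlist layout and function names are assumptions.

```python
"""Pre-execution checks for a downloaded admin tool.

Added example; not code from Nevada's after-action report or the Mallory page.
The tool name, vendor host, installer bytes and download events are constructed.
"""
import hashlib
from urllib.parse import urlparse

# Constructed stand-ins for a real signed installer and a trojanized copy of it.
GENUINE_INSTALLER = b"MZ\x90\x00 constructed: genuine admintool-setup.exe"
TROJANIZED_INSTALLER = b"MZ\x90\x00 constructed: admintool-setup.exe with backdoor"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Hypothetical allowlist keyed by installer file name: the hosts the vendor really
# serves downloads from, and the SHA-256 values the vendor publishes per release.
ALLOWLIST = {
    "admintool-setup.exe": {
        "hosts": {"downloads.example-vendor.com"},
        "sha256": {sha256_hex(GENUINE_INSTALLER)},
    },
}


def host_is_allowed(host, allowed_hosts):
    """Exact match or a subdomain of an allowed host.

    A plain substring test would accept lookalikes such as
    downloads.example-vendor.com.evil.example, which is exactly the kind of
    fraudulent site a malicious search ad points at.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def check_download(filename, url, data):
    """Return a list of findings; an empty list means the download is clean."""
    entry = ALLOWLIST.get(filename.lower())
    if entry is None:
        return ["not an approved admin tool"]
    findings = []
    host = urlparse(url).hostname
    if not host_is_allowed(host, entry["hosts"]):
        findings.append("downloaded from unexpected host %s" % host)
    if sha256_hex(data) not in entry["sha256"]:
        findings.append("sha256 does not match a vendor-published checksum")
    return findings


# Constructed download events, as a proxy or endpoint agent might record them.
SAMPLE_DOWNLOADS = [
    {"user": "admin1", "filename": "admintool-setup.exe",
     "url": "https://downloads.example-vendor.com/v3/admintool-setup.exe",
     "data": GENUINE_INSTALLER},
    # Same file name, but served by a lookalike host reached through a search ad.
    {"user": "admin2", "filename": "admintool-setup.exe",
     "url": "https://downloads.example-vendor.com.evil.example/admintool-setup.exe",
     "data": TROJANIZED_INSTALLER},
    # Host checks out but the bytes were tampered with: the hash check still catches it.
    {"user": "admin3", "filename": "admintool-setup.exe",
     "url": "https://downloads.example-vendor.com/v3/admintool-setup.exe",
     "data": TROJANIZED_INSTALLER},
]


def triage(events):
    """Run every event through check_download and keep only those with findings."""
    flagged = []
    for ev in events:
        findings = check_download(ev["filename"], ev["url"], ev["data"])
        if findings:
            flagged.append({"user": ev["user"], "url": ev["url"], "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_DOWNLOADS):
        print(hit["user"], hit["url"])
        for finding in hit["findings"]:
            print("  -", finding)
```

The two checks are deliberately independent: the host check catches the fraudulent-site case even when the attacker ships a byte-identical installer, and the hash check catches a tampered binary even when it arrives from the real domain. The weak point is the allowlist itself; it has to be populated from the vendor's published checksums, not from whatever the first download happened to hash to.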


Related Stories

Nevada Expands Zero Trust and Identity Modernization After Ransomware Attack


Nevada officials said a **major ransomware attack** prompted the state to accelerate cybersecurity and digital modernization efforts, with State CIO **Tim Galluzi** framing the incident as proof that resilience, workforce readiness, and governance must be built into daily operations rather than treated as one-time projects. The state subsequently secured unanimous legislative support and backing from the governor to invest in new cybersecurity tools and infrastructure intended to better protect resident data and critical government systems. Nevada's response emphasizes **zero trust architecture**, stronger **identity and access management**, and broader cross-agency coordination as part of a longer-term modernization strategy. Galluzi described identity as the "new firewall" in an environment where employees, partners, and residents increasingly access systems remotely, and he also highlighted workforce training as a core defensive measure alongside technology upgrades and improved service delivery.

Today
Ransomware and data-breach disclosures across education, critical infrastructure, and healthcare


Rome’s **La Sapienza University** shut down network systems as a precaution after a cyberattack caused widespread disruption and left its website offline; Italian media attributed the incident to a suspected ransomware operation linked to pro-Russian actor **Femwar02**, with reported tradecraft resembling **Bablock/Rorschach**-style fast encryption. Separately, Romania’s national oil pipeline operator **Conpet** reported a cyberattack that disrupted corporate IT and took down `www.conpet.ro` while leaving **OT/SCADA** and pipeline transport operations unaffected; **Qilin** claimed responsibility, alleging theft of nearly **1TB** of data and posting sample documents (including financial data and passport scans) to support extortion claims. In the U.S., government services contractor **Conduent** faced expanding breach impact from its January 2025 ransomware incident, with notifications indicating exposure potentially reaching **dozens of millions**; reported affected data includes **names, Social Security numbers, and medical/health insurance information**, with at least **15.4M** impacted in Texas and **10.5M** in Oregon per state disclosures. Additional healthcare-sector disclosures included a ransomware-linked intrusion at **Insightin Health** (unauthorized access in September 2025; **Medusa** claimed exfiltration of **378GB**) and a separate compromise at **Clinic Service Corporation** (August 2025 access window), while **Central Ozarks Medical Center** reported a criminal cyberattack affecting **11,818** individuals with exposure of PHI/PII (including SSNs and financial/insurance data). Other items in the set were not incident-specific: an **HHS-OIG** audit describing web application security weaknesses at a large hospital, and general guidance/education pieces on the value of medical records to attackers and **CISA** insider-threat guidance.

1 month ago

BlackSuit Ransomware Attack on Global Manufacturer via Compromised VPN Credentials

A major global equipment manufacturer suffered a severe ransomware attack orchestrated by the BlackSuit ransomware group, also tracked as Ignoble Scorpius. The attack began with a vishing (voice phishing) campaign in which an attacker impersonated the company's IT help desk and convinced an employee to enter their VPN credentials into a phishing site. Using these stolen credentials, the attackers gained initial access to the corporate network. Once inside, they escalated privileges by executing a DCSync attack against a domain controller, abusing directory replication rights to pull credential material and steal highly privileged credentials, including those of a key service account. The attackers then moved laterally across the network using Remote Desktop Protocol (RDP), Server Message Block (SMB), and tools such as Advanced IP Scanner and SMBExec to map the environment and identify valuable assets. Persistence was established by deploying AnyDesk and a custom remote access trojan (RAT) as scheduled tasks on domain controllers. The threat actors compromised a second domain controller and extracted the NTDS.dit database, which holds the password hashes of every domain account, enabling further credential compromise. Over 400 GB of sensitive data was exfiltrated using a renamed rclone utility. To erase forensic evidence and hinder incident response, the attackers ran CCleaner before launching the ransomware payload. The BlackSuit ransomware was deployed using Ansible, resulting in the simultaneous encryption of hundreds of virtual machines across nearly 60 VMware ESXi hosts and causing widespread operational disruption. The attackers demanded a $20 million ransom, which the organization refused to pay. In response, the manufacturer implemented several security measures, including upgrading to newer Cisco Adaptive Security Appliance firewalls, enforcing multi-factor authentication, segmenting the network, disabling NTLM, and restricting administrative access to isolated VLANs.
The incident highlights the significant risks posed by social engineering and credential theft, as well as the sophisticated tactics used by modern ransomware groups. The attack demonstrates the importance of robust incident response, credential hygiene, and layered security controls to mitigate the impact of such breaches. The use of legitimate remote access tools and living-off-the-land techniques by the attackers complicated detection and response efforts. The exfiltration of large volumes of sensitive data prior to encryption underscores the dual extortion tactics now common among ransomware operators. The manufacturer’s refusal to pay the ransom and rapid implementation of enhanced security controls serve as a case study in post-incident resilience. The attack also illustrates the growing trend of targeting virtualization infrastructure, such as VMware ESXi hosts, to maximize operational disruption. Security researchers and incident responders continue to analyze the tactics, techniques, and procedures (TTPs) used in this attack to inform defensive strategies for other organizations.

5 months ago
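The DCSync step in the BlackSuit intrusion above (pulling credential material from a domain controller over the directory replication protocol) leaves a distinctive trace: a Windows Security event 4662 in which an account that is not a domain controller exercises one of the DS-Replication-Get-Changes extended rights. The following is an added example, not the manufacturer's or any researcher's code, that flags such events from parsed 4662 records. The event records, account and host names are constructed, and the allowlist of legitimate replicators is an assumption that has to be filled in per environment.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example; not code from the incident write-up above. Event records are
constructed; account and host names are hypothetical.
"""
import re

# Extended rights that authorise directory replication (Microsoft-documented GUIDs).
# Only accounts that replicate for a living should ever exercise them.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# ADS_RIGHT_DS_CONTROL_ACCESS: the access-mask bit set when an extended right is used.
CONTROL_ACCESS = 0x100

# Hypothetical allowlist: domain controllers and a directory-sync service account.
# List exact names, not "anything ending in $": an attacker can create a machine
# account, so a trailing $ proves nothing.
EXPECTED_REPLICATORS = {"dc01$", "dc02$", "msol_a1b2c3"}

GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def replication_rights_in(properties):
    """Names of the replication rights referenced in a 4662 Properties field."""
    return {REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(properties) if g.lower() in REPLICATION_RIGHTS}


def normalise_subject(name):
    """Strip a DOMAIN\\ prefix and lower-case for comparison with the allowlist."""
    return name.rsplit("\\", 1)[-1].lower()


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """One alert per 4662 event in which an unexpected account used a replication right."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if (int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS) == 0:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        subject = normalise_subject(ev.get("SubjectUserName", ""))
        if subject in expected:
            continue
        # Get-Changes-All is the right that yields password hashes; without it a
        # replication request cannot pull secrets, so it ranks lower.
        severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
        alerts.append({"subject": subject, "dc": ev.get("Computer"),
                       "rights": sorted(rights), "severity": severity})
    return alerts


# Constructed events, in the shape a SIEM hands over after parsing 4662.
SAMPLE_EVENTS = [
    # Routine: a domain controller replicating from its peer.
    {"EventID": 4662, "Computer": "dc01.corp.example", "SubjectUserName": "CORP\\DC02$",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A service account asking for everything, secrets included: classic DCSync.
    {"EventID": 4662, "Computer": "dc01.corp.example", "SubjectUserName": "CORP\\svc_backup",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user with Get-Changes only: still wrong, but cannot pull hashes by itself.
    {"EventID": 4662, "Computer": "dc01.corp.example", "SubjectUserName": "CORP\\jdoe",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Some other extended right (constructed GUID): not replication, so ignored.
    {"EventID": 4662, "Computer": "dc01.corp.example", "SubjectUserName": "CORP\\jdoe",
     "AccessMask": "0x100",
     "Properties": "{deadbeef-0000-4000-8000-000000000001}"},
    # Unrelated event type.
    {"EventID": 4624, "Computer": "dc01.corp.example", "SubjectUserName": "CORP\\jdoe"},
]


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["subject"], "on", a["dc"], ":", ", ".join(a["rights"]))
```

Two caveats a practitioner will hit in production. Event 4662 is only generated when "Audit Directory Service Access" is enabled and the domain naming context carries a SACL that audits the replication rights; without that configuration the detection has nothing to read. And the allowlist is where false negatives come from: a legitimately privileged but compromised service account, as in the BlackSuit case, is invisible to this rule unless the allowlist is kept to the handful of identities that genuinely replicate.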
