Was state of Nevada hit by a ransomware attack? ‘Symptoms line up’
Update: State offices enter third day of closure amid cyberattack
Officials confirmed Tuesday that the state of Nevada’s computer network was targeted in a cyberattack and is under active state and federal investigation as IT staffers work to restore service.
The announcement came Tuesday evening after government offices were shut down for two days; Department of Motor Vehicles offices are closed until further notice.
Gov. Joe Lombardo’s office has said there is no evidence yet that personal information was compromised in the cyberattack. But beyond that assurance, Nevada residents and state employees remain in the dark about exactly how or when the attack occurred and its possible impact on the security of state data.
“To protect internal systems during an active criminal investigation, the State is unable to provide technical details at this point,” the governor’s office said in the memo released Tuesday evening.
‘Symptoms’ point to ransomware
Before state officials confirmed the attack, cybersecurity experts said all signs pointed toward a cyberattack.
Gregory Moody, director of the UNLV Cybersecurity Program, said the state must eventually disclose if data was breached. In accordance with state regulation, the state also must disclose what data was compromised and how it happened, he said.
“We have no idea whether it was internal, external, malicious or not,” Moody said.
It’s standard practice to shut down systems when investigating a potential threat. It’s the easiest way to investigate and fix the issue, he said.
“Imagine you’re flying an airplane and an engine blows; it’s a lot easier to fix the engine on the ground than in the air,” Moody said. “So most times when there’s a problem, whether it’s malicious or not, you’d still land the airplane, take it offline, fix it, then you put it back up in the air.”
If the state was hit with a ransomware attack, governments are prohibited from negotiating with terrorists, including digital terrorists, Moody said.
Cameron Call, chief technology officer at the Las Vegas-based cybersecurity company Blue Paladin, said the state’s “symptoms definitely line up with a ransomware attack.”
A ransomware attack uses a type of malware that blocks users from accessing their own files and systems, typically by encrypting them, and then demands a ransom in exchange for a decryption key. Security experts typically advise against paying the ransom.
There are two likely ways a ransomware attack could have occurred: either with a phishing email or “unpatched software” put on a public-facing server, Call said.
State governments usually keep detailed backup records to recover from any attack, but it takes time to ensure the hacker is no longer in the system and to figure out how and when they got into the system in the first place, Call said.
Cybersecurity attacks have increased since the start of the COVID-19 pandemic, when people began working from home and it became easier to get people to fall for social engineering schemes, Moody said.
Minnesota has experienced a recent string of cyberattacks. One on July 25 crippled the computer systems of the city of St. Paul, according to media accounts. Critical law enforcement tools, such as laptops used in traffic stops and to share case information, were knocked offline, according to news site KSTP.com.
Police said the laptops were back in service after a week.
Interlock, a ransomware group on the dark web, had taken credit for the attacks. City leaders said the ransom was not paid.
What we know
Nevada’s incident was identified Sunday morning, when the Nevada Highway Patrol and Nevada State Police dispatch phone lines went down. They have since been restored, though in-person and online services remained unavailable into Tuesday.
Las Vegas FBI Public Affairs Specialist Sandra Breault confirmed Monday that the agency was aiding the state in the investigation but could not provide more information. Breault declined to provide additional information Tuesday.
Nevada is using temporary routing and operational workarounds to maintain public access where possible, according to the governor’s office.
The cyberattack does not affect Nevadans’ home internet or mobile phone services, according to the governor’s office.
In-person services at state offices were closed for a second day Tuesday, though “critical employees” remained working, according to the governor’s office.
A representative with the public employee union AFSCME Local 4041 said critical employees generally include workers in health care, Department of Transportation, IT, payroll and other positions like those considered “essential” during the COVID-19 pandemic.
Other workers are on paid administrative leave, the representative said.
The Nevada Department of Motor Vehicles said its offices will remain closed until further notice, according to a Tuesday afternoon post on X. It said all canceled appointments during the outage will be honored as walk-ins for a two-week period following reopening.
All in-person and online transactions, as well as kiosk transactions, are unavailable, with the exception of rapid registration and turbo titles. The DMV website was restored, the department said.
The Nevada Health Authority confirmed that existing Medicaid coverage and provider payments remain fully operational, according to the governor’s office. The outage does not affect existing Medicaid recipients’ ability to access covered medical care, and they can attend all scheduled appointments as usual.
For health care providers, claims and payments for services rendered to Medicaid recipients are being processed without delay, the governor’s office said.
University Medical Center CEO Mason Van Houweling said the incident has not disrupted patient care at UMC, the state’s largest public hospital. It has, however, affected UMC’s ability to complete the temporary Medicaid eligibility process for qualifying patients, Van Houweling said.
“In some cases, this is delaying patients from being discharged to post-hospital care settings,” he said in a statement. “UMC’s team members continue to screen patients for Medicaid eligibility and will process the applications once access is restored.”
North Las Vegas police said Tuesday the network outage affected its ability to access DMV records, but it is still able to enforce observed traffic violations.
The department’s ability to check national criminal record databases also has been affected, but it is able to use databases within its own jurisdiction.
Regarding voter data, the secretary of state’s office said its website and protected data are on separate infrastructure from the affected state systems.
Staff writer Mary Hynes contributed to this report.
What you can do
The Governor's Office has warned Nevadans to avoid scams, urging them to be cautious of unsolicited calls, emails and texts that ask for personal information or payments.
Cybersecurity experts urged Nevadans to watch their financial records for unusual transactions and check to see if their email was part of a security breach at the website haveibeenpwned.com.
