Nevada completes 28-day recovery from statewide cyber incident; refuses ransom and releases After-Action Report

CONTACTSPress: Josh Meny, Press Secretary, Governor's Office - [email protected] Coordination: Elizabeth Ray, Communications Director - [email protected]: Governor's Technology Office (GTO) - [email protected]

The Governor's Technology Office (GTO) today released the 2025 Statewide Cyber Incident After-Action Report, detailing Nevada's 28-day recovery from an August ransomware attack. Guided by pre-established incident playbooks and vendor agreements, the State did not pay a ransom, restored statewide services within four weeks, and recovered approximately 90% of impacted data. The remaining items, while still in control of the State, were not required for service restoration and are undergoing risk-based review with continued monitoring; the State will take appropriate notification or remediation actions if new information emerges.

"Nevada's teams protected core services, paid our employees on time, and recovered quickly-without paying criminals," stated Governor Joe Lombardo. "This is what disciplined planning, talented public servants, and strong partnerships deliver for Nevadans."

"We executed, then communicated," stated State CIO Timothy D. Galluzi. "Our staff and agency partners worked around the clock with expert vendors to contain the threat, rebuild securely, and bring services back online in measured phases."

By the numbers

• 28 days to full service restoration across affected platforms
• ~90% of impacted data recovered; residual items under risk-based review with enhanced monitoring
• No ransom paid; response executed under cyber insurance and pre-negotiated vendor agreements
• 4,212 overtime hours by 50 State employees, at $210,599.87 direct OT wages (fully-loaded est. $259,037.84)
• $1,314,200 obligated to specialized partners (forensics, recovery, legal, engineering) to accelerate containment and rebuild

How Nevada stepped up

• Continuity of operations: Payroll processed on schedule; high-impact public safety and citizen-facing systems were restored in phased order.
• Speed and discipline: Around-the-clock State teams executed 24×7 playbooks alongside partners, enabling a 28-day full restoration-faster than many public-sector timelines for incidents of similar scope.
• Fiscal responsibility: Surge work was led by State staff. Even using conservative fully-loaded OT costs, the State avoided hundreds of thousands of dollars versus an all-contractor model-while retaining institutional knowledge and tighter change control.

Strategic vendor activation
Within hours, Nevada engaged pre-positioned experts for forensics, recovery, and legal/privacy support-including Mandiant, Microsoft DART, Dell, SHI/Palo Alto, BakerHostetler, and local engineering support from Aeris-under cyber-insurance and statewide contracts.

What's next
The AAR outlines next-phase hardening and modernization, including the pursuit of a centrally managed Security Operations Center (SOC), unified Endpoint Detection & Response (EDR), identity hardening, OS and application control, and expanded workforce training to sustain resilience against evolving threats.

Read the report:After-Action Report - 2025 Statewide Cyber Incident (PDF) -

About the Governor's Technology Office
The Governor's Technology Office (GTO) secures and modernizes statewide technology for the Executive Branch, delivering resilient, citizen-centric services through collaborative governance, disciplined project delivery, and robust cybersecurity.

###