The Governor’s Technology Office (GTO) of the State of Nevada recently released an “After Action Report” on the statewide ransomware attack that disrupted state systems for nearly one month in August 2025. The report details not only what happened but also the coordinated incident response from the GTO, vendors and law enforcement partners from local, state and federal agencies. This statewide cyber attack highlights the critical need for Privileged Access Management (PAM) to manage and secure access to highly sensitive systems and data.
What happened during the Nevada ransomware attack?
The State of Nevada first discovered the breach on August 24, 2025, when multiple virtual machines went offline, disrupting government websites, phone systems and online platforms across 60 state government agencies. Agencies such as the Nevada Health Authority had systems taken offline, requiring employees to use workarounds and revert to paper processes. Other agencies affected included the Nevada Department of Motor Vehicles, the Nevada Department of Public Safety and the Nevada Highway Patrol. The main state portal, NV.gov, and the Office of the Governor also had systems taken offline or degraded.
The breach was eventually traced back to a social engineering attack that occurred in May 2025, when a state employee searched for a system administration tool and unknowingly clicked on a malicious advertisement. By doing so, the employee downloaded malware from a spoofed website, and the malware installed a backdoor that connected to the attacker’s infrastructure, enabling unauthorized remote access. Although Symantec Endpoint Protection (SEP) detected and quarantined the malware on June 26, 2025, it was too late, and the attacker had already escalated privileges to move laterally through the state’s network.
The report states:
Between August 16 and August 24, the TA (threat actor) used RDP to move between critical servers, access multiple directories, files and servers—including the password vault server—to retrieve passwords from 26 accounts. The TA consistently cleared event logs to hide their activity.
On August 24, 2025, the attacker deleted backups of sensitive information and deployed ransomware across the state’s virtual infrastructure. The State of Nevada ultimately did not pay a ransom and was able to recover 90% of the impacted data required to restore affected services. However, in addition to overtime costs for state employees working to restore services, the state also paid over $1 million for external vendor support. The full scope of the stolen data remains under investigation. Nevada Chief Information Officer Timothy Galluzi shared in a press conference that some state data has been exfiltrated from the state’s system without authorization; however, it is unclear what type of data was stolen.
After the systems were recovered, the GTO made several changes to strengthen the state’s cybersecurity defenses. They secured the most sensitive systems first and ensured access was limited only to essential personnel. The team also reviewed system rules and permissions to prevent future unauthorized access, a crucial aspect of PAM.
How KeeperPAM could have helped limit the attack
The cybercriminals sought elevated access to the state’s network by specifically targeting IT employees, knowing they were likely to have elevated privileges. While a PAM solution would not have stopped the user from clicking a link to a spoofed website, it could have blocked the malicious tool from installing and limited the scope of the attack by preventing the attacker’s lateral movement and access to vaults and servers after the initial entry. Here are some ways KeeperPAM would have helped:
1. Containing endpoint privilege escalation
When the malware was installed on an internal workstation, it gained administrative control by bypassing local endpoint protections. This type of escalation is common when users have excessive privileges or can install unapproved software.
Keeper Endpoint Privilege Manager (EPM) enforces least-privilege access by design. Users run as standard users, and applications requiring elevated rights must be explicitly approved. Policies can block untrusted installers, restrict PowerShell and scripting abuse and enforce approval workflows for privileged actions. Combined with audit logging and alerts, security teams gain visibility into every attempted elevation request. The fake IT tool that triggered Nevada’s breach wouldn’t have been installed without approval in the first place.
2. Eliminating standing privileges
KeeperPAM eliminates the risk of standing administrative privileges. Through Just-in-Time (JIT) access, KeeperPAM ensures that administrative credentials are available only when needed and only for as long as necessary. Users operate with standard rights by default, and when they require elevated permissions, those privileges are granted temporarily and automatically expire when their required task is complete.
KeeperPAM also provides automatic credential rotation that continuously changes admin and service account passwords. Even if a cybercriminal manages to obtain credentials, they become useless within minutes. In Nevada’s case, the malicious code would not have been able to harvest or reuse cached administrator credentials to move laterally across servers.
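To make the just-in-time and rotation model concrete, here is a small simulation added for this article. It is not Keeper's code or API; it models a vault that rotates an account's password on every checkout and release, issues leases with a fixed lifetime, and lets a target system check a presented password against the current one. The account names, the 15-minute lease length and the hashed storage are assumptions made for the example. The point it demonstrates is the sentence above: a password an attacker captured during a session stops working once the lease expires.

```python
"""Just-in-time checkout with rotation on release (illustrative model).

Added example, not Keeper's implementation. The rotation connector that
pushes the new password to the target system is assumed and out of scope.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

LEASE_TTL = timedelta(minutes=15)   # assumed default lease length


@dataclass
class Lease:
    account: str
    requester: str
    password: str          # handed to the session broker, not shown to the human
    expires_at: datetime


@dataclass
class Vault:
    # account -> SHA-256 of the current password (the target system is
    # assumed to be updated in step with each rotation)
    _hashes: dict = field(default_factory=dict)
    _active: dict = field(default_factory=dict)   # account -> Lease
    audit: list = field(default_factory=list)

    def _rotate(self, account, now):
        """Replace the account's password with a fresh random one."""
        new_pw = secrets.token_urlsafe(24)
        self._hashes[account] = hashlib.sha256(new_pw.encode()).hexdigest()
        self.audit.append((now, "rotate", account))
        return new_pw

    def enroll(self, account, now):
        """Bring an account under management; its standing password is rotated away."""
        self._rotate(account, now)

    def checkout(self, account, requester, now, ttl=LEASE_TTL):
        """Grant a time-bound lease; the password is rotated at checkout."""
        lease = self._active.get(account)
        if lease is not None and lease.expires_at > now:
            raise PermissionError(f"{account} already checked out by {lease.requester}")
        pw = self._rotate(account, now)
        lease = Lease(account, requester, pw, now + ttl)
        self._active[account] = lease
        self.audit.append((now, "checkout", account, requester))
        return lease

    def release(self, account, now):
        """End the lease and rotate, so nobody holds a valid password afterwards."""
        self._active.pop(account, None)
        self._rotate(account, now)
        self.audit.append((now, "release", account))

    def expire_leases(self, now):
        for account, lease in list(self._active.items()):
            if lease.expires_at <= now:
                self.release(account, now)

    def authenticate(self, account, password, now):
        """Simulates the target system checking a presented password."""
        self.expire_leases(now)
        expected = self._hashes.get(account)
        if expected is None:
            return False
        presented = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    t0 = datetime(2025, 8, 16, 2, 0, tzinfo=timezone.utc)
    vault = Vault()
    vault.enroll("svc_admin", t0)                       # hypothetical account
    lease = vault.checkout("svc_admin", "alice", t0)    # hypothetical requester
    captured = lease.password                           # attacker dumps it mid-session
    print("works during lease:", vault.authenticate("svc_admin", captured, t0 + timedelta(minutes=5)))
    print("works after expiry:", vault.authenticate("svc_admin", captured, t0 + timedelta(minutes=16)))
```

Time is passed in explicitly rather than read from the clock so the behaviour is reproducible; in a real deployment the expiry sweep and the rotation push would run as scheduled jobs against the managed systems.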
3. Preventing lateral movement
Once attackers gain entry, their next step is almost always lateral movement: hopping from one machine to another, typically over RDP, to reach high-value targets such as domain controllers, database servers or, as in Nevada, the password vault server. KeeperPAM would have significantly limited lateral movement in the Nevada attack, because the attackers would not have been able to open direct RDP sessions between servers with the credentials they held.
Keeper Connection Manager (KCM), a core component of KeeperPAM, enforces zero-trust access to servers and databases. Rather than exposing RDP or SSH ports on the network, KCM brokers every session through a secure gateway, and credentials are injected directly from the encrypted vault. Users never see or handle the credentials, and every session is auditable and recorded. This only holds if direct RDP and SSH access to the servers is restricted at the network or host firewall so that the gateway is the only permitted source; with that in place, stolen credentials used for direct RDP or SSH lateral movement would not have produced a working connection.
4. Protecting credentials
Nearly half of all breaches involve compromised credentials. Once inside a network, attackers often harvest cached passwords, tokens or local admin credentials to move across the network. KeeperPAM has a zero-trust and zero-knowledge architecture, which means all encryption and decryption occur locally on the user’s device. Rather than simply storing credentials, Keeper isolates, encrypts, rotates and injects them in a way that makes credential theft practically impossible.
- Secrets are encrypted locally and unreadable to anyone but the user
- Credentials are never visible, stored or reused on endpoints
- Admin rights are temporary and tightly controlled
- Passwords and keys rotate automatically
- Full audit logs ensure accountability and traceability
Even if the Nevada attackers reached a password management server, they would not have been able to decrypt or export any plaintext credentials.
5. Real-time monitoring and rapid containment
KeeperPAM delivers full visibility and control over privileged activity.
- Every privileged session is recorded and logged for auditing and forensics
- Live session monitoring enables administrators to observe or terminate suspicious connections in real time
- KeeperAI can automatically analyze user activity, determining risk and terminating sessions when suspicious activity is detected
- Instant credential rotation and revocation can lock down compromised accounts with a single action
- Integration with Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platforms allows automated alerts and response workflows
Had these controls been in place, Nevada’s security team could have quickly identified the unauthorized session, rotated credentials and contained the intrusion before data exfiltration occurred, or prevented the malware download altogether with Remote Browser Isolation (RBI) and EPM.
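The report quoted above describes a pattern that a SIEM should be able to surface from ordinary Windows Security logs: one account opening RDP sessions on several servers in a short period, reaching the vault host, and then clearing event logs. The following detection logic is an added example written for this article, not code from the after-action report or from Keeper. The event records are constructed to resemble that pattern (fields modelled on Security events 4624 with logon type 10 for RDP and 1102 for audit log cleared); the host names, account names, IP addresses and thresholds are hypothetical.

```python
"""Flag RDP lateral movement, tier-0 access and log clearing in Windows event records.

Added example with constructed input; not the report's data or a vendor rule set.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON record per line, modelled on Security log
# events 4624 (logon; logon_type 10 = RemoteInteractive/RDP) and 1102
# (audit log cleared). All values are hypothetical.
SAMPLE_EVENTS = """
{"ts":"2025-08-16T02:11:05Z","host":"SRV-APP01","event_id":4624,"logon_type":10,"user":"svc_backup","src_ip":"10.10.5.23"}
{"ts":"2025-08-16T02:40:12Z","host":"SRV-DB02","event_id":4624,"logon_type":10,"user":"svc_backup","src_ip":"10.10.5.41"}
{"ts":"2025-08-17T01:05:44Z","host":"SRV-VAULT01","event_id":4624,"logon_type":10,"user":"svc_backup","src_ip":"10.10.5.42"}
{"ts":"2025-08-17T01:30:00Z","host":"SRV-VAULT01","event_id":1102,"user":"svc_backup"}
{"ts":"2025-08-17T09:00:00Z","host":"WS-HELPDESK7","event_id":4624,"logon_type":2,"user":"jdoe","src_ip":"-"}
{"ts":"2025-08-18T03:14:00Z","host":"SRV-APP01","event_id":1102,"user":"svc_backup"}
"""

TIER0_HOSTS = {"SRV-VAULT01"}        # assumed: hosts reachable only via the PAM gateway
RDP_HOP_THRESHOLD = 3                # distinct servers one account reaches over RDP
RDP_HOP_WINDOW = timedelta(hours=72)
CLEAR_AFTER_RDP_WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of findings; each is a dict with a 'rule' key."""
    findings = []
    rdp_by_user = defaultdict(list)   # user -> [(ts, host)] in time order
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 10:
            rdp_by_user[e["user"]].append((e["ts"], e["host"]))
            if e["host"] in TIER0_HOSTS:
                findings.append({"rule": "rdp_to_tier0", "user": e["user"],
                                 "host": e["host"], "ts": e["ts"]})
        elif e["event_id"] == 1102:
            # Log clearing is always worth an alert; it is worse when it follows
            # an RDP logon by the same account on the same host.
            recent = [ts for ts, h in rdp_by_user[e["user"]]
                      if h == e["host"] and e["ts"] - ts <= CLEAR_AFTER_RDP_WINDOW]
            findings.append({"rule": "audit_log_cleared", "user": e["user"],
                             "host": e["host"], "ts": e["ts"], "after_rdp": bool(recent)})
    # Sliding window: one account reaching N distinct servers over RDP within the window.
    for user, logons in rdp_by_user.items():
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= RDP_HOP_WINDOW}
            if len(hosts) >= RDP_HOP_THRESHOLD:
                findings.append({"rule": "rdp_lateral_movement", "user": user,
                                 "hosts": sorted(hosts), "start": start})
                break
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f)
```

The same three rules map onto the controls listed above: with sessions brokered through a gateway, a direct RDP logon to a tier-0 host is itself the anomaly, and the `after_rdp` flag on a log-clearing event is the kind of signal a SOAR playbook would use to terminate the session and trigger rotation.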
FedRAMP and GovRAMP Authorized for the public sector
Keeper Security Government Cloud (KSGC) is the version of KeeperPAM hosted in Amazon Web Services (AWS) GovCloud, which meets FedRAMP security and compliance requirements. AWS GovCloud is designed to host sensitive data and regulated workloads, supporting strict U.S. government compliance standards.
With KSGC, government agencies get a scalable, zero-trust PAM solution that continuously verifies every access attempt, regardless of location or device. Role-Based Access Controls (RBAC) and real-time monitoring enforce least privilege and deliver full visibility across all privileged activity.
Ready to learn more about how Keeper can help your organization protect against ransomware and meet zero-trust requirements? Request a demo of KSGC today.