
TOP STORY
Dec 4, 2025
Board-level cyber risks requiring oversight: Lessons from the State of Nevada’s ransomware incident, AI-orchestrated espionage, insider leaks mimicking breaches, and logistics hacks enabling real-world theft.
The Director’s Cut: Lessons from Nevada’s Ransomware Incident
The State of Nevada's post-breach report offers a compact playbook for limiting ransomware damage and a warning that attackers often dwell for months. The breach began in mid-May when an employee unknowingly downloaded a network administration tool containing malware from an untrusted website. The malware bypassed defenses and created a backdoor. By late August, the attacker had moved through the network and deployed ransomware that locked systems.
The impact was broad. Sixty state agencies were affected, including health, motor vehicles, and public safety, with service disruptions lasting weeks. The attacker stole account credentials, accessed more than 26,000 files, and cleared logs to hide activity. Despite this, the State restored services in 28 days and recovered about 90% of impacted data, all without paying a ransom.
The preparations made by the CIO and his team mattered. A rehearsed incident response plan set the rhythm for decisions and communications, while pre-contracted partners mobilized quickly. Isolation steps curbed the attacker's movement in the short term, and in the following weeks the State tightened essentials: stricter oversight of privileged accounts, stronger password protections, and controls that limited an intruder's ability to move within the network.
The State had $7 million in cyber insurance protection, which more than covered the direct response costs of $1.3 million. Paying a ransom, on top of the response and recovery work that would still have followed, would likely have proven more expensive; insurance is no replacement for readiness. Publishing lessons learned, as the State of Nevada chose to do, also helps peers close similar gaps.
Questions Directors Should Ask Management:
- How do we actively detect early signs of intruders, and what metrics demonstrate timely alerting, triage, and containment before an incident escalates?
- When was our incident response plan last rehearsed end to end? How often are processes for restoring data from offline backups tested? Do we have prearranged external legal and investigative response support?
- What controls actively limit our blast radius, and how do we test and verify their effectiveness under realistic attack scenarios?
On the Radar
Attackers Scale Espionage Operations with AI
Anthropic, maker of Claude AI, reported detecting and disrupting an AI-orchestrated espionage campaign in mid-September against about 30 organizations, according to BBC News. Operators posed as cybersecurity workers and used Claude to run small automated tasks that, combined, enabled reconnaissance, exploitation, data extraction, and triage. Researchers said they have high confidence the activity was linked to a Chinese state-sponsored group.
Targets reportedly included tech firms, financial institutions, chemical manufacturers, and government agencies. According to Anthropic, attackers used Claude's coding assistance to build a program that could autonomously compromise chosen targets with limited human oversight, then sort through stolen data. Anthropic blocked the accounts and notified affected companies and law enforcement. This activity is likely only the tip of the iceberg in terms of AI-fueled attacks, and boards should anticipate significant growth in this type of activity.
Question Directors Should Ask Management:
- Are we deploying AI-driven defenses to counter AI-enabled attacks?
Insider Threats: When Leaks Mimic Breaches
Security Week reports that an insider at CrowdStrike was terminated after sharing screenshots of internal dashboards with a criminal group, which then falsely claimed it had breached the company's systems and shared images online. The hackers claimed they paid $25,000 to the CrowdStrike insider for access to the company's systems. However, CrowdStrike stated its systems were not compromised, customers remained protected, and the case was referred to law enforcement. It is unclear whether the insider was an employee, contractor, or third-party consultant.
Insider-enabled leaks can fabricate the appearance of compromise, trigger market confusion, and hand useful operational detail to adversaries. Insider risk controls should measurably limit what any one user can see, capture, and exfiltrate, and directors should be clear on whether strong contractor governance, rapid offboarding, controls that restrict screenshots and data egress, and zero trust architecture are in place.
Question Directors Should Ask Management:
- Does management have processes to validate claims of hacks quickly with communications plans to prevent rumor-driven damage?
Infosecurity Magazine reports researchers from Proofpoint found hackers targeting North American trucking and logistics firms and feeding information to organized crime for real-world cargo theft. The playbook is simple: criminals use fake or compromised freight listings and hijack existing email conversations to trick staff into clicking links and installing remote access software. That gives them a window into company systems. From there, they map operations and steal passwords, then share insights such as valuable loads, pickup times, routes, and contacts. Proofpoint saw nearly two dozen such campaigns in September 2025.
This research illustrates that cybercrime does not always stay in the digital realm. Shipment schedules, routing data, and warehouse details can enable theft, fraud, and safety incidents, and disrupt the supply chain. The usual controls for cyber risk reduction apply: detect misuse of remote access tools, require multifactor authentication, tighten supplier access, and limit who can view sensitive logistics data. Directors should also be aware that hackers often have an intimate understanding of how industries operate and use it to their advantage.
Question Directors Should Ask Management:
- How do we identify and limit access to operational data that could cause real-world harm if stolen or misused, and how do we detect and stop remote access abuse across our organization and suppliers?
***
Zscaler is a proud partner of NACD's Northern California and Research Triangle chapters. We are here as a resource for directors to answer questions about cybersecurity or AI risks, and are happy to arrange dedicated board briefings. Please email Rob Sloan ([email protected]), VP Cybersecurity Advocacy at Zscaler, to learn more.
