By NHI Mgmt Group Editorial Team
Published 2025-11-18
Domain: Governance & Risk
Source: Keeper Security

TL;DR: Nevada’s statewide ransomware attack spread from a social engineering click to privileged credential theft, lateral movement through RDP, backup deletion, and service disruption across 60 agencies, according to Keeper Security and Nevada’s after-action reporting. The case shows that PAM is not a bolt-on control; it is the boundary that determines whether one compromised endpoint becomes a statewide outage.


At a glance

What this is: This is an analysis of Nevada’s 2025 statewide ransomware incident and how privileged access gaps enabled escalation, lateral movement, and backup destruction.

Why it matters: IAM, PAM, and NHI teams all need the same lesson: once privileged credentials are exposed, recovery cost and blast radius rise fast across human, machine, and administrative access.

By the numbers:

👉 Read Keeper Security’s analysis of the Nevada ransomware incident and PAM controls


Context

Privileged access management is the discipline that limits who can reach high-value systems, when they can reach them, and what they can do once inside. In the Nevada incident, the security failure was not a single malicious click but the absence of effective privilege boundaries after the attacker gained an initial foothold.

For public sector environments, the lesson extends beyond one ransomware event. Human access, admin tooling, vault access, and server administration all sit on the same control plane when privileges are standing, over-broad, or easy to reuse. That makes PAM a resilience control, not just an access control.


Key questions

Q: What breaks when privileged access is too broad in a ransomware attack?

A: Broad privileged access turns a single endpoint compromise into cross-server movement, credential harvesting, and recovery disruption. Attackers can reach vaults, backups, and administration tools from the same trust zone, which makes containment slow and expensive. The practical fix is to shrink session reach and remove standing privilege before an incident tests it.

Q: Why do standing admin rights increase ransomware impact in public sector networks?

A: Standing admin rights let attackers reuse a live trust relationship after the first compromise. Once credentials are harvested or a session is hijacked, the attacker can move laterally, disable logs, and damage backups without needing a new exploit. That is why privilege duration and scope matter as much as authentication strength.

Q: How do security teams know whether PAM is actually reducing blast radius?

A: Look for evidence that privileged users cannot reach critical systems directly, that elevation expires automatically, and that every admin session is recorded. If one compromised workstation can still touch vaults, backup infrastructure, and multiple servers, the blast radius has not been reduced enough. Measure reach, not just policy coverage.

Q: Who is accountable when ransomware reaches backup and vault infrastructure?

A: Accountability sits with the teams that govern privileged access, recovery architecture, and administrative segmentation, not only with endpoint security owners. If backup deletion or vault access was possible from a compromised admin path, the governance model failed to separate control planes. That is a PAM and resilience issue, not just an endpoint issue.


Technical breakdown

Social engineering entry into an admin workstation

The initial access path began with a malicious advertisement that led a state employee to a spoofed website and malware download. That matters because the compromise did not require a novel exploit, only a trusted user looking for an administration tool and encountering an impersonation site. Once malware landed on the workstation, the attacker established a backdoor for remote control. The real weakness was the ability of that endpoint to become a staging point for privileged operations.

Practical implication: restrict software installation and browser-driven downloads on privileged workstations with endpoint privilege controls and application allowlisting.

Credential theft and privilege escalation through standing access

After initial access, the attacker escalated privileges and later harvested passwords from 26 accounts, including access to the password vault server. This is the classic failure mode of standing privilege: once a session or endpoint is compromised, cached or reusable credentials can be harvested and repurposed. In environments where admin rights persist, compromise on one system becomes identity compromise across many systems. The vault is not the control if its own access paths are overexposed.

Practical implication: remove standing admin rights, isolate vault access, and rotate privileged credentials so reused passwords lose value quickly.

RDP lateral movement and backup destruction

Between August 16 and August 24, the threat actor used RDP to move between critical servers, cleared logs to hide activity, deleted backups, and deployed ransomware across the virtual infrastructure. That sequence shows how weak session controls and broad server reach turn credential abuse into full operational impact. RDP was the bridge from access to enterprise-wide damage, and the backup deletion made restoration slower and more expensive.

Practical implication: broker privileged sessions through controlled gateways, record administrative activity, and segment backup systems away from general server administration paths.


Threat narrative

Attacker objective: The attacker aimed to convert one compromised endpoint into broad privileged access, then disable recovery paths and force statewide operational disruption.

  1. Entry occurred when a state employee clicked a malicious ad and downloaded malware from a spoofed website, giving the attacker a backdoor into the environment.
  2. Escalation followed when the attacker gained higher privileges, harvested passwords from 26 accounts, and reached the password vault server and other critical systems.
  3. Impact came when the attacker cleared logs, deleted backups, and deployed ransomware across the state’s virtual infrastructure, disrupting services statewide.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Standing privileged access was the assumption that failed here. The Nevada attack shows what happens when privileged accounts are available long enough to be harvested, reused, and abused after initial compromise. Once the attacker reached the password vault server and 26 accounts, the environment no longer had an effective boundary between workstation compromise and administrative control. The implication is that privilege persistence, not just malware entry, is the governance failure public sector teams must design around.

Privileged access management becomes a resilience control when ransomware targets the admin plane. The report’s sequence, from social engineering to RDP movement to backup deletion, shows that operational continuity depends on limiting what a compromised operator session can reach. This aligns with OWASP NHI and NIST CSF thinking on access scope and containment, even though the subject here is human admin access rather than service identities. Practitioners should treat privileged session control as a ransomware containment layer.

Vaults do not solve exposure if their own access model is too open. Nevada’s attackers were able to reach a password vault server and retrieve credentials, which means the security model around the vault was weaker than the trust placed in it. That is a classic identity governance error: protecting secrets at rest while leaving the administrative path to those secrets overprivileged. The lesson is to govern the route to the vault as tightly as the secrets inside it.

Identity blast radius is the right concept for this class of incident. The damage was not determined by one compromised account alone, but by how far that account could travel once privilege and session controls failed. In public sector networks, blast radius grows quickly when admins can reach many servers, backups, and vaults from the same trust zone. Practitioners should measure how many critical assets one privileged session can touch before containment triggers.

Access reviews are not enough when the dangerous state is dynamic and session-based. The Nevada case involved live abuse, lateral movement, and rapid log tampering, which means periodic recertification would not have stopped the attack path. What matters is whether the programme can constrain, monitor, and revoke administrative reach in session, not merely attest to entitlement on paper. That shifts PAM from governance documentation to active control.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • For a broader control lens, see Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs for how lifecycle discipline changes privilege exposure over time.

What this signals

Public sector ransomware now tests whether identity programmes can actually contain administrative reach, not just authenticate users. The governance gap is often not visibility but the ability of a single privileged session to traverse too many systems before containment kicks in.

Identity blast radius: the more systems a privileged account can touch from a single control zone, the more a ransomware crew can convert one compromise into recovery failure. Teams should assess reach to vaults, backups, and remote administration paths as a first-class risk metric.

For practitioners, the next step is to map administrative trust zones against recovery dependencies. If a compromised admin path can delete backups or access secrets, the programme needs segmentation and session control before the next incident proves the point.
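The reach metric described above can be computed directly from an inventory of which hosts an authenticated session may open a privileged connection to. The following is an added illustration, not code from the original post or from Keeper Security: it uses a small constructed topology (hostnames are invented) and shows how brokering RDP through a gateway and segmenting the backup path shrinks the set of critical assets one compromised admin session can touch.

```python
from collections import deque

# Constructed example topology (not Nevada's real network). An edge A -> B
# means "a privileged session on A can open an admin connection to B".
CRITICAL = {"vault", "backup-repo", "hypervisor"}

# Flat model: the admin workstation and the app servers all sit in one trust zone.
FLAT_NETWORK = {
    "admin-workstation": ["app-server-1", "app-server-2", "vault", "backup-repo"],
    "app-server-1": ["app-server-2", "hypervisor"],
    "app-server-2": ["app-server-1", "vault"],
    "vault": [],
    "backup-repo": [],
    "hypervisor": ["backup-repo"],
}

# Same assets after brokering: the workstation reaches only the PAM gateway,
# the gateway reaches app servers and the hypervisor, the vault has no inbound
# admin path, and the backup repository is managed from its own isolated host.
BROKERED_NETWORK = {
    "admin-workstation": ["pam-gateway"],
    "pam-gateway": ["app-server-1", "app-server-2", "hypervisor"],
    "app-server-1": [],
    "app-server-2": [],
    "hypervisor": [],
    "vault": [],
    "backup-admin-host": ["backup-repo"],
    "backup-repo": [],
}


def reachable(graph, start):
    """All hosts a session starting on `start` can hop to (BFS transitive closure)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(graph, start, critical=CRITICAL):
    """Critical assets one compromised session on `start` reaches without a new exploit."""
    return reachable(graph, start) & critical


if __name__ == "__main__":
    for label, graph in (("flat", FLAT_NETWORK), ("brokered", BROKERED_NETWORK)):
        print(label, sorted(blast_radius(graph, "admin-workstation")))
```

Running the script prints the reachable critical set for both models; the brokered model still exposes the hypervisor via the gateway, which is exactly the kind of residual reach the metric is meant to surface.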


For practitioners

  • Remove standing administrative privilege from all operator accounts: Grant elevation only for approved tasks and expire it automatically when the task ends. Prioritise accounts that can reach vaults, domain controllers, backup systems, and remote administration tools.
  • Broker RDP and SSH through a controlled session layer: Stop exposing direct remote administration paths across the environment. Force privileged connections through a gateway that records sessions, injects credentials, and limits where a session can go.
  • Segment backup systems from routine administrative access: Treat backup servers and backup repositories as recovery assets, not normal admin targets. Separate credentials, isolate management paths, and test that a compromised server admin cannot delete restore points.
  • Restrict software installation on privileged workstations: Block unapproved installers, malicious ads, and script abuse on endpoints used by administrators. Combine application control with local privilege management so one click does not become a persistent backdoor.
  • Monitor for credential harvesting and log clearing together: Alert on vault access, bulk authentication events, remote administration, and event log deletion in the same session. That combination is a stronger indicator of ransomware staging than any one signal alone.
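The last item, alerting on the combination rather than on any one signal, is shown below as an added example that is not part of the original post. It assumes a normalised event feed with `user`, `kind` and `target` fields (an assumption; field names are invented), treats "same session" as one user within a one-hour window, and runs over constructed sample events rather than real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Nevada telemetry). `kind` values are assumed
# normalised by the SIEM: vault_access, auth, rdp, log_cleared (e.g. Windows 1102).
EVENTS = [
    {"ts": "2025-08-16T02:10:00", "user": "svc-admin", "kind": "vault_access", "target": "vault01"},
    {"ts": "2025-08-16T02:30:00", "user": "svc-admin", "kind": "rdp", "target": "srv07"},
    {"ts": "2025-08-16T02:41:00", "user": "svc-admin", "kind": "log_cleared", "target": "srv07"},
    {"ts": "2025-08-16T09:00:00", "user": "jdoe", "kind": "rdp", "target": "srv02"},
    {"ts": "2025-08-16T09:05:00", "user": "jdoe", "kind": "auth", "target": "srv02"},
]
# Bulk authentication burst: svc-admin authenticates to twelve different servers in minutes.
EVENTS += [
    {"ts": f"2025-08-16T02:{13 + i:02d}:00", "user": "svc-admin", "kind": "auth", "target": f"srv{i:02d}"}
    for i in range(12)
]

WINDOW = timedelta(hours=1)       # proxy for "same session"
BULK_AUTH_TARGETS = 10            # distinct hosts that count as harvesting-style bulk auth


def staging_alerts(events, window=WINDOW, bulk=BULK_AUTH_TARGETS):
    """Flag users whose activity inside one sliding window combines all four signals:
    vault access, bulk authentication, remote administration and log clearing."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e))
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda pair: pair[0])
        for i, (t0, _) in enumerate(evs):
            win = [e for t, e in evs[i:] if t - t0 <= window]
            kinds = {e["kind"] for e in win}
            auth_targets = {e["target"] for e in win if e["kind"] == "auth"}
            signals = {
                "vault_access": "vault_access" in kinds,
                "bulk_auth": len(auth_targets) >= bulk,
                "remote_admin": "rdp" in kinds,
                "log_cleared": "log_cleared" in kinds,
            }
            if all(signals.values()):
                alerts.append({"user": user, "window_start": t0.isoformat(), "signals": signals})
                break  # one alert per user is enough to open an incident
    return alerts


if __name__ == "__main__":
    for alert in staging_alerts(EVENTS):
        print(alert)
```

Tune `WINDOW` and `BULK_AUTH_TARGETS` to the environment; a real deployment would key on a session or logon ID where the telemetry provides one instead of on the user name.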

Key takeaways

  • Nevada’s ransomware case shows that a single social engineering click can become statewide disruption when privileged access is too broad.
  • The evidence points to privilege escalation, credential harvesting, log clearing, and backup destruction as the control failures that mattered most.
  • PAM that limits session reach, removes standing rights, and isolates recovery systems is the control most likely to reduce impact.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and standing privilege failures are central to the incident.
NIST CSF 2.0 | PR.AC-4 | Access permissions and segmentation were key failure points in the attack chain.
NIST Zero Trust (SP 800-207) | AC-4 | The attack exploited overly trusted administrative pathways across the network.

Broker admin sessions and limit lateral movement by removing direct trust between privileged endpoints and servers.


Key terms

  • Privileged Access Management: Privileged Access Management is the discipline for controlling elevated access to systems, data, and administrative tools. It reduces the chance that a compromised user or device can move into high-value infrastructure, and it adds session control, credential rotation, and auditability around the most sensitive actions.
  • Standing Privilege: Standing privilege is persistent elevated access that remains available until someone removes it. In practice, it gives attackers a larger window to reuse or abuse credentials after compromise, which is why temporary elevation is a stronger control model for both humans and non-human identities.
  • Identity Blast Radius: Identity blast radius is the amount of damage one compromised identity can cause before containment. It depends on how many systems, secrets, and administrative paths the identity can reach. Smaller blast radius comes from tighter scoping, shorter access duration, and stronger session controls.
  • Privileged Session Brokering: Privileged session brokering routes administrative access through a controlled gateway instead of exposing servers directly. It lets security teams inject credentials, record activity, and restrict lateral movement. This is especially useful when remote administration would otherwise become an easy path for ransomware.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Keeper Security covering the Nevada ransomware attack: Nevada’s ransomware wake-up call and the case for privileged access management. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org