Nevada suffered a ransomware attack in August 2025 that caused a significant disruption in services. The attackers deleted the state’s backups, encrypted virtual machines, and deployed ransomware that affected 60 state agencies, including the Departments of Health and Human Services, Public Safety, and Motor Vehicles.
Despite the significance of the attack, Nevada refused to pay the ransom and recovered 90% of its data within 28 days of the attack, a remarkable result attributed to the 4,200 hours of overtime logged by state employees.
The incident is reported to have been caused by one employee who “unknowingly downloaded malware from a spoofed website” some time in May 2025. The incident was discovered in August 2025. The employee “downloaded ‘a malware-laced system administration tool’ twice from a fraudulent website that had made itself visible through a search engine optimization poisoning campaign, in which the website enjoyed a higher-than-usual ranking in search results. The fake website’s seeming authenticity was also boosted…by the threat actor’s use of legitimate Google ads.”
The threat actor was able to “configure a backdoor…to use to access state systems each time the associated user logged on.” The attacker then installed remote monitoring software, including keyloggers and screen-capture software, to compromise the accounts of standard and privileged users. The threat actor then used Remote Desktop Protocol to move across the systems, “accessing sensitive directories and even the password vault server.”
The threat actor obtained the credentials of 26 accounts and accessed over 26,000 files, “exposing more than 3,200 files.” One document contained sensitive personal information.
Despite the herculean efforts of state employees to respond to the incident and recover 90% of the data, the attack was “highly disruptive” to the state’s operations, and cost it at least $1.3 million, not including further investments in its cybersecurity posture.
All this from one employee’s click on a malicious website…which is the point of this post. Threat actors put fake websites on the internet daily to trick users into visiting them, with the goal of attacking the systems of the user’s employer, in this case the state of Nevada. It can be very difficult to identify a malicious website, and one user can cause a very disruptive and expensive incident. It is important to remain vigilant and cautious when clicking on websites, even if they appear in a Google or other search engine result. Just because a site appears in search results doesn’t mean it is legitimate.
Here is a great article to assist with detecting malicious websites that is worth the read. The tips may assist in preventing future attacks.