LAS VEGAS (KTNV) — Nevada is now in its seventh day under a ransomware attack that has paralyzed large portions of state government services.
The attack, first detected Sunday, August 24, 2025, has forced the shutdown of DMV branches, state agency websites, and phone lines, leaving Nevadans unable to access many essential services.
WATCH | Cybersecurity expert answers your questions on the statewide shutdown
Federal agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), are assisting Nevada in its recovery efforts as investigators work to determine who is responsible and how far the damage extends.
A first-of-its-kind attack
While ransomware attacks on individual government agencies are increasingly common, cybersecurity experts note that this is one of the first documented cases of a cyberattack effectively crippling nearly an entire U.S. state government.
Past incidents in places like Kansas and Colorado targeted single departments or local jurisdictions, but Nevada’s shutdown has stretched across multiple agencies, disrupting nearly all digital operations.
RELATED: Gov. Lombardo announces resources for Nevadans impacted by statewide cyberattack
“This would appear to be the first of its type done against a state,” said Dr. Gregory Moody, Lee Professor of Information Systems at UNLV’s College of Business and director of its Graduate Cybersecurity program. “So yay us, we get to be guinea pigs.”
Data theft and Nevada’s PII Law
Officials have confirmed that some data was exfiltrated by the attackers, but it remains unclear what was taken. Nevada law defines “personal information” narrowly: to qualify as a data breach, the stolen data must include a first name or initial paired with another identifier in unencrypted form, such as:
- Social Security number
- Driver’s license or state ID number
- Account or card number with security code
- Medical or health insurance ID number
- Username or email address with password/access code
Excluded are items like the last four digits of SSNs or information already public in government records.
RELATED: Answering your questions about the impact of the Nevada cyberattack
“It has to be the first name paired with another point of data and they have to all be unencrypted,” Moody explained.
This narrow definition may complicate breach notifications — but given the scale, experts warn lawsuits are still inevitable.
Large-scale ransomware attacks almost always trigger class-action lawsuits, and Moody predicts Nevada will be no exception.
“Whenever something of this size happens with this many people, there is going to be a class action lawsuit and several other suits that happen,” he said.
But bringing perpetrators to justice may be far harder. Many ransomware groups operate from countries where U.S. extradition treaties do not apply or where digital crimes are not recognized under local law.
“If you’re an attacker and you want to do this, there’s plenty of jurisdictions in the world where the U.S. cannot extradite anyone … or the country does not recognize digital crime as prosecutable,” Moody said.