What Do Ransomware Attacks Truly Cost?


Editor’s Note: This article appears in Governing’s Q2 2026 Magazine.

It didn’t seem like an emergency at first. Some of the machines at Nevada’s data center weren’t responding. These were important machines — they supported the private cloud environments used by many executive branch agencies — but a network outage “is not too uncommon for us,” says state CIO Tim Galluzi.

As the IT operations team investigated, however, it became clear that the problem ran deeper. They soon discovered that someone — or some software — had scrambled the data on the machines, making it unusable. This spelled disaster for a number of crucial government operations.


The IT team jumped into action, immediately enacting a response plan for this type of hack. An extortion note revealed the scope of the issue: Nevada’s state government had been hit with ransomware. This malicious software had encrypted, or scrambled, important data, downing systems used by a vast number of agencies. The attacker was demanding payment to make the data readable again (the state did not reveal how much ransom the hackers demanded).

The August 2025 attack affected more than 60 state agencies and would ultimately disrupt systems for 28 days. The ransomware actor accessed several critical servers, stole passwords to 26 accounts, accessed 26,000 files and deleted state backups.

Not only did the encryption disrupt services, but IT teams were also forced to shut down some systems so the malware couldn’t spread further. Veterans’ homes couldn’t use electronic medical charting; firearms purchases stalled when the state couldn’t access a system used to run background checks; and the Department of Motor Vehicles offices closed. Residents already enrolled in social safety net programs reportedly got benefits on time, but new applicants faced delays as the incident downed eligibility systems for the Supplemental Nutrition Assistance Program, Medicaid, crime victim support and other services.

The episode was a good example of just how costly ransomware attacks can be for state and local governments. The actual ransom — which some governments choose to pay — is only a slice of the expenses. Ransomware can prevent victims from accessing data, files or even entire computers, with attackers demanding money in exchange for explaining how to regain access, and sometimes, also in exchange for not publishing any data they’ve stolen. Revenue is lost every day that systems are offline, and staff is often forced to work overtime to switch everything to manual processes. Once the data is back, governments still need to ensure that their systems are truly malware-free and that their security is strengthened so they aren’t hit again, which could involve paying for consulting, new equipment and software. They also have to contend with the possibility that a hacker could leak any data they managed to steal.

This won’t be the last time a government suffers a major ransomware attack.

“By the numbers, a ransomware incident is the disaster that we are most likely to have,” says Rick Vanover, vice president of product strategy at data security company Veeam. “It’s more likely than earthquake, fire, flood, blood [or] hurricane.”

Cyber extortionists see schools, health-care and water systems as particularly valuable targets. Citizens depend on these services always being available, creating pressure to pay up, says Randy Rose, vice president of security operations and intelligence at the Center for Internet Security. The ransomware group that hit Atlanta in 2018, known as SamSam, has a reputation for selecting targets with the funds, and pressure, to give in to high ransom demands. (Cybersecurity professionals generally recommend against paying ransoms, but have often stopped short of calling for a national ban on paying.)

Attackers don’t always target a government directly. Many state, local and K-12 victims have been hit when hackers compromised a widely used third party to steal data about its government customers.

Nevada became compromised in May 2025, when an employee clicked on a spoofed website, a fake site created by hackers to mimic a real site. The employee downloaded a software tool that secretly contained malware, and, once it was on state systems, the tool installed a secret entry point that would allow the hacker to get onto state systems. (Among other steps, the state is now putting tighter limits around what tools employees can download.)

Ransomware actors can use complicated methods to hack victims, but they often don’t have to. Many governments still lack basic cyber hygiene, which means attackers can find easy ways in.

“Frustratingly — or maybe in ways that make clear that we still need to do more work — a lot of the methods for threat actors to get into systems and enable ransomware are the same as we’ve seen before,” says Michael Klein, senior director for preparedness and response at the Institute for Security and Technology. “There are more stealthy ways that people get in, but the vast majority of situations we see are those kinds of basic cyber hygiene challenges.”

An organization may simply fail to update and patch software, allowing hackers to find vulnerabilities and exploit them. That seems to be what happened to Baltimore in 2019, when the city suffered what analysts theorized was an opportunistic ransomware attack, launched by hackers scanning online systems for any ways in.

It’s also common for cyber attackers to obtain valid username and password combinations and simply log in to an organization’s network and devices. There are many ways this might happen: An employee could unwittingly install a malicious browser extension, which could then capture login information. Spoofed websites can also trick people into entering their logins, which are then stolen by the site. Employees sometimes reuse the same password both for official government accounts and personal accounts; if those latter details are exposed in a private company breach, hackers can use the passwords to access government systems.


“Oftentimes people are not even hacking in; they’re just logging in,” Klein says.

In 2018, Atlanta suffered a major breach when hackers forced their way into the city’s network, using an algorithm to automatically try different passwords until they hit on one that worked. As a result of the attack, many city computers couldn’t turn on for five days. Residents couldn’t pay tickets in person or online and couldn’t go online to pay water bills or business license fees. The municipal court had to process roughly 20,000 cases by hand and police had to handwrite incident reports. The city rejected the hacker’s demand for $50,000 worth of bitcoin, but recovery went on to cost the city $17 million.

Whether or not governments pay extortion, the ransom is sometimes the cheapest part of the ransomware attack. Far more expensive are the revenue lost while permitting systems are down, consultant fees, equipment replacement and employee overtime.

Riviera Beach, Fla., for example, paid $600,000 to ransomware actors in 2019, then another $1 million to replace computers and hardware. Baltimore, which faced a $76,000 ransom demand in 2019, spent $10 million to recover and saw roughly $8 million of revenue lost or delayed due to payment processing systems being down.

In Nevada in 2025, recovery teams worked 18- to 20-hour days. Fifty employees working nights, weekends and holidays logged a collective 4,200 hours of overtime. Fully loaded overtime costs totaled $259,000 — but that was still cheaper than outsourcing to consultants would have been. Additionally, the state paid $1.3 million for vendor help. The average state and local government cost of recovering from a ransomware incident in 2024 was $2.83 million.

Small local governments often take cyber seriously but may not have the money, training, staff or time in the day to do everything they’re supposed to (creating several backup copies of their data, for example).

“We don’t expect every town in America to stand up their own army to defend against Russia or China,” Klein says. “In the same way, we shouldn’t expect every county government to stand up its own cyber defense team to protect against professional criminal organizations operating from Eastern Europe.”

Federal support has dwindled. The White House cut the funding that had allowed a cybersecurity organization to offer free services and threat intelligence to help state and local governments defend themselves. Without that funding, the organization — the Multi-State Information Sharing and Analysis Center — has had to start charging membership fees. Nevada, for one, halted its membership thanks to the new costs.

The federal Cybersecurity and Infrastructure Security Agency (CISA) helps state and local officials prepare and defend against cyber threats, but is doing so at a reduced capacity in President Donald Trump’s second term. CISA lost roughly a third of its workforce in the first half of 2025. More recent budget proposals would make significant funding and personnel cuts, including fully ending CISA’s election security work and reducing the ranks of field advisers who help local governments improve defenses.

States have been looking to help local partners.

For South Dakota, that has meant equipping a team of cybersecurity experts from Dakota State University’s cyber labs with $7 million and a mandate to use that money by 2028 to help local governments upgrade defenses. The initiative — SecureSD — is a partnership between the university and attorney general’s office and is focused on cybersecurity training, email and data security, and finding and fixing vulnerabilities. About one-and-a-half years in, the program has helped 84 percent of the state’s counties and about 20 percent of the cities.

Local governments that opt to participate undergo assessments of their system vulnerabilities and cybersecurity practices. A major focus is helping local governments switch from commercial email accounts to .gov accounts, which are hosted in more secure government cloud environments. “A lot of our sheriffs and our police departments were sending evidence or case materials through Gmail and Hotmail, Yahoo and personal accounts,” says Mike Waldner, director of SecureSD.

The secure email system has features such as multifactor authentication and phishing tests. And it’s not just for email — SecureSD is helping local governments move all their data into the secure government cloud environment.

Several states have also been looking to help find, and respond to, cyber threats to local governments. After a 2019 ransomware incident hit 23 local governments simultaneously, Texas launched a regional Security Operations Center (SOC) pilot. The state opened its first regional SOC at a public university in 2023, with plans to eventually open one in each of the state’s 12 regions.

These centers offer 24/7 monitoring of digital infrastructure, seeking signs of a hack. If there’s an issue, the SOCs help respond. The services are free for local governments — they’re meant to help those struggling with old infrastructure, tight budgets and lack of security personnel. The SOC’s reach has grown from serving three local governments in May 2023 to serving over 100 “municipal cybersecurity clients” by February 2026. By that date, the university reported its SOC analysts were protecting roughly 40,000 computers and 75,000 networked devices.

Nevada recently followed suit. After the massive ransomware attack, Nevada’s Legislature unanimously approved a bill to create a statewide SOC. The SOC will monitor network traffic across state, county and municipal agencies.

And that’s not the only statewide approach Nevada is eyeing. It’s hoping to create its own statewide Information Sharing and Analysis Center to share threat intelligence and security tools with municipal partners.

Overall, better defense takes a whole-of-state approach, Galluzi says: “We can do so much more when we talk whole-of-state.”


