The State of Nevada proves its cyber resilience with ransomware recovery in just 28 days

CIO Timothy Galluzi credits practiced incident response and trusted partners for fast recovery

With more than 3 million residents and a further 50 million visitors each year, the State of Nevada delivers services at a scale that demands resilience. But a complex federated IT structure, with a mix of IT maturity and capabilities across agencies, can complicate centralized security and recovery planning. In 2025, that reality was put to the test in one of the most serious cyber incidents ever to strike a US state government.

Timothy Galluzi, Executive Director & State Chief Information Officer, has spent roughly 25 years across IT and information security roles, including early experience in the Marine Corps. Leading statewide IT services and cybersecurity, he has focused on strengthening resilience through both technical modernization and governance alignment – the kind of preparation that proved critical when a ransomware incident hit in August 2025.

Training for the worst day before it happens

Prior to the incident, Galluzi had taken steps to ensure that IT could act as one team in a crisis – with shared expectations, clear decision paths, and responses that had been pressure-tested through tabletop exercises. That included tightening playbooks, practicing cross-functional coordination, and aligning on what would matter most if services went down.

Nevada’s relationship with global IT research and advisory firm Info-Tech Research Group played an important part in that preparation. The State had recently partnered with Info-Tech to review and refresh its incident response documentation so that roles, escalation paths, and recovery steps were current and actionable. Galluzi recapped, “Earlier in 2025, we wrapped up an engagement with Info-Tech to update all of our incident response playbooks. The timing was pretty good as far as refreshing all those documents.”

“Earlier in 2025, we wrapped up an engagement with Info-Tech to update all of our incident response playbooks. The timing was pretty good as far as refreshing all those documents.”

– Timothy Galluzi, Executive Director & State Chief Information Officer, State of Nevada

When the hypothetical becomes reality

While there is a clear distinction between readiness and reality, the team’s preparedness helped them move quickly when that first call came from IT operations. Galluzi recalled the moment: “When the chief of your computing services division calls you and says, ‘Hey boss, it’s ransomware,’ that call is an absolute punch in the gut.”

Within minutes, Galluzi notified the Governor’s office and confirmed executive priorities so the response and recovery could be guided by business impact, not just technical urgency. His team moved immediately to isolate the affected virtual machine environment and halt any lateral movement. “Our environment was built in a way that we could immediately segregate it from the rest of our infrastructure, and we were able to do that quite rapidly,” said Galluzi.

Strong foundations enabled communication and coordination

Years of investment in network infrastructure, cyber insurance, governance committees, and statewide identity management via Office 365 and Entra ID all fell into place to help the State maintain communication, mobilize resources, and coordinate recovery decisions across the federated environment.

One modernization decision in particular proved critical once isolation measures were in place: “Moving identities to the cloud with Entra ID – if that weren’t in place, we would have been absolutely dead in the water,” Galluzi explained. With cloud identity available even while on-premises components were impacted, the State retained the ability to coordinate, communicate, and prioritize recovery activities.

A phased recovery centred on the needs of Nevadans

Alignment between Galluzi and the Governor’s office helped prioritize the sequence of service restoration: life, safety, and critical citizen needs first, followed by core business functions. Despite the severity of the incident, Galluzi reports their network was down for only two days. From there, the State worked through a phased restoration across more than 60 agencies in just 28 days. Galluzi reflected, “Initially, we looked at 28 days as longer than what we had hoped for. But in retrospect, when we look at the complexity of our environment and how big it was, 28 days was incredibly fast to bring everything back up.”

As investigations progressed, the picture became clear. The breach traced back to a system administrator who had unknowingly downloaded a malicious tool via SEO poisoning, leading to credential theft and deletion of backups. Endpoint protection did not flag the threat until weeks later.

Behind-the-scenes partnerships made the difference

From network partners to the State’s cyber insurance provider, Galluzi drew on strong relationships that had been years in the making, including Info-Tech. He noted that while Nevada’s channels were filled with opportunistic outreach during the incident, “Info-Tech demonstrated the difference between a vendor and a partner. Info-Tech brought in the right resources, experts in the field, and our own Account Executive and Executive Partner, who were there for us to deliver on any request, as extensions of our own team.”

“Info-Tech demonstrated the difference between a vendor and a partner. Info-Tech brought in the right resources, experts in the field, and our own Account Executive and Executive Partner, who were there for us to deliver on any request, as extensions of our own team.”

– Timothy Galluzi, Executive Director & State Chief Information Officer, State of Nevada

That support extended beyond the immediate incident response, as Info-Tech helped Nevada document the incident and lessons learned. In a letter penned to Info-Tech leadership, Galluzi credited Info-Tech with helping the State craft “one of the most comprehensive, transparent After Action Reports (AAR) for a Cyber Security Incident ever published by a government.” He noted that Info-Tech’s work “set a new bar for governmental transparency for cyber incidents,” and that governments across the country are using the report to guide discussions on better defense and protection of constituent data.

The State of Nevada’s experience underscored the value of practiced preparedness, and they are using the incident to further strengthen their resilience. Galluzi acknowledged the importance of many partners during the incident, with grateful acknowledgment of the role Info-Tech played: “The State of Nevada is stronger and more resilient now because of you.”