Overview
- The after-action report details how a state employee’s download of a malware-laced administration tool on May 14 installed persistent access that went undetected for months.
- By mid-August the attacker had installed monitoring software, moved laterally through encrypted tunnels, accessed the password vault server, and retrieved credentials from 26 accounts.
- Ransomware was deployed on Aug. 24, disrupting more than 60 agencies and shuttering key services including DMV appointments, background checks, and online social service applications.
- Officials report that the attacker accessed more than 26,000 files, over 3,200 of which were exposed, and that data was staged for removal; they found no evidence of successful exfiltration or leaks and notified one person tied to the only staged file that contained personal data.
- The state restored services in 28 days, recovered about 90% of affected data, declined to pay the ransom, spent roughly $1.3 million on vendors and about $210,000 in overtime, and engaged Mandiant two days after the attack with a confidential report delivered Oct. 10.