After Nevada’s ransomware year: the boring stuff that keeps Reno offices safe

By the time the State of Nevada noticed it had a ransomware problem in August 2025, the attackers had been inside for months. That’s not a typo. The intrusion was discovered in August. The forensics came back saying it had started much earlier.

Recovery took 28 days. Direct cost was over $1.5 million. Nevada’s teams handled it well — they recovered without paying the criminals — but the timeline is the part every Reno business owner should remember. Months of access. Quiet, patient, undetected.

This article is not here to scare you. It’s here to walk through what’s actually happening on small-business networks in 2026, what the controls look like that would have caught the dwell time earlier, and what the day-to-day routine of a well-monitored office looks like.

What the 2025 attack pattern actually looks like

Most ransomware in 2025 didn’t show up as a popup. It showed up as a stolen Microsoft 365 password, used quietly for weeks. The attacker logged in as a real user, read email, set up forwarding rules, and looked around. They mapped the network. They figured out where the backups were. They escalated to an admin account when one was sloppy enough to grab. Then — only at the end — they encrypted everything and asked for money.

The polite term for the quiet middle phase is dwell time. The Nevada incident is now a teaching example of how long that can stretch.

The defensive lesson is not “buy more antivirus.” It’s “watch for the quiet middle.” The boring monitoring jobs — looking at sign-in logs, watching for new mailbox forwarding rules, flagging sudden permission changes — are the ones that catch dwell time.

Why a 25-person Reno business is a good target

The cybersecurity industry’s annual breach reports keep saying the same uncomfortable thing: small businesses get breached at roughly four times the rate of large ones. Not because they have more valuable data. Because they have less monitoring.

A 25-person accounting firm in Reno with one part-time IT contractor has the same Microsoft 365 tenant, the same VPN, the same email-with-attachments problem as a Fortune 500. The difference is who’s watching the logs at 2 a.m.

Add to that: the Reno corridor — Tesla suppliers, the Tahoe-Reno Industrial Center, the warehousing growth along Highway 80, the medical and legal offices that grew with the population — all run on Microsoft 365 and a firewall, and most don’t have a dedicated security person. That’s the target profile.

The five things we watch every day

You don’t need to memorize this list. Your IT partner should be doing it for you. But it helps to know the moves so you can ask whether they’re being made.

Sign-in anomalies. Someone signing into Microsoft 365 from Reno at 9 a.m. and then again from a country they don’t live in at 11 p.m. is the most common ransomware tell. Conditional access rules block this in the moment; sign-in log review catches what slipped through.

New inbox rules and forwarding. Attackers who get into a mailbox almost always set up a rule that quietly forwards a copy of certain emails to an outside address, or moves wire-transfer-related mail to the deleted-items folder so the real user never sees the warning. We watch for new rules created and flag the ones that look wrong.

Endpoint behavior. Modern endpoint detection and response (EDR) doesn’t just look for known viruses. It looks at what a process is doing: encrypting a lot of files quickly, talking to an unusual server, spawning PowerShell from a Word document. That’s the alert that wakes someone up.

Backup health. Backups that exist but haven’t been tested are not backups. We confirm every backup completed, run periodic test restores, and store a copy somewhere ransomware can’t touch. The Nevada teams recovered because their backups worked. That’s not luck.

Patching cadence. Ninety percent of the breaches in any given year exploited a vulnerability that had a patch available for more than thirty days. The fix is unglamorous: a Tuesday-night patch window, every week, every month, every quarter, forever.
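
Here is what the inbox-rule check from the second item can look like in practice. This is an added example, not code from the original article; the rule schema, the example-cpa.test domain, the finance word list and the sample rules are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumptions for this example: the tenant's own mail domain and a finance word list.
INTERNAL_DOMAINS = {"example-cpa.test"}
FINANCE_WORDS = ("wire", "invoice", "payment", "bank")

@dataclass
class InboxRule:              # simplified, hypothetical schema, not a real export format
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)
    move_to_folder: str = ""
    delete: bool = False
    keywords: list = field(default_factory=list)

def review_rule(rule):
    """Return the reasons a rule looks wrong; an empty list means nothing was flagged."""
    reasons = []
    external = [a for a in rule.forward_to
                if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards outside the organization: " + ", ".join(external))
    hides = rule.delete or rule.move_to_folder.strip().lower() == "deleted items"
    finance = [k for k in rule.keywords
               if any(w in k.lower() for w in FINANCE_WORDS)]
    if hides and finance:
        reasons.append("hides finance-related mail: " + ", ".join(finance))
    elif hides and not rule.keywords:
        reasons.append("hides all incoming mail")
    return reasons

def flag_rules(rules):
    """Map (mailbox, rule name) -> reasons, for flagged rules only."""
    flagged = {}
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            flagged[(rule.mailbox, rule.name)] = reasons
    return flagged

# Constructed sample data.
RULES = [
    InboxRule("ap@example-cpa.test", ".", forward_to=["drop@outside-mail.test"]),
    InboxRule("owner@example-cpa.test", "cleanup", move_to_folder="Deleted Items",
              keywords=["wire transfer", "fraud alert"]),
    InboxRule("owner@example-cpa.test", "Newsletters", move_to_folder="Newsletters",
              keywords=["newsletter"]),
    InboxRule("owner@example-cpa.test", "Assistant copy",
              forward_to=["assistant@example-cpa.test"]),
]
```

Run against the sample data, flag_rules(RULES) flags the external forward and the rule that buries wire-transfer mail, and leaves the newsletter filter and the internal forward alone.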

What “calm” actually feels like

The day a 25-person Reno business has good security in place looks like this. Nothing happens. Nobody calls anyone. The owner doesn’t know that an employee tried to click a phishing link at 2:14 p.m. and conditional access blocked the sign-in attempt before they finished their coffee. The owner doesn’t know the firewall caught a probe from an IP block in Eastern Europe at 4:30 a.m. The owner doesn’t know any of it, because that’s the job.

The phrase the customers we work with use the most is peace of mind. Not “iron-clad security.” Not “zero trust.” Peace of mind. We’ll take that as the goal.

What to ask your current IT person

Three questions will tell you a lot.

First: “Show me last month’s sign-in log review.” If the answer is a blank look, that’s the signal.

Second: “When did we last do a test restore from backup?” The acceptable answer is a date in the last 90 days. The unacceptable answer is “we don’t really do that.”

Third: “What’s our patch compliance percentage right now?” A good answer is a number above 95 percent and an explanation of which devices are the holdouts. A bad answer is “we patch when we get to it.”

If your current setup can’t answer those three questions, that’s the gap. The Nevada incident proved how long a gap like that can sit there before anyone notices.
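
For a sense of what a sign-in log review produces, here is an added example (not code from the original article) that works through the Reno-at-9-a.m., another-country-at-11-p.m. pattern described earlier. The row format, the user names, the per-user list of usual countries and the placeholder country codes XA and XB are constructed assumptions.

```python
from datetime import datetime

# Constructed sample rows: (user, local timestamp, country code, outcome).
# "XA" and "XB" are placeholder codes standing in for countries the users do not live in.
SIGNINS = [
    ("dana@example-cpa.test", "2026-03-02T09:00:00", "US", "success"),
    ("dana@example-cpa.test", "2026-03-02T23:00:00", "XA", "success"),
    ("lee@example-cpa.test",  "2026-03-03T08:30:00", "US", "success"),
    ("lee@example-cpa.test",  "2026-03-03T14:14:00", "XB", "blocked"),
    ("sam@example-cpa.test",  "2026-03-04T07:45:00", "US", "success"),
    ("sam@example-cpa.test",  "2026-03-04T18:10:00", "US", "success"),
]

# Assumption: the reviewer keeps a list of countries each user normally works from.
HOME = {
    "dana@example-cpa.test": {"US"},
    "lee@example-cpa.test": {"US"},
    "sam@example-cpa.test": {"US"},
}

def review_signins(rows, home):
    """Return sign-ins from unusual countries, with slipped-through ones first."""
    findings = []
    last_home = {}  # user -> time of the most recent successful sign-in from a usual country
    for user, ts, country, outcome in sorted(rows, key=lambda r: (r[0], r[1])):
        when = datetime.fromisoformat(ts)
        if country in home.get(user, set()):
            if outcome == "success":
                last_home[user] = when
            continue
        prev = last_home.get(user)
        gap = round((when - prev).total_seconds() / 3600, 1) if prev else None
        findings.append({
            "user": user,
            "time": ts,
            "country": country,
            "hours_since_home_signin": gap,
            # "blocked" means conditional access stopped it; "success" means it got through.
            "status": "slipped_through" if outcome == "success" else "blocked",
        })
    # Successful sign-ins from unusual countries go to the top of the review.
    findings.sort(key=lambda f: f["status"] != "slipped_through")
    return findings

if __name__ == "__main__":
    for finding in review_signins(SIGNINS, HOME):
        print(finding)
```

The first finding is the one that needs a phone call: a successful sign-in from an unusual country 14 hours after the user signed in from home. The blocked attempt is listed second as a record that conditional access did its job.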

What we do about it

We start every engagement with a free 30-minute assessment. We look at the actual Microsoft 365 tenant, the actual sign-in logs, the actual firewall, the actual backup configuration. You get a written summary of what’s good, what’s missing, and what we’d do about it. No hard-sell. If the gap is small, we tell you. If it’s big, you have a written record of what to fix, whether or not you hire us.

The Nevada incident is going to keep showing up in the news for years as the recovery, lawsuits, and after-action reports wind out. The boring routine on your network is what decides whether your business shows up in that story too.

