By Mike Marlow, President & Founder, Information Systems of Montana
I started Information Systems of Montana in the early 1990s, when the biggest technology concern most Montana business owners had was whether their fax machine was working.
I've been in this industry through every major threat evolution since then: the early viruses spread through floppy disks, the first email worms that crashed networks across entire office floors, the rise of phishing and spyware, the industrialization of cybercrime in the 2000s, WannaCry, NotPetya, and the shift to ransomware-as-a-service, where criminal organizations began operating like legitimate businesses complete with HR departments, customer service desks, and quarterly revenue targets.
I've seen a lot, and I want to be direct with you: what is happening right now is different from all of it.
Not incrementally different. Fundamentally different. This is the kind of shift that changes the risk calculus for every Montana business owner I work with, regardless of industry, size, or how long they've been operating.
Where It All Started: A Floppy Disk and a P.O. Box in Panama
To understand how serious the current moment is, it helps to understand where ransomware came from.
The first documented ransomware attack occurred in December 1989, when Harvard-educated evolutionary biologist Dr. Joseph Popp mailed 20,000 floppy disks to attendees of the World Health Organization’s international AIDS conference in Stockholm. Once loaded onto a computer, the malware hid file directories, locked file names, and instructed victims to send $189 to a P.O. box in Panama to restore access.
It was crude. The encryption was so weak that IT specialists cracked the decryption key almost immediately, and most victims never paid a cent. Dr. Popp was eventually arrested at an airport, though he was later declared unfit to stand trial.
That was ransomware in its infancy: a solo actor, a physical delivery mechanism, and a design flaw that undermined the entire scheme.
For the next fifteen years, ransomware barely registered as a serious threat. It wasn’t until the emergence of Bitcoin and anonymous cryptocurrency payments around 2010 that ransomware became truly viable as a criminal enterprise. Suddenly, attackers could demand payment from anywhere in the world and receive it anonymously, without a bank account to freeze or a transaction to trace.
That changed everything.
The Decade That Built the Ransomware Economy
Throughout the 2010s, ransomware evolved rapidly. CryptoLocker, in 2013, was the first attack to demonstrate how devastating strong encryption combined with anonymous payment systems could be. It extorted nearly $3 million from victims before law enforcement shut it down. Within months, criminal groups worldwide were building their own versions.
By the mid-2010s, ransomware had become an industry—not a loose collection of hackers, but organized criminal enterprises with dedicated development teams, affiliate recruitment programs, and customer service operations designed to help victims make payments and receive decryption keys.
I watched this evolution closely because my job was to protect Montana businesses from it. And for most of that period, the playbook was relatively consistent:
- A phishing email arrives.
- An employee clicks.
- Ransomware executes.
- Files are encrypted.
- A ransom demand appears.
The question then becomes: do you pay, or do you restore from backup?
It was serious. It was costly. But it was also, in a sense, a known adversary. The attacks followed recognizable patterns. The defenses were well understood. Businesses that invested in layered security, reliable backups, and employee training were reasonably well protected.
That is no longer the world we operate in.
Ransomware 2.0: What Has Changed and Why It Matters to Your Business
The ransomware attacks happening in 2025 and 2026 are not simply the same threat with a new label. They represent a genuine technological and strategic leap driven by three converging forces:
Artificial Intelligence in the Hands of Attackers
Ransomware groups are now using AI to personalize social engineering attacks, craft highly convincing phishing emails, bypass traditional detection systems, and overcome language barriers that once limited their reach.
An AI-generated phishing email in 2026 doesn’t arrive with broken grammar or an obviously suspicious sender address. It arrives looking like a legitimate message from your accountant, vendor, or legal counsel, referencing real details about your business gathered from publicly available information.
The human filter that once served as your last line of defense is now being deliberately engineered around.
State-Sponsored Actors Targeting Small Businesses
This is the part that still surprises many business owners when I explain it to them: nation-state hacking groups are no longer focusing exclusively on governments and Fortune 500 companies.
In early 2025, the North Korean state-sponsored threat group Moonstone Sleet began using the Qilin ransomware platform in its operations, signaling a strategic shift toward geopolitical influence operations that extend well beyond financial extortion.
When a state-sponsored actor compromises a Montana healthcare network or a CMMC-regulated manufacturer, the objective is not always ransom payment. Sometimes it’s intelligence gathering. Sometimes it’s disruption. Sometimes it’s establishing persistent access for future operations.
The ransom demand is often just the visible surface of a much deeper threat.
Double and Triple Extortion
The original ransomware model was straightforward: encrypt files and demand payment for the decryption key.
The new model is far more aggressive.
With double extortion, attackers steal sensitive data before encrypting systems and threaten to publish or sell that information unless an additional payment is made.
With triple extortion, attackers add a third layer of pressure by threatening to contact the victim’s clients, partners, or regulators directly.
A business that restores from backup and refuses to pay the ransom may still face:
- public exposure of stolen data,
- regulatory notifications,
- reputational damage,
- and significant legal liability.
For Montana law firms, healthcare providers, and financial services firms, that second layer of extortion is often more damaging than the encryption itself.
The Scale Is No Longer Deniable
I know what some of you are thinking because I hear it regularly:
“Mike, that’s terrible, but it still feels like something that happens to other businesses—big companies in big cities.”
Look at the numbers from 2025 and ask yourself whether that belief still holds.
GuidePoint Security recorded a 58% year-over-year increase in ransomware victims in 2025, making it the most active ransomware year ever documented. On average, 145 new victims were added to dark web data leak sites every single week.
The average total cost of a ransomware attack in 2025—including downtime, recovery costs, legal exposure, and reputational damage—rose to $5.08 million per incident.
An estimated 85% of ransomware attacks are never publicly reported. The businesses you read about in the news represent only a fraction of those actually being targeted.
Most importantly, North America experienced approximately 47% of all ransomware attacks globally, with the United States accounting for roughly one-fifth of all known incidents.
This is not a foreign problem. It is an American business problem, and Montana businesses are not exempt.
What Ransomware 2.0 Means for Montana’s Most Vulnerable Industries
The industries I monitor most closely in Montana—the ones where the consequences of a successful attack are most severe—are seeing the sharpest increases in targeting.
Healthcare
Healthcare breaches in 2025 were the most expensive of any sector, averaging $7.42 million per incident.
In the most severe cases, ransomware attacks against healthcare providers were directly linked to patient harm, including canceled procedures and at least one confirmed patient death.
This is no longer just a cybersecurity issue. It is a patient safety issue.
Manufacturing
Manufacturing suffered the highest number of ransomware attacks of any sector in 2025, accounting for approximately 29% of all incidents—a 61% year-over-year increase.
For Montana businesses handling Controlled Unclassified Information (CUI) under Department of Defense contracts, a breach is not merely a financial disaster. It can also result in contract termination and federal investigation.
Legal and Financial Services
Legal and financial firms remain prime targets because of the sensitivity and legal significance of the data they hold.
A trust account disbursement redirected through business email compromise, or confidential client files leaked on a dark web marketplace, creates consequences that extend far beyond immediate financial losses.
The Defense Has to Change Too
One reassuring aspect of the original ransomware era was that the defenses were relatively straightforward:
- Train employees to recognize phishing attempts
- Maintain reliable backups
- Patch systems regularly
- Use multi-factor authentication
Those measures still matter. But today, they are necessary—not sufficient.
An AI-generated phishing campaign conducted by a state-sponsored actor is not something employee awareness training alone can stop.
A double extortion attack involving stolen data cannot be solved simply by restoring from backup.
Defending against Ransomware 2.0 requires a fundamentally different security posture:
- Continuous monitoring instead of periodic scans
- Behavioral threat detection instead of signature-only detection
- A documented and tested incident response plan built for today’s threat landscape
- Compliance frameworks that satisfy actual regulatory and operational requirements—not annual checkbox exercises
Most importantly, it requires a security partner that monitors your environment with the same seriousness attackers bring to targeting it.
You Understand the Risk. Now It’s Time to Act.
The threat has evolved.
The question is whether your defenses have evolved with it—and if they haven’t, how quickly you can change that.
Next Step: Join Our Upcoming Webinar
Protect Your Bottom Line: The Montana Executive’s Guide to Cyber Resilience
Tuesday, June 2nd
11:00 AM (MT)
We hope you’ll join us for this important conversation.
