TL;DR: BlackFog's Q1 2026 State of Ransomware report identified 2,160 undisclosed ransomware attacks across 97 countries, while only 264 attacks were publicly disclosed - meaning roughly one in nine ransomware victims actually goes public, per Cybersecurity Dive. Data was exfiltrated in 96% of incidents, with an average 743 GB stolen per undisclosed attack, victims given an average of 7.7 days to pay, and ransom demands averaging over $1 million. Qilin led the undisclosed attacks with 339 (16%), followed by The Gentlemen (200, 9%) and Akira (190, 9%). For North Carolina small businesses, the report rewrites the threat baseline: the ransomware peer benchmark is not the 264 attacks you read about - it's the 2,160 you don't.
Key takeaway: For every NC small business ransomware story that makes the local news, roughly eight more peers handled a ransomware incident quietly and never told anyone - if the report's global 2,160-to-264 ratio holds for NC. The threat is roughly nine times more common than press coverage suggests - and 96% of those incidents involve data theft, not just encryption.
Need help preparing for the ransomware threat the headlines don't show? Preferred Data Corporation has run managed cybersecurity, managed IT, and backup / data protection for NC small businesses since 1987. Call (336) 886-3282 or request a ransomware readiness review.
What did the BlackFog Q1 2026 report actually find?
Per Cybersecurity Dive and the BlackFog Q1 2026 press release, the report covered ransomware activity from January through March 2026 and produced the following statistics that NC SMBs should plan against:
| Metric | BlackFog Q1 2026 figure |
|---|---|
| Undisclosed ransomware attacks | 2,160 (2% YoY increase) |
| Publicly disclosed attacks | 264 |
| Public-disclosure rate | ~1 in 9 (~11%) |
| Countries affected | 97 |
| Incidents involving data exfiltration | 96% |
| Average data stolen per undisclosed attack | 743 GB |
| Average payment deadline given to victims | 7.7 days |
| Average ransom demand | Over $1 million |
| Most active undisclosed group | Qilin - 339 attacks (16%) |
| Second most active | The Gentlemen - 200 attacks (9%) |
| Third most active | Akira - 190 attacks (9%) |
| Most active disclosed group | Qilin - 22 attacks (8%) |
| AI-driven campaigns observed | LotAI, ClawdBot, OpenClaw |
The "1 in 9 disclosed" finding is the most important single data point in the report. Per Industrial Cyber, most ransomware victims now resolve incidents quietly - by paying the ransom, by absorbing the loss, by relying on insurance, or by keeping the matter between themselves, the negotiator, and the insurer. The public dataset that most SMB cybersecurity decisions are based on captures roughly one attack in nine, so risk models built on it undercount the threat by roughly 9x.
Quotable definition: Data exfiltration-first ransomware is a model in which the attacker steals data before (or instead of) encrypting it, then extorts the victim with publication threats. Per BlackFog, 96% of Q1 2026 ransomware involved exfiltration - encryption is no longer the attacker's only lever, and a clean restore alone does not end the extortion.
Three facts an NC SMB should write down:
- The actual ransomware threat is ~9x more common than press coverage shows. If your SMB peer network sees one NC small business in the news per quarter for a ransomware incident, the real rate is closer to nine per quarter. Risk modeling that uses press counts under-prepares.
- Encryption is no longer the primary lever. 96% of attacks now involve data theft. The "we have great backups, ransomware can't hurt us" posture stopped being sufficient once exfiltration-first extortion became the norm. The attacker will publish the data regardless of restore time.
- AI-driven extortion is already live. Per BlackFog, the AI ecosystem is now powering ransomware campaigns - LotAI, ClawdBot, OpenClaw - that automate data theft, victim profiling, and ransom-note customization. The marginal cost of a ransomware campaign has dropped sharply.
Why does this matter for North Carolina small businesses specifically?
Because most NC SMB ransomware preparation budgets are calibrated to the press-visible threat level, not the actual threat level. The scenarios below are illustrative composites built from the report's group and demand figures, not reported incidents; each shows how an NC SMB drops out of its peers' threat model:
- A High Point manufacturer with 80 employees is hit by Qilin via a phished M365 account. 1.2 TB of CAD files, customer purchase orders, and HR data is exfiltrated over five days. The ransom demand is $1.4 million. The CEO pays via cyber insurance, no public disclosure is made, the press never covers it. The business does not appear in any peer's threat model next quarter.
- A Greensboro construction firm is hit by Akira. The attackers steal estimating spreadsheets and subcontractor banking detail. The firm pays $850,000 and absorbs the rest. The biggest customer never finds out.
- A Piedmont Triad accounting practice is hit by The Gentlemen. PII for 12,000 client returns is exfiltrated. The firm pays $1.1 million. The negotiator relays the attacker's claim that "the data was deleted" - a claim no one can verify and which is not always true. North Carolina's breach-notification obligation turns on the unauthorized acquisition of personal information, assessed with counsel, not on the attacker's later promise to delete it; paying the ransom does not make that obligation go away.
- A Charlotte law firm is hit. Trust account records, client privilege material, and active matter files are exfiltrated. The firm pays a high-six-figure ransom and absorbs the reputational risk. No state bar disclosure is made - though the duty to inform affected clients of a material breach of their confidential information does not disappear because a ransom was paid.
Per the BlackFog Q1 2026 press release, the average ransom demand window is 7.7 days. The decision-making window for an SMB CFO with limited cyber-insurance coverage, a 30-person workforce, and an active production environment is the same week. Most plans are not ready.
Key takeaway: The NC SMB ransomware playbook should be built for the 2,160-attack reality, not the 264-attack press coverage. Backups defeat encryption; only prevention + segmentation + early detection defeat data theft + extortion.
How does an NC SMB defend against the 2026 ransomware reality in 90 days?
Run a nine-step sequence inside 90 days. The plan is staged so an NC SMB with 1-3 IT staff (or a managed services partner) can deliver real prevention, not theater.
- Adopt phishing-resistant MFA on every administrative account (Day 0-14). Per our device-code phishing analysis, SMS, TOTP, and push approvals are bypassable by adversary-in-the-middle proxies and device-code lures. Hardware security keys (YubiKey, Titan) or passkeys, both built on FIDO2/WebAuthn, bind the credential to the site's origin, so a phishing proxy cannot replay it. Start with every admin identity and enforce it through conditional access (for example, Entra ID authentication strengths); extend to all users as budget allows.
- Deploy EDR with behavioral detections on every endpoint (Day 0-30). CrowdStrike, SentinelOne, or Defender for Business with the right policy: tamper protection on, attack surface reduction rules in block mode, and unmanaged devices denied access. Tune for the credential-theft-then-lateral-move pattern (LSASS access, newly created admin accounts, RDP between workstations) that precedes encryption.
- Adopt immutable backups (Day 14-45). Wasabi Object Lock, AWS S3 Object Lock, Backblaze B2 Object Lock, or a Veeam Hardened Repository. The backup must be unmodifiable for the duration of the retention policy, not just protected by a password an attacker can phish: use compliance-mode locking (or the vendor's equivalent) rather than governance mode, which a privileged account can lift; keep backup-platform admin accounts off the production identity provider; and set retention longer than a typical attacker dwell time so the last clean copy has not aged out by the time the intrusion is discovered.
- Map and segment the data exfiltration paths (Day 30-60). Block outbound SMB, RDP, and SSH from user subnets at the edge firewall, and block unauthorized cloud-storage destinations at the firewall or DNS layer. Mass transfer to Mega, Bashupload, or attacker-hosted S3 is the leading indicator; tools such as Rclone and WinSCP are routinely abused for it, so restrict them with application control and alert on large outbound volume per host. DNS filtering alone does not stop a transfer to a raw IP address, so pair it with egress rules and flow logging.
- Run a ransomware tabletop exercise (Day 30-60). A 4-hour facilitated tabletop with the executive team, IT, legal, and a representative from finance. Walk through the 7.7-day ransom window. Most plans fall apart at the "who notifies the customers" decision.
- Sign an incident response retainer (Day 14-45). Have an IR firm on contract before the incident. The first hour costs an SMB the most when it is also the first hour they are evaluating IR vendors. Even a $5K-$10K annual retainer compresses that timeline.
- Review the cyber insurance policy line-by-line (Day 14-30). Confirm coverage limits, social-engineering carve-outs, ransom reimbursement caps, business-interruption sub-limits, and forensics provider lists. Replace the policy if the coverage no longer matches the threat.
- Build a customer-notification template (Day 60-90). A drafted, lawyer-reviewed customer notification that can be edited and sent within 24 hours of confirmed data exfiltration. The drafting process surfaces decisions the company would otherwise make in panic.
- Train staff on the data-theft-extortion reality (Day 0-90). Move past "click here for the security training video." Twice-yearly live training with phishing simulations, a tabletop scenario, and an updated employee handbook clause on incident reporting.
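The egress check in step 4 is the one piece of this plan that can be expressed as detection logic, so here is an added example (not code from the page, BlackFog, or Preferred Data Corporation) that triages a constructed CSV of per-flow egress records. It applies three checks the step describes: outbound SMB/RDP/SSH that should never leave the perimeter, traffic to consumer file-drop services (Mega and Bashupload, named above), and a burst of outbound volume to a non-allowlisted destination inside a short window. The log format, host names, the allowlist, and the 1 GiB-per-hour threshold are all assumptions for the example and should be tuned to the business's real baseline.

```python
"""
Egress triage for ransomware exfiltration indicators (added example).

Input is a constructed CSV of per-flow egress records:
    timestamp,src_host,dst_host,dst_port,bytes_out
Nothing here is real traffic; the hosts, domains and thresholds are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GIB = 1024 ** 3

# Destinations this (hypothetical) business legitimately sends large volumes to.
ALLOWLIST = {"outlook.office365.com", "sharepoint.com", "onedrive.live.com"}
# Consumer file-drop services the article names as common exfiltration targets.
FILE_DROP_DOMAINS = {"mega.nz", "bashupload.com"}
# Protocols that should be blocked outbound at the edge; seeing them is a finding.
BLOCKED_EGRESS_PORTS = {445: "SMB", 3389: "RDP", 22: "SSH"}

# Constructed sample log for this example.
SAMPLE_LOG = """\
2026-02-10T22:01:05Z,WS-ENG-14,mega.nz,443,5368709120
2026-02-10T22:03:11Z,WS-ENG-14,mega.nz,443,4294967296
2026-02-10T22:10:42Z,WS-ENG-14,mega.nz,443,6442450944
2026-02-10T09:15:00Z,WS-FIN-02,outlook.office365.com,443,3145728
2026-02-10T09:20:00Z,WS-FIN-02,sharepoint.com,443,10485760
2026-02-10T23:30:00Z,SRV-FILE-01,203.0.113.45,445,1073741824
2026-02-10T11:00:00Z,WS-HR-05,onedrive.live.com,443,52428800
"""


def parse_log(text):
    """Parse the CSV egress records into dicts with a UTC-aware timestamp."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue
        ts, src, dst, port, nbytes = rec
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return rows


def peak_bytes_in_window(recs, window):
    """Largest total bytes_out over any run of records whose timestamps span <= window."""
    recs = sorted(recs, key=lambda r: r["ts"])
    lo, total, peak = 0, 0, 0
    for hi, r in enumerate(recs):
        total += r["bytes"]
        # Slide the left edge forward until the run fits inside the window.
        while recs[hi]["ts"] - recs[lo]["ts"] > window:
            total -= recs[lo]["bytes"]
            lo += 1
        peak = max(peak, total)
    return peak


def find_exfil_candidates(rows, window=timedelta(hours=1), threshold=1 * GIB):
    """Return one finding per (src, dst, reason); repeated hits are deduplicated."""
    findings = {}

    def add(src, dst, reason, detail):
        findings.setdefault((src, dst, reason),
                            {"src": src, "dst": dst, "reason": reason, "detail": detail})

    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r)
        if r["port"] in BLOCKED_EGRESS_PORTS:
            add(r["src"], r["dst"], "blocked_protocol",
                f"outbound {BLOCKED_EGRESS_PORTS[r['port']]} (tcp/{r['port']}) to {r['dst']}")
        if r["dst"] in FILE_DROP_DOMAINS:
            add(r["src"], r["dst"], "file_drop_destination", f"traffic to {r['dst']}")

    # Volume check: allowlisted SaaS destinations are expected to carry bulk traffic.
    for (src, dst), recs in by_pair.items():
        if dst in ALLOWLIST:
            continue
        peak = peak_bytes_in_window(recs, window)
        if peak >= threshold:
            add(src, dst, "volume_burst", f"{peak / GIB:.1f} GiB to {dst} within {window}")
    return list(findings.values())


if __name__ == "__main__":
    for f in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(f"{f['src']:12} {f['reason']:22} {f['detail']}")
```

On the sample data the engineering workstation is flagged twice (file-drop destination and a 15 GiB burst in ten minutes), the file server is flagged for outbound SMB to a public address, and the finance and HR hosts, whose traffic goes to allowlisted Microsoft 365 endpoints, produce nothing. In production, feed it firewall or NetFlow exports and review the allowlist against real business destinations before trusting its silence.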
| Control | Day-90 target | Why it matters |
|---|---|---|
| Phishing-resistant MFA on all admin accounts | 100% of admin identities | Closes the highest-conversion entry vector |
| EDR on all endpoints | 100% of endpoints | Detects the lateral move that precedes encryption |
| Immutable backups | 100% of business-critical data | Defeats encryption-based pressure |
| Outbound exfiltration controls | All edge devices | Blocks the data-theft action that drives 96% of incidents |
| Ransomware tabletop exercise | Executed + minuted | Surfaces broken decision points before the real call |
| Incident response retainer | Signed | Compresses the response timeline by hours |
| Cyber insurance policy reviewed | Documented + adjusted | Ensures coverage matches the threat |
| Customer notification template | Lawyer-reviewed + drafted | Removes panic drafting from the 24-hour notification window |
| Staff training on data-theft extortion | 100% of staff annually | Aligns user behavior with the actual threat |
Key takeaway: Backups defeat the encryption side of ransomware. Only prevention, segmentation, EDR and outbound exfiltration controls reduce the data-theft side; cyber insurance and a rehearsed response plan limit the damage once theft has already happened. The 2026 ransomware reality requires both.
How does Preferred Data Corporation help NC SMBs defend against the 2026 ransomware reality?
PDC has run managed cybersecurity, managed IT, backup and data protection, and cloud solutions for NC SMBs since 1987. For the 2026 ransomware threat profile, PDC brings four things to the table:
- EDR + 24/7 monitoring: CrowdStrike, SentinelOne, or Defender for Business deployed on every endpoint, tuned for the credential-theft-then-lateral-move pattern, monitored by a real human SOC, not just an alert email.
- Immutable backup architecture: Veeam Hardened Repository or S3 Object Lock backed up offsite, with restore-tested monthly and a documented 4-hour recovery objective for the top 10 systems.
- Tabletop + IR retainer: A quarterly tabletop exercise plus a 24/7 incident-response retainer that compresses the first hour from "who do we call" to "the IR team is on the bridge."
- Customer-notification + insurance review: Lawyer-reviewed customer notification templates, a cyber-insurance policy review with the broker, and a documented decision tree for the "do we pay" question.
For NC manufacturers in High Point and Greensboro, construction firms across the Piedmont Triad, accounting and law firms in Charlotte, and medical practices managing PHI - this is the 90-day cycle that turns the BlackFog "1 in 9" finding into a peer-leading defensive posture.
Need help with a 90-day ransomware readiness program? Call (336) 886-3282 or book a ransomware readiness review.
Frequently Asked Questions
What did the BlackFog Q1 2026 ransomware report find?
Per Cybersecurity Dive, BlackFog identified 2,160 undisclosed ransomware attacks vs. 264 publicly disclosed ones in Q1 2026 - a roughly 1-in-9 public disclosure rate. Data exfiltration occurred in 96% of incidents, with an average 743 GB stolen, a 7.7-day ransom window, and average demands above $1 million.
Why does the "1 in 9" disclosure rate matter for NC small businesses?
Because most SMB cybersecurity budgets are calibrated to press-visible threats. If the actual ransomware rate against NC SMBs is roughly 9x higher than press coverage suggests, the budget, the controls, and the incident response readiness are all systematically under-scaled.
Are backups still useful against modern ransomware?
Yes, but only for half the problem. Backups defeat the encryption pressure - you restore and decline the ransom. They do not defeat the data-theft pressure - the attacker still has your data and will publish it whether or not you restore. Modern defense requires backups AND exfiltration controls AND incident response readiness.
What is "data exfiltration" and why is it now 96% of attacks?
Data exfiltration is the act of copying data out of the victim's network before (or instead of) encrypting it. Per Industrial Cyber, the shift to 96% exfiltration is driven by the business reality that data theft + publication threat is more reliable than encryption pressure - victims with good backups still pay to avoid the press story.
Which ransomware groups should an NC SMB pay attention to in 2026?
Per BlackFog Q1 2026, Qilin (16% of undisclosed attacks), The Gentlemen (9%), and Akira (9%) are the most active. Qilin is a sophisticated double-extortion group with a long history; The Gentlemen operate a 90% affiliate revenue-share model; Akira targets SMB-scale victims aggressively. NC manufacturers, construction firms, and professional services firms are squarely in scope for all three.
What is AI-driven ransomware (LotAI, ClawdBot, OpenClaw)?
Per BlackFog, threat actors are now using AI tooling in ransomware campaigns - the report names LotAI, ClawdBot, and OpenClaw - to automate data theft, victim profiling, and ransom-note customization. The marginal cost of a campaign has dropped sharply and targeting precision against SMBs has risen, but the entry vectors are unchanged: phishing-resistant MFA and outbound exfiltration controls still apply.
Should we pay the ransom if we're hit?
It depends - and the decision is best made in advance, in writing, with legal counsel and the cyber-insurance broker. Many SMBs pay because the alternative (data publication + customer notifications + regulatory exposure) looks worse, but payment buys only an unverifiable promise to delete the data, and it does not remove notification obligations. Counsel must also confirm the recipient is not a sanctioned entity before any payment, since paying one can itself create legal exposure. The right answer is a decision tree drafted during the tabletop exercise in the 90-day plan, not improvised in the 7.7-day ransom window.
Related Resources
- Managed Cybersecurity for NC Businesses - EDR + 24/7 monitoring + IR retainer
- Managed IT for NC Businesses - Patch + identity + endpoint baseline
- Backup and Data Protection - Immutable backup architecture for NC SMBs
- Cloud Solutions - Segmented architectures that limit blast radius
- Verizon DBIR 2026: SMB Ransomware 88%
- The Gentlemen Ransomware 90% Affiliate Split: SMB Defense
- Contact Preferred Data Corporation - 90-day ransomware readiness for NC SMBs