TL;DR: BlackFog's Q1 2026 State of Ransomware report identified 264 publicly disclosed ransomware attacks but 2,160 undisclosed ones, meaning only about 1 in 9 attacks (roughly 11%) ever become public. Virtually all (96%) of disclosed attacks involved data exfiltration, and manufacturing was the most targeted sector among undisclosed incidents, accounting for more than one-fifth of them. The real threat is far larger than headlines suggest, and most victims are small and mid-sized businesses that quietly absorb the damage. North Carolina small businesses need detection, data loss prevention, breach-notification readiness, and an incident response plan, because "we never heard about an attack" does not mean attacks are not happening.
Key takeaway: The ransomware you read about is the tip of the iceberg. About 89% of attacks are never disclosed, and those silent victims are overwhelmingly small businesses, which makes "it won't happen to us" the most dangerous assumption in your security strategy.
Not sure if you'd even detect an attack in progress? Preferred Data Corporation provides 24/7 monitoring and incident response for North Carolina small businesses. Call (336) 886-3282 or request a ransomware risk assessment.
How many ransomware attacks actually go unreported?
The overwhelming majority. According to BlackFog's Q1 2026 State of Ransomware report, the firm's threat intelligence team identified 264 publicly disclosed attacks in the first quarter of 2026 alongside 2,160 undisclosed attacks, so only about one in nine, roughly 11%, were ever made public. As Cybersecurity Dive summarized, businesses hide the vast majority of ransomware attacks.
The data also shows the threat shifting. While disclosed attacks fell 15% year over year, undisclosed attacks ticked up slightly from Q1 2025, per Industrial Cyber. The problem is not shrinking; it is going dark.
For NC small businesses, the implication is blunt: the absence of news is not evidence of safety.
Why do so many businesses hide ransomware attacks?
Businesses stay silent for reasons that, while understandable, leave the wider community blind and the victim under-prepared. The most common drivers are reputational, contractual, and operational.
- Reputation and customer trust. Owners fear losing clients and referrals, a real concern for relationship-driven NC small businesses.
- No legal trigger they recognize. Many believe that if they "only" had systems encrypted, no notification is required, often without checking whether data was exfiltrated.
- Quiet ransom payment. Some pay and move on, hoping the incident never surfaces.
- Lack of detection. You cannot disclose what you never detected; many small businesses simply do not know the full scope of what was taken.
The danger is that silence removes the pressure to fix root causes, so the same business is frequently hit again.
Why does 96% data exfiltration change your defense strategy?
Because backups no longer solve the whole problem. BlackFog found that virtually all (96%) of disclosed Q1 2026 attacks involved data exfiltration, and Industrial Cyber noted threat actors are prioritizing data theft over pure disruption. That means even a flawless backup restore still leaves you facing a data-leak extortion threat and likely breach-notification obligations.
| Strategy era | Primary attacker goal | Effective defense |
|---|---|---|
| Encryption-only ransomware | Lock files, sell decryption | Tested backups |
| 2026 data-theft ransomware | Steal data, then encrypt | Backups plus data loss prevention, monitoring, and breach-notification readiness |
This is why a 2026 defense must add data loss prevention (DLP), egress monitoring, and a documented breach-notification process to the traditional backup foundation.
Are NC manufacturers and small businesses really the silent majority?
Yes. BlackFog reported that manufacturing was the most targeted sector among undisclosed attacks, accounting for more than one-fifth of all such incidents, while healthcare led disclosed attacks at 27%. North Carolina's economy is heavily weighted toward exactly the profile that goes unreported.
- Manufacturing and industrial firms across the Piedmont Triad rarely make headlines but are the top undisclosed target.
- Privately held companies have no public-company SEC pressure to disclose, so incidents stay internal.
- Small teams often lack the detection tooling to even quantify what was stolen.
The result: NC's small manufacturers, contractors, and professional firms are disproportionately represented in the 89% you never hear about.
What must NC small businesses do about hidden ransomware?
You cannot rely on industry headlines as your early-warning system. The fix is to assume you are a target, detect early, and be ready to respond and disclose correctly.
- Deploy 24/7 detection (EDR/MDR). Catch the reconnaissance and exfiltration phase before encryption. You cannot manage what you cannot see.
- Add data loss prevention and egress monitoring. Detect and block large or anomalous outbound data transfers, the core of the 96% exfiltration trend.
- Harden the entry points. MFA everywhere, patched edge devices, and locked-down VPN/RDP close the most common initial-access routes.
- Maintain immutable, tested backups. Still essential for fast operational recovery, even though they no longer solve data theft alone.
- Build a breach-notification playbook. Know in advance when North Carolina and contractual obligations require disclosure, so you do not "accidentally" become a hidden statistic and incur penalties.
- Rehearse incident response. A tested plan, including legal and communications steps, prevents panicked, quiet decisions.
PDC delivers this through managed cybersecurity, managed IT services, and backup and disaster recovery.
Don't let your business become part of the 89%. Call (336) 886-3282 or contact Preferred Data Corporation for a ransomware risk assessment.
Does North Carolina require you to disclose a ransomware breach?
Often, yes, and the 96% exfiltration rate makes it likely. North Carolina's data breach notification law requires notifying affected individuals (and, at scale, the NC Attorney General) when personal information is accessed or acquired without authorization. Because nearly all 2026 attacks now steal data, treating a ransomware event as "encryption only, no notice needed" is increasingly indefensible and exposes the business to regulatory penalties and litigation. The correct posture is to investigate exfiltration scope with professional help and notify based on facts, not on a hope that nothing was taken. PDC builds notification readiness into incident response planning for NC clients.
Frequently Asked Questions
What percentage of ransomware attacks are never disclosed?
Approximately 89%. BlackFog's Q1 2026 report identified 264 disclosed attacks versus 2,160 undisclosed, so only about 1 in 9 (roughly 11%) became public, per Cybersecurity Dive.
If attackers only encrypted my files, do I still have to notify anyone?
Probably yes. BlackFog found 96% of disclosed 2026 attacks involved data exfiltration, so assuming "encryption only" is risky. North Carolina breach notification obligations are typically triggered by unauthorized access to or acquisition of personal information, which most modern ransomware achieves before encrypting. Investigate scope before concluding no notice is required.
Why is manufacturing the top hidden ransomware target?
Manufacturing accounted for more than one-fifth of undisclosed Q1 2026 attacks, per BlackFog. Many manufacturers are privately held with no public-disclosure pressure, run under-segmented IT/OT networks, and lack the detection tooling to quantify what was stolen, so incidents stay internal.
Are tested backups still worth it if data is stolen anyway?
Yes. Immutable, tested backups remain the fastest path to restoring operations and avoiding a decryption payment. They simply no longer address the data-leak extortion side, which is why DLP, monitoring, and notification readiness must be added alongside them.
How would a small business even detect a hidden attack?
Through endpoint detection and response (EDR/MDR) with 24/7 monitoring and outbound-data (egress) monitoring. These catch the lateral movement and exfiltration that precede encryption. Without them, many small businesses never learn the true scope, which is exactly how attacks stay undisclosed.
Related Resources
- Managed Cybersecurity Services for NC Businesses - 24/7 detection, DLP, and incident response
- Managed IT Services for NC Businesses - Proactive monitoring and hardening
- Backup and Disaster Recovery - Immutable, restore-tested backups
- Manufacturing Industry Solutions - Security for NC's top hidden target
- Triple Extortion Ransomware Defense for SMBs - Companion guide on data-leak extortion
- Contact Preferred Data Corporation - Schedule a ransomware risk assessment