TL;DR: BlackFog's Q1 2026 State of Ransomware report identified 264 publicly disclosed ransomware attacks in the first three months of 2026, alongside 2,160 undisclosed attacks tracked through threat intelligence. That is 8 in 10 ransomware events hidden from public view. For North Carolina small businesses, the gap between perceived risk and actual risk is the most dangerous number on the page.
Critical takeaway: If your view of ransomware risk is driven by news headlines, you are seeing roughly 11% of the actual incident volume. Industry data, Verizon's 2026 DBIR, Chainalysis, and BlackFog all point in the same direction: SMBs are taking the brunt, and most of it never makes the news.
Want a realistic risk assessment? Contact Preferred Data Corporation at (336) 886-3282. Serving High Point, Greensboro, Charlotte, Raleigh, Winston-Salem, and the Piedmont Triad since 1987.
What did the BlackFog Q1 2026 report find?
BlackFog's threat intelligence team analyzes both publicly disclosed ransomware events and a much larger pool of telemetry-derived events from monitored networks, leak-site postings, and ransomware-affiliate communications. The Q1 2026 findings:
- 264 publicly disclosed ransomware attacks (January through March 2026)
- 2,160 additional undisclosed attacks tracked
- ~88% of total events went unreported in mainstream channels
- Small and mid-sized businesses accounted for the majority of both pools
Cybersecurity Dive's coverage of the BlackFog data notes that companies are increasingly resolving incidents quietly, paying or restoring without filing breach notifications or public statements, particularly when they can argue that no regulated data was exfiltrated.
Why are 8 in 10 ransomware attacks hidden from public view?
The undisclosed-attack gap is not random. It reflects a set of structural pressures pushing businesses toward silence:
- Brand-damage concerns. A disclosed breach can erode customer trust, depress sales, and trigger competitive defection
- Insurance coordination. Cyber insurance carriers often coordinate the response, payment, and notification strategy; quieter resolutions reduce some downstream costs
- Notification thresholds. Many state breach-notification laws are tied to specific data categories (PII, PHI, financial). If the encrypted data did not include those categories, mandatory disclosure may not be triggered
- Pure-extortion incidents. Modern threats sometimes skip encryption and exfiltrate data only. Some legal teams classify the event as theft rather than a "breach" if exfiltration is unconfirmed
- Operator pressure to underreport. SMB owners often feel that disclosing an incident harms competitive standing without proportional benefit
- Discovery delays. Some incidents are simply not discovered, with attackers staying inside networks for months
The Verizon 2026 DBIR reinforces the broader picture: 88% of SMB breaches involve ransomware or extortion, versus 39% at large enterprises. The Mastercard 2025 SMB study cited in Huntress's ransomware guide found that nearly 1 in 5 SMBs experiencing a cyberattack went bankrupt or out of business.
What does the disclosure gap mean for North Carolina small businesses?
Three concrete implications:
- Your peer-reference data is wrong. "We haven't heard of attacks on businesses our size in our area" almost always means we have not heard about the attacks, not that they did not happen
- Boards and executives underestimate risk. Decisions about cybersecurity budgets, insurance limits, and incident response readiness anchor on what is visible. The visible 11% drives 100% of the planning conversation
- Notification obligations may still apply even if you would prefer silence. NC G.S. 75-65 requires breach notification to affected NC residents and may require notification to the NC Attorney General. CMMC and DFARS contractors face a 72-hour DoD reporting clock. Healthcare practices have HIPAA Breach Notification Rule obligations
How does the disclosure gap compare across reporting frameworks?
| Reporting Lens | What It Captures | What It Misses | Typical Coverage |
|---|---|---|---|
| News headlines | Large or sensational events | SMB events, quiet payouts, contained recoveries | ~5% |
| Leak-site postings | Double-extortion events where payment failed | Quiet payment, encrypted-only events | ~15% |
| SEC 8-K filings | Material events at public companies | All private SMBs | ~3% |
| State AG notifications | Events meeting state breach thresholds | Pure-extortion, no-PII events | ~25% |
| Cyber insurance claims | Insured incidents | Uninsured or under-deductible events | ~30% |
| Threat-intel telemetry (e.g., BlackFog, Chainalysis) | Network and affiliate-side signals | Air-gapped victims, fully internal events | ~70% |
| Internal honest accounting | Everything | (Goal state, rarely achieved) | 100% |
For a small business owner, this matrix is the reason your "I haven't heard of any breaches" intuition is unreliable.
What do North Carolina breach-notification laws actually require?
NC small businesses face overlapping obligations that often surprise owners after an incident:
- NC G.S. 75-65 requires notification to NC residents whose personal information is acquired by an unauthorized party, and notification to the NC Attorney General when the breach affects more than 1,000 residents
- Federal HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) requires healthcare providers and business associates to notify affected individuals, HHS, and in some cases the media, within 60 days
- DFARS 252.204-7012 requires DoD contractors and subcontractors to report cyber incidents to the DoD DIBNet portal within 72 hours
- SEC ransomware and cyber disclosure rules require public companies (and their suppliers that need to address material incidents) to file an 8-K within 4 business days of determining materiality
- Cyber insurance carrier clauses typically require notification within 24 to 72 hours of an incident
- PCI DSS requires notification to the card brands and acquirer for any cardholder data breach
- State-by-state notification laws apply when affected residents are outside North Carolina
We cover the broader notification landscape in our incident response plan template for small business.
What does the "real" SMB ransomware risk picture look like for 2026?
Combining the BlackFog disclosure gap, Verizon DBIR ratios, and FBI IC3 cybercrime totals, a realistic 2026 SMB ransomware profile looks like:
- Targeting is broad. Ransomware-as-a-service (RaaS) operators do not pick SMBs by name; they pick by exposure (open RDP, unpatched VPN, weak MFA, leaked credentials)
- Average cost range: $120,000 to $1.24 million per incident, with 24 days of average downtime
- Disclosure rate: ~11 to 15% of incidents reach public reporting
- Payment rate: Declining (Chainalysis: 28% in 2025) as more victims recover from immutable backups
- Re-victimization rate: ~30% within 12 months for victims who do not change underlying controls
- Insurance denial rate: ~73% for SMB applications missing core controls (MFA, EDR, immutable backups, tested IR plan)
For owners of NC manufacturers, contractors, professional services firms, and healthcare practices, the implication is direct: every cybersecurity investment decision should assume the actual incident rate is 7 to 10 times what the news cycle reports.
Where do you stand on real risk? Take our cybersecurity assessment or call (336) 886-3282.
What controls move the needle for SMBs in a hidden-attack environment?
The controls that block, contain, and recover from ransomware are the same regardless of whether the incident is ultimately disclosed. The BlackFog data simply makes them more urgent:
- Phishing-resistant MFA everywhere. Email, VPN, admin portals, finance systems, customer portals
- EDR or MDR on every endpoint with 24/7 behavior-based detection
- Immutable, tested backups. Air-gapped or object-locked, with quarterly restore drills
- Same-week edge-device patching. Especially for KEV-listed vulnerabilities like CVE-2026-24858
- Email authentication enforced (SPF, DKIM, DMARC at reject)
- Identity-provider hardening. Conditional access, PIM/JIT for admin roles, OAuth and SaaS audits
- Help desk identity verification. To block vishing-driven MFA-reset attacks like the Cushman & Wakefield 500K-record breach
- Written incident response plan with notification timelines, legal contacts, insurance carrier engagement, and a 72-hour fund-recovery clock
- Tabletop exercises at least annually, exercising both technical and notification decisions
- Vendor risk reviews to address the 30% third-party involvement rate in the Verizon DBIR
How is Preferred Data helping NC SMBs see and respond to real risk?
Preferred Data Corporation has been protecting North Carolina small and mid-sized businesses since 1987. Our managed cybersecurity services include the controls that block undisclosed and disclosed ransomware events alike: EDR/MDR with 24/7 SOC monitoring, MFA enforcement, dark web monitoring, email security, and immutable backup architecture. Our managed IT services deliver the patching, configuration, and identity discipline that prevents most attacks from succeeding in the first place.
For manufacturers and construction firms across High Point, Greensboro, Charlotte, Raleigh, and Winston-Salem, we add OT-aware monitoring, CMMC-aligned incident reporting, vendor risk programs, and a 200-mile on-site response radius from High Point. With BBB A+ accreditation and an average client tenure of 20+ years, we have the operational track record to translate threat intelligence into a documented defensive plan.
Ready to plan against the real risk picture, not just the news? Contact Preferred Data at (336) 886-3282 or visit our contact page to schedule a risk assessment.
Frequently Asked Questions
Why are most ransomware attacks undisclosed?
A combination of brand-damage concerns, insurance-led quiet resolutions, narrow legal definitions of "breach" that exclude pure-extortion events, and gaps in state-by-state notification thresholds. The result is that public reporting captures roughly 11% of incidents per the BlackFog Q1 2026 data.
Is paying the ransom legal in North Carolina?
Generally yes, with significant caveats. Payments to sanctioned entities (some Russia-linked groups, North Korea, Iran) can violate U.S. OFAC sanctions regardless of the victim's intent. Always engage legal counsel and your insurance carrier before any payment.
Are we required to disclose a ransomware incident?
It depends on what was accessed and your industry. NC G.S. 75-65 requires notification when personal information of NC residents is acquired. HIPAA, GLBA, DFARS/CMMC, PCI DSS, SEC rules, and state laws in other jurisdictions may also apply. Your cyber insurance policy likely imposes its own notification clock. Get legal advice early.
How long do attackers stay inside a network before triggering ransomware?
Dwell-time data varies, but median attacker dwell time has been measured in days to weeks for ransomware, and significantly longer for pure-espionage actors. EDR and 24/7 monitoring are designed specifically to shorten this window.
Can we recover without paying?
Increasingly, yes. Chainalysis reports that the payment rate dropped to roughly 28% in 2025, largely because more victims are recovering from immutable, tested backups. The prerequisite is that you must have immutable backups in place before the incident.
What is the single highest-priority control for an SMB without much budget?
If you can do one thing first, deploy phishing-resistant MFA on every email account, VPN, and admin portal. Microsoft research shows MFA blocks 99.9% of automated credential attacks. Stolen credentials remain the top initial access vector in the Verizon DBIR.
Does Preferred Data offer 24/7 ransomware monitoring and incident response?
Yes. Our managed cybersecurity service includes 24/7 SOC monitoring, EDR/MDR, immutable backup architecture, and a documented incident response practice. Call (336) 886-3282 for a tailored assessment.