TL;DR: BlackFog's State of Ransomware 2026 research found 264 publicly disclosed ransomware attacks in Q1 2026, but identified 2,160 undisclosed ones, meaning the hidden total ran nearly 10 times the reported number. Europol's IOCTA 2026 counted more than 120 active ransomware groups in 2025. For NC small businesses, the takeaway is blunt: the ransomware problem is roughly an order of magnitude larger than the headlines suggest, and most victims you never hear about look exactly like you.
Critical takeaway: If only 1 in 10 ransomware attacks is ever disclosed, then every public statistic you use to estimate your risk is understated by about 90%. You are not planning against the threat; you are planning against the visible tip of it.
Want a defense built for the real threat level, not the reported one? Contact Preferred Data Corporation at (336) 886-3282. Serving High Point, Greensboro, Charlotte, Raleigh, Winston-Salem, and the Piedmont Triad since 1987.
How Many Ransomware Attacks Actually Go Unreported?
The overwhelming majority. BlackFog's Q1 2026 analysis found 264 publicly disclosed ransomware attacks against 2,160 undisclosed ones, an undisclosed-to-disclosed ratio of roughly 8 to 1. The reported number is the small, visible portion of a much larger problem.
| Q1 2026 Ransomware Data | Figure | Implication for NC SMBs |
|---|---|---|
| Publicly disclosed attacks | 264 | The number that reaches news and reports |
| Undisclosed attacks identified | 2,160 | The real operating volume of the threat |
| Hidden-to-disclosed ratio | ~8 to 1 | Public stats understate risk by roughly 90% |
| Active ransomware groups (2025, Europol IOCTA) | 120+ | An industrialized, AI-accelerated criminal market |
Europol's IOCTA 2026 report describes an increasingly industrialized cybercrime landscape driven by AI, ransomware, and large-scale data theft. The disclosed numbers were never the whole story; the 2026 data quantifies just how partial they are.
Why Do So Many Businesses Hide a Ransomware Attack?
Businesses conceal ransomware incidents because disclosure carries reputational, legal, and competitive costs that owners try to avoid, especially smaller firms without a communications or legal function. The silence is rational at the individual level and dangerous at the industry level.
The main drivers:
- Reputation protection. Owners fear customer and partner loss more than the incident itself, particularly in tight-knit NC industrial and professional communities
- Quiet ransom payment. Some pay and never report, assuming silence ends the matter (it rarely does; victims who pay are frequently targeted again)
- No disclosure trigger. If the firm believes no regulated data was exposed, it may conclude no notification is legally required
- Limited capability. Many SMBs lack the legal, forensic, and PR resources to manage a public disclosure, so they manage it privately
- Insurance dynamics. Concern about premium increases or coverage disputes discourages reporting
The collective effect is an information vacuum: every SMB underestimates its odds because the peers who were hit stayed quiet.
What Does the Hidden Volume Mean for an NC Small Business?
It means your real probability of being targeted is far higher than the news implies, and that you should plan for "when," not "if." Ransomware-as-a-service operators select targets by expected payout per hour of effort, and NC SMBs check every box: valuable data, time-sensitive operations, limited defensive maturity, and concentrated decision-making.
The structural risk factors:
- High target density. NC's manufacturing, furniture, textile, logistics, and professional services base is exactly the profile RaaS affiliates prefer
- Operational fragility. A 4-day production or billing halt costs a 40-person Piedmont Triad firm proportionally more than it costs a multinational
- Concentrated access. One owner or controller often holds the access needed to authorize a wire, restore a backup, or pay a ransom
- Supply-chain leverage. A small NC contractor breached is often a doorway into a larger customer, raising the attacker's payoff
The Verizon 2026 DBIR found 88% of SMB breaches involve ransomware or extortion, versus 39% at large enterprises. The BlackFog hidden-volume data explains why that gap feels even larger on the ground than it reads on paper.
Where do you actually stand? Take our free cybersecurity assessment or call (336) 886-3282.
What Controls Actually Reduce Ransomware Risk for SMBs?
The controls that move the needle are consistent and well-established; the failure is almost always in execution and monitoring, not in knowing what to do. Prioritized:
- Immutable, tested backups. Air-gapped or object-locked copies ransomware cannot encrypt or delete, with quarterly restore tests. See immutable backups for ransomware protection
- EDR or MDR on every endpoint. Behavior-based detection that catches the encryption and lateral movement stages, covered in EDR vs MDR for small business
- MFA everywhere it matters. Email, VPN, admin portals, and financial systems, since stolen credentials remain a top initial-access vector
- 24/7 SOC monitoring. The majority of ransomware deployment happens at night and on weekends, when in-house teams are offline
- Same-week edge patching. Unpatched firewalls and VPNs are a leading entry point
- Email authentication and phishing-resistant MFA for high-risk finance and admin roles
- A written, rehearsed incident response plan with legal, insurance, forensics, and communications paths defined in advance, see our ransomware recovery plan guide
- Annual security awareness training using current AI-driven phishing and deepfake examples
These map directly to the NIST Cybersecurity Framework and CIS Controls v8. The 2026 data does not change the playbook; it raises the cost of skipping it.
How Does NC-Specific Risk Compound the Hidden Threat?
North Carolina's economy concentrates the exact industries ransomware groups prioritize, and NC-specific compliance clocks turn a quiet incident into a multi-front problem the moment regulated data is involved.
NC pressure points:
- NC G.S. 75-65 breach notification obligations
- CMMC 2.0 for any DoD subcontractor in the NC defense supplier base
- HIPAA for healthcare practices
- GLBA and PCI DSS for financial, accounting, and any card-accepting firm
- Customer contractual notification clauses that trigger regardless of statute
A "quiet" incident stops being quiet the instant one of these clocks starts. The hidden-volume data is a warning that the peers who stayed silent did not avoid the cost; they delayed and often amplified it.
How Is Preferred Data Helping NC SMBs Defend Against the Real Threat?
Preferred Data Corporation has protected NC small and mid-sized businesses since 1987. Our managed cybersecurity services deliver the controls the data repeatedly identifies as effective: EDR/MDR, MFA enforcement, dark web monitoring, email security, and 24/7 SOC monitoring that catches attacks during the nights and weekends they actually occur. Our backup and disaster recovery practice provides immutable backups with quarterly restore testing, the single most reliable path to recovery without paying. Our managed IT services maintain the patch and configuration discipline that closes the most common entry points.
For manufacturers and professional services firms across High Point, Greensboro, Charlotte, Raleigh, Winston-Salem, and the Piedmont Triad, we bring incident response planning, OT-aware monitoring, and a 200-mile on-site response radius. With BBB A+ accreditation and a 20+ year average client tenure, we are the local partner NC owners trust when an incident is real and the clock is running.
Ready to plan against the real threat level? Contact Preferred Data at (336) 886-3282 or visit our contact page to schedule a security review.
Frequently Asked Questions
How many ransomware attacks actually go unreported?
BlackFog's State of Ransomware 2026 research found 264 publicly disclosed attacks in Q1 2026 against 2,160 undisclosed ones, roughly an 8-to-1 hidden-to-disclosed ratio. In practical terms, public ransomware statistics understate the true volume by approximately 90%.
Why do businesses hide ransomware attacks?
The main reasons are reputation protection, quiet ransom payment, the belief that no disclosure is legally required, limited legal and forensic capability, and concern about insurance consequences. The behavior is common among smaller firms without dedicated legal or communications functions.
Does hiding a ransomware attack actually work?
Rarely, and it often makes things worse. Victims who pay are frequently targeted again, regulatory clocks still apply when regulated data is exposed, and undisclosed incidents commonly surface later through leak sites or partner notifications, by which point the cost has grown.
Does the hidden volume change what defenses I need?
No. The proven controls (immutable tested backups, EDR/MDR, MFA, 24/7 monitoring, fast edge patching, and a rehearsed incident response plan) are unchanged. The data simply raises the real probability of being targeted and the cost of skipping those controls.
What is the single most reliable way to recover without paying?
Immutable, tested backups. Air-gapped or object-locked copies that ransomware cannot encrypt or delete, combined with quarterly restore testing, are the most dependable path to recovery without negotiating with attackers.
Are small NC businesses really high-value targets?
Yes. Ransomware-as-a-service operators select targets by expected payout per hour of effort, and NC SMBs combine valuable data, time-sensitive operations, limited defensive maturity, and concentrated decision-making, which is the ideal profile.
Does Preferred Data offer managed ransomware defense?
Yes. Our managed cybersecurity, backup and disaster recovery, and managed IT services deliver EDR/MDR, MFA, immutable backups, 24/7 SOC monitoring, fast patching, and incident response planning for NC SMBs. Call (336) 886-3282 for a tailored assessment.