NC Ransomware Surge: Attacks Up 50%, 1,215 Incidents in 2024

Ransomware attacks against North Carolina businesses surged approximately 50% year-over-year in 2024, climbing from 843 incidents to 1,215, according to records obtained by WRAL Investigates from the NC Department of Justice 2024 Data Breach Report. 2024 was a record-breaking year for breaches in the state, with more than 2,258 organizations reporting an incident to the NCDOJ.

The trend accelerated into 2025. Check Point Research reported a 126% year-over-year increase in publicly disclosed ransomware victims globally during Q1 2025, climbing from 1,011 victims in Q1 2024 to 2,289 in Q1 2025. NC's exposure tracks the national curve.

For small business owners in High Point, Greensboro, Raleigh, Charlotte, and across the state, the question is no longer whether ransomware reaches NC. The state-level data confirms it already has, in volume, across every industry, including doctors' offices, law firms, schools, and small manufacturers.

Key takeaway: NC ransomware incidents grew approximately 50% in 2024 according to NCDOJ data, and Q1 2025 showed a 126% YoY surge in publicly disclosed victims. The pattern affects small businesses disproportionately because they share infrastructure profiles with the most-targeted enterprises but lack equivalent defense budgets.

Worried about your exposure? Preferred Data Corporation provides managed cybersecurity services for North Carolina businesses with 37+ years of local experience. Call (336) 886-3282 or request a security assessment.

What does the NC ransomware data actually show?

The North Carolina ransomware data shows a sustained, accelerating attack pattern that hit small and mid-sized organizations hardest. Three concrete data points anchor the picture:

1,215 ransomware incidents in NC in 2024, up from 843 in 2023, a roughly 50% increase per the NCDOJ 2024 Data Breach Report
2,258 total organizations reported breaches to NCDOJ in 2024, the highest number ever recorded in the state
Ransomware contributed to more than half of all 2024 breaches according to NCDOJ

Targets included doctors' offices, law firms, schools, county and municipal governments, and small businesses. The WRAL investigation found that mid-sized organizations of 50-500 employees absorbed the majority of incidents, the same demographic where security investments most often fall short.

Q1 2025 marked an inflection point nationally. According to Check Point Research's quarterly threat report, publicly disclosed ransomware victims jumped 126% YoY, with the United States as the most-targeted country.

Which NC industries are getting hit hardest?

NC industries hit hardest in the 2024-2026 ransomware surge mirror the national picture, with manufacturing, healthcare, professional services, and local government topping the list. Each has structural vulnerabilities that make them attractive targets.

Industry	Why Targeted	Common Entry Points
Manufacturing	Production downtime pressure, IP value, OT-IT convergence	Phishing, vulnerable VPN, unpatched edge devices
Healthcare (incl. specialty practices)	PHI value, HIPAA notification leverage, life-safety pressure	Phishing, third-party vendor breach
Professional services (legal, accounting)	Client data sensitivity, wire transfer access	BEC, OAuth abuse, vendor compromise
Local government and education	Limited budgets, public services pressure	Phishing, end-of-support software
Construction and trades	Distributed jobsites, shared accounts, project urgency	Stolen credentials, unmanaged endpoints

Manufacturing is particularly exposed in NC, where the Piedmont Triad's manufacturing base intersects with growing OT-IT convergence. According to Industrial Cyber's coverage of recent manufacturing attacks, a single ransomware event in a connected production environment can halt operations for days or weeks.

Review PDC's manufacturing-focused IT services.

Why has ransomware grown so much in North Carolina?

Ransomware has grown so much in North Carolina because economic incentives, attack automation, and SMB defense gaps have all moved in the wrong direction simultaneously.

1. Initial access is cheap

According to Chainalysis 2026 ransomware research, the average price for network access on initial access broker (IAB) markets dropped from $1,427 in Q1 2023 to just $439 in Q1 2026, driven by AI-assisted tooling, automation, and oversupply from info-stealer logs. Cheap access expands the addressable target set to include any business with internet-facing systems.

2. Affiliate model scales attacks horizontally

Ransomware-as-a-service operations like Akira, BlackCat, and successors recruit affiliates who run their own campaigns. With 85 active extortion groups in 2025 according to Chainalysis, NC businesses face dozens of independent attackers, not a small cartel.

3. Edge device exposure remains high

Cybersecurity Dive reporting shows that hundreds of SonicWall firewalls remained vulnerable to known exploits months after patches were released. NC small businesses without dedicated security staff disproportionately operate aging edge devices with delayed patching cycles.

4. Backup and identity gaps persist

According to the StationX 2026 SMB cybersecurity statistics, 88% of SMB breaches involve ransomware, and most affected SMBs do not have tested immutable backups or phishing-resistant MFA. The gap between attacker capability and SMB defense is the proximate cause of the surge.

What is the financial impact on NC small businesses?

The financial impact on NC small businesses can range from $120,000 for a contained incident to over $3.3 million for a full breach with notification, regulatory, and litigation costs.

According to StrongDM's small business cybersecurity statistics:

Average breach cost for businesses with under 500 employees: $3.31 million
Recovery cost average: $120,000
Downtime cost: $53,000 per hour
Business closure rate within 6 months of major incident: 60%

NC-specific cost overlays include NCDOJ notification requirements, potential class-action exposure under NC's data protection statutes, and HIPAA penalties for healthcare-adjacent organizations. According to Astra Security research, the average total breach cost for SMBs reaches $254,445 even before regulatory and legal exposure.

What stops ransomware in 2026?

What stops ransomware in 2026 is a layered defense built around five pillars: identity, endpoint, network, backup, and rehearsed response. No single product is sufficient. The businesses that recover without paying share these characteristics.

Pillar 1: Identity hardening

Phishing-resistant MFA on every email, VPN, and admin account
Conditional access policies blocking impossible-travel and risky-device sign-ins
Privileged account separation (admin accounts must not also be email accounts)
Quarterly review of OAuth grants and service principals

Pillar 2: Endpoint detection and response (EDR)

Traditional antivirus does not stop modern ransomware. EDR provides behavioral detection, automated containment, and forensic visibility. Managed Detection and Response (MDR) on top of EDR delivers 24/7 monitoring without the cost of an internal SOC. Learn about PDC's endpoint protection services.

Pillar 3: Network and edge defense

Continuous patching of firewalls, VPN concentrators, and remote access gateways
Network segmentation isolating critical systems from general office traffic
DNS filtering blocking known malware command-and-control domains
24/7 monitoring of edge device logs for VPN brute force and authentication anomalies

Pillar 4: Tested, immutable backups (3-2-1-1-0)

The single most important determinant of ransomware survival is whether your backup architecture survives the attack. The 3-2-1-1-0 standard:

3 copies of every critical dataset
2 different storage media types
1 off-site copy (cloud or physical)
1 immutable copy (cannot be modified or encrypted)
0 errors confirmed via quarterly restoration tests

A backup that has never been restored is not a backup. Review PDC's backup and disaster recovery services.

Pillar 5: Rehearsed incident response

Documented incident response plans must be exercised. Annual tabletop exercises with leadership, IT, legal, and insurance contacts close gaps before an incident happens, when costs are 10x lower than during one.

What should NC small businesses do this quarter?

NC small businesses should run a 90-day defense improvement program now, prioritized to the controls that prevent ransomware in 2026.

Days 1-30: Foundation

Enforce MFA on all email, VPN, and administrator accounts
Replace traditional antivirus with EDR on all endpoints
Verify last successful backup restore test (if older than 90 days, schedule one immediately)
Patch all internet-facing devices to current firmware

Days 31-60: Visibility and segmentation

Audit OAuth grants and SaaS connections; revoke unused
Implement network segmentation between critical zones (production, management, guest, IoT)
Enable comprehensive audit logging across email, identity, and endpoints
Deploy DNS filtering on all networks

Days 61-90: Resilience

Deploy or validate immutable backup (air-gapped or WORM storage)
Document incident response plan with NCDOJ notification timelines
Run a 60-90 minute tabletop exercise with leadership
Review cyber insurance policy and confirm controls align to coverage requirements
Schedule annual penetration test or security assessment

Need help executing this plan? Talk to PDC about managed cybersecurity services.

What should you do if your NC business is hit by ransomware?

If your NC business is hit by ransomware, take six immediate actions in the first 60 minutes, before any decisions about payment or public statements:

Isolate affected systems at the network level (disable switch ports, VPN, or pull network cables)
Preserve evidence: do not power down systems if forensic analysis is feasible
Engage your incident response team or MSP immediately
Notify cyber insurance carrier before engaging any third-party negotiator (most policies require it)
Report to FBI IC3 at ic3.gov and to local FBI field office
Begin NCDOJ notification timeline assessment with legal counsel; NC requires notification of affected residents

Read PDC's ransomware recovery plan guide.

Why partner with Preferred Data Corporation?

Preferred Data Corporation has been protecting North Carolina businesses since 1987. We are not a national MSP routing tickets to a tier-1 queue; we are an NC company that lives, hires, and responds locally. Our managed cybersecurity practice is built around the threats actually documented in the NCDOJ breach report, not generic checklists.

PDC delivers:

24/7 managed detection and response with EDR coverage
Tested, immutable backup and disaster recovery
Managed firewall, VPN, and edge device patching
Identity hardening across Microsoft 365 and Google Workspace
Documented incident response plans with quarterly tabletop exercises
NCDOJ notification timeline support and cyber insurance coordination
On-site response within 200 miles of High Point

Key takeaway: The 50% YoY surge in NC ransomware is not a temporary spike; it is the new baseline. The 60% of breached small businesses that close within six months share preventable gaps. The 40% that survive share documented controls. The choice is which group your business joins.

About Preferred Data Corporation

Preferred Data Corporation (PDC) is a managed IT and cybersecurity provider headquartered at 1208 Eastchester Drive, Suite 131, High Point, NC 27265. Founded in 1987, PDC serves businesses across the Piedmont Triad, Research Triangle, and Charlotte regions with cybersecurity, managed IT, backup, network, and M&A advisory services.

Get a no-cost cybersecurity assessment:

Call <a href="tel:3368863282">(336) 886-3282</a>
Visit <a href="https://preferreddata.com/contact" target="_blank" rel="noopener noreferrer">preferreddata.com/contact</a>
Email <a href="mailto:[email protected]">[email protected]</a>

Frequently Asked Questions

How many ransomware attacks happened in North Carolina in 2024?

According to records obtained by WRAL Investigates from the NC Department of Justice 2024 Data Breach Report, approximately 1,215 ransomware incidents were reported in North Carolina in 2024, up from 843 in 2023. NCDOJ recorded 2,258 total organizational data breaches, a state record.

Which NC industries are most targeted?

Manufacturing, healthcare, professional services (legal, accounting, financial), local government, and education are the most-targeted NC industries. Mid-sized organizations (50-500 employees) absorb the majority of incidents because they share infrastructure profiles with enterprise targets but operate without equivalent defense budgets.

Should an NC business pay a ransom?

The FBI and most cyber insurance carriers recommend against paying. Payment does not guarantee data recovery, funds criminal operations, may violate OFAC sanctions if the actor is in a sanctioned jurisdiction, and according to Chainalysis, only 28% of victims paid in 2025. Most businesses with tested immutable backups and a documented response plan recover without paying.

Does NC require ransomware reporting?

NC requires notification to the NC Department of Justice and affected residents under state data breach law when personal information is involved. Healthcare organizations also face HIPAA federal notification timelines, and businesses serving residents of other states may have additional notification obligations.

How fast can a managed cybersecurity provider get an NC small business protected?

A focused managed cybersecurity engagement can deliver foundational protections (MFA, EDR, backup hardening, baseline policies) in 30 to 60 days. Full incident response readiness with tabletop exercises and 24/7 monitoring typically reaches steady state in 90 days. The first 30 days deliver the largest risk reduction.