Businesses Hide Vast Majority of Ransomware Attacks, Report Finds

Cybersecurity Dive (Industry Dive)
May 7, 2026

Why It Matters

The underreporting skews risk assessments and hampers effective cybersecurity planning, while the proliferation of low‑skill tools and shadow AI expands the attack surface for organizations worldwide.

Key Takeaways

  • 264 disclosed vs. 2,160 undisclosed ransomware attacks in Q1 2026.
  • U.S. accounts for 50% of undisclosed and 61% of disclosed incidents.
  • Manufacturing leads undisclosed targets; healthcare leads disclosed targets.
  • 96% of disclosed attacks involve data exfiltration.
  • Venom Stealer and Lotus C2 simplify ransomware deployment.

Pulse Analysis

The BlackFog threat‑intelligence report reveals a staggering gap between publicly disclosed ransomware incidents and those kept hidden. In Q1 2026, analysts identified 2,160 attacks that never surfaced, nearly ten times the 264 disclosed cases. This underreporting skews industry metrics, hampers risk‑assessment models, and gives a false sense of progress. Companies often conceal breaches to protect brand reputation, avoid regulatory penalties, or because insurers demand nondisclosure. As a result, executives and policymakers lack a true picture of the threat landscape, complicating efforts to allocate resources and craft effective cyber‑resilience strategies.

Geography and sector data underscore where the danger concentrates. U.S. organizations bore half of the hidden attacks and more than 60% of the reported ones, confirming the country’s status as the primary ransomware playground. Among undisclosed incidents, manufacturing accounted for over 20% of victims, reflecting the sector’s reliance on legacy OT systems and supply‑chain interdependencies. Conversely, healthcare dominated disclosed breaches, with 27% of cases, likely driven by the high value of patient records. Notably, 96% of reported attacks involved data exfiltration, highlighting extortion through leaked information as a core profit driver.

The report also flags a shift in the cyber‑crime toolkit. Tools such as the Venom Stealer, delivered via the ClickFix infection chain, turn routine social engineering into a continuous data‑theft pipeline, while the Lotus C2 framework offers plug‑and‑play command‑and‑control capabilities that lower the technical barrier for less sophisticated actors. Simultaneously, the rise of “shadow AI” – unsanctioned AI applications proliferating across enterprises – creates new attack surfaces, as 49% of employees use unapproved AI tools. Organizations must tighten governance around AI adoption and invest in detection mechanisms to counter these evolving threats.
