Ransomware Attacks in Manufacturing Cost $1.3 Million Per Incident

Key Statistics for 2025

Nearly 2 in 3 manufacturing organizations were hit with ransomware in 2024, according to the latest available statistics from cybersecurity firm Sophos – the highest recorded rate in their reporting history. In its 2025 ransomware report, Sophos found that ransomware attacks cost manufacturers $1.3 million per incident, on average.

Here are some of the key statistics to know:

• 65% of surveyed manufacturers faced ransomware attacks in 2024.
• 40% of attacks in 2025 resulted in data encryption (a significant improvement from 74% in 2024).
• 51% of manufacturing companies paid the ransom in an attempt to restore their data.
• In 39% of attacks, attackers stole the data in addition to encrypting it.
• On average, a ransomware attack costs manufacturing companies $1.3 million per incident.

Why is ransomware in manufacturing so bad?

Manufacturing is a top target for ransomware attackers precisely because the attacks are so disruptive. When ransomware disrupts production, manufacturers are desperate to get their data back as quickly as possible. Otherwise, operations can be halted for days or weeks, resulting in staggering financial losses.

To minimize these risks, manufacturers are often willing to pay the ransom (even when there’s no guarantee that attackers will deliver the decryption key). This makes the industry very lucrative for attackers, along with other top-targeted sectors, like healthcare and finance.

A 2025 report by IBM found that manufacturing has been the most targeted industry for ransomware attacks for the past four years.

Manufacturing attack trends by year

Sophos’s latest statistics on ransomware in manufacturing show that attacks continue to increase each year, though the rate of increase has slowed in recent months. The 2024 report was based on survey responses from 332 manufacturing and production respondents across 17 countries.

The following figures show how the rate of attacks on manufacturing organizations has increased since 2021, based on responses from companies that said they were hit within the past year:

What’s causing the attacks?

As in any industry, ransomware can exploit numerous vulnerabilities to infect IT systems and spread laterally across a network. In manufacturing, these vulnerabilities are now the top root cause for attacks, representing 32% of incidents.

23 percent of manufacturing respondents said that their attacks stemmed from malicious emails, down from 29% in 2024.

Here’s a closer look at the most common causes of ransomware in manufacturing according to manufacturing IT professionals:

Another key takeaway from these figures is that human error is to blame for many of these attacks. When you combine the impact of compromised passwords, mishandling of malicious emails and user deception from phishing, a clear picture emerges. End users are making regrettable mistakes that allow ransomware to get past cybersecurity safeguards. These are mistakes that often can be prevented with more aggressive employee education and file-access controls. This applies not only to manufacturing companies but also to organizations across every industry.

Manufacturers struggle to stop attacks

Some manufacturing organizations are able to thwart ransomware attacks before data is encrypted. But the rate of that success varies across the industry.

In 2023, only 27% of manufacturers said they blocked the ransomware from locking their data. That’s down from 38% in 2022 and 42% in 2021. These figures are actually better than most other industries, according to Sophos’s research. However, the declining rate of success indicates that attacks are employing more sophisticated methods to bypass cybersecurity systems and encrypt data before organizations can stop it.

A silver lining: 91% of manufacturing organizations that had data encrypted said they recovered it, either from data backup or paying the ransomware.

How do some companies stop ransomware from encrypting files?

One key method is isolating the infected devices from the network, so that the ransomware cannot spread to servers or primary file storage. File-access restrictions are another effective method, as they prevent the ransomware from accessing critical files.

Additionally, some disaster recovery systems, such as the Datto SIRIS backup, feature built-in ransomware detection. Every backup is scanned for signs of ransomware, enabling administrators to take action at the first sign of an infection, before data is destroyed.

How much ransom do manufacturers pay?

Nearly all ransomware attacks are driven by financial gain. Attackers hold your data ransom, promising to restore it if you pay up (typically via untraceable cryptocurrency). There’s no certainty that hackers will hold up their end of the bargain, which is one of several reasons why federal law enforcement advises against paying the ransom. But many companies do it anyway, often because they have no other viable option for data recovery.

The new findings from Sophos reveal:

• 51% of manufacturers that suffered a ransomware attack paid the ransom to get their data back.
• 7% of manufacturing companies said their ransom payment matched the initial demand. 49% paid less than the demand, while 13% paid more.

Manufacturing companies are doing a better job at ignoring attackers’ demands than in previous years (62% said they paid up in 2024). But still over half are paying their attackers, suggesting that their other recovery options are not as good.

How much are they paying? In 2025, the ransoms paid by manufacturing companies averaged more than $1 million, according to Sophos – down from $1.2 million in 2024.

Use of data backups in manufacturing

Data backups remain the most critical failsafe against ransomware. They allow companies to restore their files back to an earlier state, effectively recovering their systems and eliminating the infection.

58% of manufacturing companies used data backups to restore data after a ransomware attack, according to the report. This is down from 73% just two years prior.

Cost of recovery

Even when you exclude the cost of ransom payments, recovering from a ransomware attack is very costly for most manufacturing companies.

In 2025, manufacturers spent an average of $1.3 million on recovery per attack, not including any ransom payments – down from $1.7 million in 2024 and below the global average of $1.5 million.

The business impact of ransomware on manufacturing

On top of direct recovery costs, manufacturers can incur a wide range of other financial losses from a ransomware attack. Disrupted operations can lead to a direct loss of revenue. Plus, employee wages are effectively wasted if workers are unable to work due to system downtime. If the operational disruption also reverberates to the customer experience, then the attack can also cause lasting reputational damage.

In prior years, Sophos asked manufacturers to report the impact of ransomware attacks on their business:

• 44% of manufacturing companies said they lost “a little business/revenue”
• 32% said they lost “a lot of business/revenue”

While some manufacturers were fortunate to experience little to no business impact from a ransomware attack, the majority suffered losses.

Examples of ransomware attacks in manufacturing

The figures above help to identify important trends in the manufacturing industry, but they reveal only part of the story. To understand the real impact of ransomware on a manufacturing company, it helps to take a closer look at some of the individual incidents.

The following case studies represent only a few of the many recent ransomware attacks in manufacturing.

1) Jaguar Land Rover (JLR)

The August 2025 attack on Jaguar Land Rover is arguably the most disastrous ransomware attack in the manufacturing industry in recent years. The attack forced the automaker to halt production at its factories around the world, costing tens of millions of dollars and causing a supply-chain disaster.

What we know

• The attack caused a global production standstill for JLR, with downtime stretching beyond a month.
• Estimates suggest the attack could cost the company £1.9 billion, with weekly losses topping £50 million during the peak of the disruption.
• The impact of the attack was so wide-ranging, parts suppliers were forced to lay off workers.
• While full details are not yet public, the hacker group behind the attack (Scattered Lapsus$ Hunters) has a history of using vishing (voice phishing) to impersonate company insiders and deceive employees into providing their credentials.

2) MKS Instruments

In February 2023, ransomware hit Massachusetts-based MKS Instruments – a global provider of instruments and services for the manufacturing industry. The incident disrupted the company’s ability to produce and supply its products and ultimately forced it to suspend operations at some facilities.

What we know

• The attack directly caused a 20% decrease in quarterly revenue: more than $200 million in Q1 losses alone, plus the likelihood that future quarters would be affected too.
• Within the company’s photonics and vacuum divisions, the attack blocked its ability to process orders and ship products. Customer service operations were also suspended.
• On top of these financial losses, a former employee has led a class-action lawsuit against MKS, claiming that personal identifying information was compromised due to “negligent cybersecurity” at the company.
• The impact of the attack reverberated through the supply chain, affecting other companies. Chip maker Applied Materials subsequently announced $250 million in losses “related to a cybersecurity event recently announced by one of our suppliers,” which most analysts interpreted as the MKS attack.

3) Brunswick Corporation

Brunswick – a leading marine industry manufacturer in Illinois – announced in June 2023 that they had suffered a major cyberattack that disrupted operations. Company officials did not explicitly describe the nature of the attack, but most analysts agreed it was likely ransomware.

What we know

• As of August 2023, company officials estimated the attack would cost at least $85 million.
• Brunswick was forced to halt operations in some of its facilities.
• Law enforcement agencies reportedly assisted the company during the attack.
• It took 9 days for the company to restore its operations.

4) Dole

Food giant Dole announced in February 2023 that a ransomware attack had forced the company to shut down production plants in North America. The company did not initially report the attack until major grocery chains revealed that it was causing product shortages at their stores.

What we know

• The attack caused Dole-made salad kits to disappear from store shelves for days, according to CNN.
• Company officials eventually revealed the attack caused it to “shut down our systems throughout North America.”
• The attack cost the company $10 million in direct costs, officials revealed in its quarterly earnings report.
• Roughly half of Dole’s legacy company’s servers (and a quarter of its end-user computers) were affected by the attack.

Recommended Tools for Ransomware Prevention & Recovery

For manufacturers and companies in any industry, stopping ransomware requires a multilayered strategy that incorporates advanced cybersecurity, data backup and employee training. Here are the solutions we recommend most for 2026:

• Datto SIRIS: Datto SIRIS is an all-in-one business continuity and disaster recovery (BCDR) solution designed to minimize downtime from any data-loss event, especially ransomsware. It combines local backup with redundant immutable cloud storage and the ability to virtualize servers instantly, allowing production lines to keep running even during a ransomware incident.
• RocketCyber MDR: RocketCyber is a 24/7 Managed Detection and Response service that covers the gap between potential breaches and actual damage. It combines advanced threat detection with a dedicated Security Operations Center (SOC) to actively hunt, detect and isolate threats before they can encrypt your data.
• BullPhish ID: BullPhish is a security awareness training platform that strengthens your “human firewall.” By delivering automated phishing simulations and training, it educates employees on how to spot the social engineering tactics often used to launch manufacturing-targeted attacks.

Conclusion

Ransomware is one of the biggest cybersecurity threats to manufacturing companies today, as it can lock up critical data, disable IT infrastructure and lead to costly production stoppages. It’s for this reason that manufacturing is the most targeted industry for ransomware: the worse the attack, the more likely a company will pay the ransom to get their data back.

Manufacturers can defend against ransomware – eliminate the risk of extortion – by implementing robust business continuity and disaster recovery strategies. This includes the use of advanced cybersecurity, routine user training and a dependable data backup system that can rapidly recover data after an attack.

Protect your operations from ransomware

See how your organization can protect against ransomware and other data-loss disasters with hybrid cloud data backup solutions from Datto. Schedule a call with one of our data protection specialists at Invenio IT or request Datto SIRIS pricing to learn more. You can also reach us directly at (646) 395-1170 or success@invenioIT.com.