Data Protection Tool

Ransomware Attacks in Manufacturing on the Rise [2024 Report]

Picture of David Mezic

David Mezic

Chief Technology Officer @ Invenio IT


Ransomware Attacks in Manufacturing

A new report confirms that ransomware attacks in manufacturing are continuing to disrupt production lines across the globe.

More than half of manufacturing organizations were hit with ransomware in the last year, according to the new findings from cybersecurity firm Sophos. That figure represents another uptick from the year prior, indicating that the industry remains a top target for attackers.

Here are some of the key findings from the 2023 report:

  • Ransomware struck 56% of manufacturing companies surveyed between January and March 2023.
  • More than a third of manufacturers paid the ransom in an attempt to get their data back.
  • Only 1 in 4 companies were able to thwart the attacks before their data was fully encrypted.
  • In 32% of attacks, attackers stole the data in addition to encrypting it.

In this post, we look at why ransomware attacks in manufacturing have become so common, along with strategies for data backup, recovery and other findings from the report.

Why is ransomware in manufacturing so bad?

Manufacturing is a top target for attackers precisely because the attacks are so disruptive. When ransomware disrupts production, manufacturers are desperate to get their data back as quickly as possible. Otherwise, operations can be halted for days or weeks, resulting in staggering financial losses.

To minimize these risks, manufacturers are often willing to pay the ransom (even when there’s no guarantee that attackers will deliver the decryption key). This makes the industry very lucrative for attackers, along with other top-targeted sectors, like healthcare and finance.

A 2023 report by IBM found that manufacturing has been the most targeted industry for ransomware attacks for the past two years.

An increasing trend

Sophos’s latest statistics on ransomware in manufacturing show that attacks continue to increase each year, though the rate of increase has slowed in recent months. The 2023 report was based on survey responses from 363 IT and cybersecurity leaders within the manufacturing and production industries, across 14 countries in the Americas, EMEA and Asia Pacific.

The following figures show how the rate of attacks on manufacturing organizations has increased since 2021, based on responses from companies that said they were hit within the past year:

2023 2022 2021
56% 55% 36%

While attacks only increased slightly from 2022, the stats are still concerning for the industry. More than half of manufacturers are being compromised by ransomware every year.

What’s causing the attacks?

As in any industry, ransomware can exploit numerous vulnerabilities to infect IT systems and spread laterally across a network. But the most common method of delivery, by far, is email.

41% of manufacturing respondents said that their attacks stemmed from malicious emails or phishing. That’s a notable increase over the cross-industry average of 30%. As the report states, this suggests that “manufacturing and production is particularly exposed to email-based attacks.”

Here’s a closer look at the most common causes of ransomware in manufacturing according to manufacturing IT professionals:

Compromised credentials 27%
Exploited vulnerability 24%
Malicious email 21%
Phishing 20%
Brute force attack 5%
Infected downloads 5%

Another key takeaway from these figures is that human error is to blame for many of these attacks. When you combine the impact of compromised passwords, mishandling of malicious emails and user deception from phishing, a clear picture emerges. End users are making regrettable mistakes that allow ransomware to get past cybersecurity safeguards. These are mistakes that often can be prevented with more aggressive employee education and file-access controls. This applies not only to manufacturing companies but also organizations across every industry.

Manufacturers are increasingly struggling to stop attacks

Some manufacturing organizations are able to thwart ransomware attacks before data is encrypted. But the rate of that success has been declining every year, according to Sophos.

In 2023, only 27% of manufacturers said they blocked the ransomware from locking their data. That’s down from 38% in 2022 and 42% in 2021. These figures are actually better than most other industries, according to Sophos’s research. However, the declining rate of success indicates that attacks are employing more sophisticated methods to bypass cybersecurity systems and encrypt data before organizations can stop it.

How do some companies stop ransomware from encrypting files?

One key method is isolating the infected devices from the network, so that the ransomware cannot spread to servers or primary file storage. File-access restrictions are another effective method, as they prevent the ransomware from accessing critical files.

Additionally, some data backup systems, such as the Datto SIRIS, feature built-in ransomware detection. This enables administrators to take action at the first sign of an infection, before data is destroyed.

Ransom payments

Nearly all ransomware attacks are driven by financial gain. Attackers hold your data ransom, promising to restore it if you pay up (typically via untraceable cryptocurrency). There’s no certainty that hackers will hold up their end of the bargain, which is one of several reasons why federal law enforcement advises against paying the ransom. But many companies do it anyway, often because it’s they have no other viable option for data recovery.

The new findings from Sophos reveal:

  • 34% of manufacturers that suffered a ransomware attack paid the ransom to get their data back
  • Across all industries, 46% of organizations paid their attackers for the decryption key

Manufacturing companies are doing a better job at ignoring attackers’ demands than other companies. But still 1 in 3 are paying up, suggesting that their other recovery options are not as good.

How much are they paying? In 2023, the ransoms paid by manufacturing companies averaged more than $1.2 million, according to Sophos.

Use of data backups in manufacturing

Data backups remain the most critical failsafe against ransomware. They allow companies to restore their files back to an earlier state, effectively recovering their systems and eliminating the infection.

73% of manufacturing companies used data backups to restore data after a ransomware attack, according to the report. This is up from 58% in 2022, indicating that organizations have gotten more aggressive in implementing dependable disaster recovery solutions.

Cost of recovery

Even when you exclude the cost of ransom payments, recovering from a ransomware attack is very costly for most manufacturing companies.

In 2023, manufacturers spent an average of $1.08 million on recovery per attack, not including any ransom payments. This is a staggering sum, but thankfully it has been trending downward over the past few years: $1.23 million in 2022; $1.52 million in 2021. This defies the trend across all industries, which increased from $1.4 million in 2022 to $1.82 million in 2023.

The business impact of ransomware on manufacturing

On top of direct recovery costs, manufacturers can incur a wide range of other financial losses from a ransomware attack. Disrupted operations can lead to a direct loss of revenue. Plus, employee wages are effectively wasted if workers are unable to work due to system downtime. If the operational disruption also reverberates to the customer experience, then the attack can also cause lasting reputational damage.

Sophos asked manufacturers to report the impact of ransomware attacks on their business:

  • 44% of manufacturing companies said they lost “a little business/revenue”
  • 32% said they lost “a lot of business/revenue”

While some manufacturers were fortunate to experience little to no business impact from a ransomware attack, the majority suffered losses.

Examples of ransomware attacks in manufacturing

The figures above help to identify important trends in the manufacturing industry, but they reveal only part of the story. To understand the real impact of ransomware on a manufacturing company, it helps to take a closer look at some of the individual incidents.

The following case studies represent only a few of the many recent ransomware attacks in manufacturing.

1) MKS Instruments

In February 2023, ransomware hit Massachusetts-based MKS Instruments – a global provider of instruments and services for the manufacturing industry. The incident disrupted the company’s ability to produce and supply its products and ultimately forced it to suspend operations at some facilities.

What we know

  • The attack directly caused a 20% decrease in quarterly revenue: more than $200 million in Q1 losses alone, plus the likelihood that future quarters would be affected too.
  • Within the company’s photonics and vacuum divisions, the attack blocked its ability to process orders and ship products. Customer service operations were also suspended.
  • On top of these financial losses, a former employee has led a class-action lawsuit against MKS, claiming that personal identifying information was compromised due to “negligent cybersecurity” at the company.
  • The impact of the attack reverberated through the supply chain, affecting other companies. Chip maker Applied Materials subsequently announced $250 million in losses “related to a cybersecurity event recently announced by one of our suppliers,” which most analysts interpreted as the MKS attack.

2) Brunswick Corporation

Brunswick – a leading marine industry manufacturer in Illinois – announced in June 2023 that they had suffered a major cyberattack that disrupted operations. Company officials did not explicitly describe the nature of the attack, but most analysts agreed it was likely ransomware.

What we know

  • As of August 2023, company officials estimated the attack would cost at least $85 million.
  • Brunswick was forced to halt operations in some of its facilities.
  • Law enforcement agencies reportedly assisted the company during the attack.
  • It took 9 days for the company to restore its operations.

3) Dole

Food giant Dole announced in February 2023 that a ransomware attack had forced the company to shut down production plants in North America. The company did not initially report the attack until major grocery chains revealed that it was causing product shortages at its stores.

What we know

  • The attack caused Dole-made salad kits to disappear from store shelves for days, according to CNN.
  • Company officials eventually revealed the attack caused it to “shut down our systems throughout North America.”
  • The attack cost the company $10 million in direct costs, officials revealed in its quarterly earnings report.
  • Roughly half of Dole’s legacy company’s servers (and a quarter of its end-user computers) were affected by the attack.


Ransomware is one of the biggest cybersecurity threats to manufacturing companies, as it can lock up critical data, disable IT infrastructure and lead to costly production stoppages. It’s for this reason that manufacturing is the most targeted industry for ransomware: the worse the attack, the more likely a company will pay the ransom to get their data back.

Manufacturers can defend against ransomware – eliminate the risk of extortion – by implementing robust business continuity and disaster recovery strategies. This includes the use of a dependable data backup system that can rapidly recover data after an attack and help the manufacturer resume business as usual.

Protect your operations from ransomware

See how your organization can protect against ransomware and other data-loss disasters with hybrid cloud data backup solutions from Datto. Request a free demo or speak to our experts at Invenio IT today. Call (646) 395-1170 or email

Get the Ultimate Guide to Data Loss Prevention & Recovery for SMBs
Invenio it logo

Join 23,000+ readers in the Data Protection Forum

Related Articles