Ransomware attacks on the manufacturing industry have cost the world economy $46bn in downtime alone

From 2018 to July 2023, 478 manufacturing companies suffered a confirmed ransomware attack, losing an estimated $46.2 billion in downtime alone.

When a manufacturing company is hit with a ransomware attack, it can significantly impact its production lines, meaning customer orders cannot be fulfilled and day-to-day operations come to a standstill.

To look at how widespread these types of attacks on the manufacturing sector are and to find out their true cost, we looked at each of the 478 attacks in detail. Using data from our worldwide ransomware tracker, we searched for reports on the amount of downtime caused, how much data was stolen, how much the ransom demands were, and whether or not these ransom demands were met.

Please note: while we may have logged a higher number of attacks in one country compared to another, this doesn’t necessarily mean it is more “targeted” by attackers. Rather, the awareness and reporting of such attacks may be more in-depth. For instance, data breach reporting tools and regulations in many US states help confirm these attacks. Those same tools and regulations don’t exist in many other countries.

Key findings:

From 2018 to July 2023, we found:

  • 478 confirmed ransomware attacks on manufacturing companies with 2020 witnessing the most attacks (167 in total)
  • At least 7.5 million individual records were breached as a result of these attacks
  • Ransom demands varied from $5,000 to $50 million
  • On average, hackers demanded $11.2 million, suggesting around $5.5 billion in ransom has been demanded in total
  • Only four companies are known to have paid the ransom but many organizations will withhold this information in fear it makes them more vulnerable to these attacks. A confirmed $750,000 was paid across two of these attacks
  • Downtime varied from several hours to 76 days
  • The average downtime from attacks increased in 2022 to 12.2 days from 6.4 days in 2021
  • The overall cost of downtime is estimated at $46.2bn
  • Manufacturers within the transportation/automotive sector saw the highest number of attacks (92), closely followed by electronics/appliances manufacturers (80)
  • Egregor and Conti were the most dominant strains of ransomware in 2020 and 2021 (respectively) with LockBit dominating in 2022 and 2023 (so far)

Food and beverage organizations (such as food producers, agricultural companies, and beverage organizations) aren’t included within this data set. We collate these in their own category and have produced a separate report on the food and beverage sector here. Manufacturers of equipment for the food sector are included in this study, however.

Ransomware attacks on manufacturing companies by month and year

As we’ve already seen, 2020 was the biggest year for ransomware attacks on manufacturing organizations with 167 in total. It was closely followed by 2021 with 148.

2022 saw a big dip in the number of attacks, with 81 noted, around half of 2020’s total. With 55 recorded up to the end of July 2023, ransomware attacks on the manufacturing sector appear to be on the uptick again this year. This mirrors the overall trend we are seeing across other industries, too.

Another thing to note is the higher number of records breached in these attacks. Around 5.9 million records have already been confirmed as breached in ransomware attacks from January to July 2023. The vast majority of these came from the attack on pharmaceutical company PharMerica. The ransomware group Money Message breached the organization’s systems in March 2023, potentially impacting 5,815,591 individuals’ records.

The number of records impacted in breaches on manufacturing companies is lower than in other sectors (we recently noted a total loss of 32.3 million records in the finance sector from 2018 to June 2023, for example). But that doesn’t mean data theft isn’t a motive for ransomware hackers. Even though encryption and disruption of manufacturing processes is arguably a more impactful way to try to secure a ransom from these companies, the recent attack on PharMerica shows how manufacturing organizations holding sensitive data (e.g. a pharmaceutical company with healthcare information) remain a high-ticket prize for cybercriminals.

  • Number of attacks:
    • 2023 (to July) – 55
    • 2022 – 81
    • 2021 – 148
    • 2020 – 167
    • 2019 – 15
    • 2018 – 12
  • Number of records impacted:
    • 2023 (to July) – 5,867,627
    • 2022 – 655,270
    • 2021 – 856,376
    • 2020 – 148,535
    • 2019 – 7,222
    • 2018 – 1,165
  • Average downtime:
    • 2023 (to July) – 6.9 days
    • 2022 – 12.2 days
    • 2021 – 6.4 days
    • 2020 – 6.8 days
    • 2019 – 8.2 days
    • 2018 – 11 days
  • Downtime caused (known cases):
    • 2023 (to July) – 138 days (20 cases)
    • 2022 – 341 days (28 cases)
    • 2021 – 244 days (38 cases)
    • 2020 – 204 days (30 cases)
    • 2019 – 49 days (6 cases)
    • 2018 – 55 days (5 cases)
  • Estimated downtime caused (based on known cases and average in unknown):
    • 2023 (to July) – 380 days
    • 2022 – 988 days
    • 2021 – 948 days
    • 2020 – 1,136 days
    • 2019 – 123 days
    • 2018 – 132 days
  • Estimated cost of downtime:
    • 2023 (to July) – $4.7bn
    • 2022 – $12.3bn
    • 2021 – $11.8bn
    • 2020 – $14.2bn
    • 2019 – $1.5bn
    • 2018 – $1.65bn

The true cost of ransomware attacks on manufacturing companies

Ransom demands varied dramatically in the attacks we analyzed, varying from $5,000 to $50 million. This staggering amount of $50 million wasn’t a one-off, either. It was demanded four times from REvil and LockBit (twice each). REvil demanded $50m from Acer in March 2021 and $50m from Quanta Computer, Inc. in April 2021. Acer offered the hackers $10 million but this was rejected.

In October 2021, LockBit hit E.M.I.T. Aviation Consulting Ltd and demanded $50m after allegedly stealing 6TB of data. Then, in August 2022, it hit Continental with a $50m ransom, which Continental refused to pay.

Other large ransoms include:

  • Foxconn Electronics – $34.7 million: In November 2020, DoppelPaymer infected Foxconn’s systems in North America with ransomware before demanding nearly $35 million in ransom.
  • Pierre Fabre – $25 million: Cosmetics brand Pierre Fabre suffered a REvil ransomware attack in March 2021 in which the hackers demanded $25 million. When Pierre Fabre didn’t meet these demands, the group upped the ransom to $50 million.
  • Compal Electronics – $17 million: DoppelPaymer attacked Compal Electronics in November 2020 before demanding $16.7 million (the price of 1,100 bitcoins at the time).

According to the data we were able to find:

  • Average ransom demand:
    • 2023 (to July) – $1.7m
    • 2022 – $8.8m
    • 2021 – $21.9m
    • 2020 – $8.9m
    • 2019 – $6m
    • 2018 – $5,000
  • Ransom demanded (known cases):
    • 2023 (to June) – $6.7m (4 cases)
    • 2022 – $79.1m (9 cases)
    • 2021 – $196.9m (9 cases)
    • 2020 – $80.3m (9 cases)
    • 2019 – $6m (1 case)
    • 2018 – $5,000 (1 case)

This demonstrates how extortionately high ransom demands are for the manufacturing sector. This is likely due to the fact that these organizations can ill afford system downtime that halts production and impacts sales.

Adding in downtime

Downtime is one of the biggest costs companies face when hit with ransomware. If an organization isn’t able to get back up and running quickly, the knock-on effect can have widespread consequences for the company. Not only can it lead to huge costs but, in some cases, company closure. For example, when Clestra Hauserman (a French building material manufacturer) was attacked in April 2022, it affected the organization’s production for seven weeks and cost the company $2 to $3 million. This ultimately led to the company going into receivership.

Using all of the available data, we have been able to estimate the true cost of downtime on the manufacturing sector. According to a 2017 report, the average cost of downtime (across 20 different industries) is $8,662 per minute. Applying this figure to our estimated downtime suggests that manufacturers around the world have lost an estimated $46.2 billion to downtime from ransomware attacks.

While this may seem high, other figures suggest it could be an underestimate of the overall cost. For example, The True Cost of Downtime report from Senseye Predictive Maintenance puts the average cost of a ransomware attack on a large automotive company at over $2 million per hour, equating to $33,333 per minute. However, as our study covers a range of companies, large and small, we have opted for the lower figure.
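The downtime cost model used in this report is simple enough to reproduce from the per-year figures above: downtime for cases with no reported figure is filled in with that year’s average (known days divided by known cases, rounded to one decimal as the report presents it), and the resulting day count is multiplied by 1,440 minutes and a per-minute cost. The following is an added worked example, not code from the original report; the per-year inputs are the report’s own numbers, and the two per-minute rates are the $8,662 cross-industry figure the report uses and the $33,333 Senseye figure it mentions as an upper reference. It also exposes the rate as a parameter so the sensitivity of the headline figure to that choice can be seen.

```python
import math
from dataclasses import dataclass

# Per-minute downtime cost figures quoted in the report.
COST_PER_MINUTE_CROSS_INDUSTRY = 8_662     # 2017 average across 20 industries (used by the report)
COST_PER_MINUTE_LARGE_AUTOMOTIVE = 33_333  # Senseye figure for a large automotive company
MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class YearStats:
    year: str
    attacks: int       # confirmed attacks in the year
    known_cases: int   # attacks with a reported downtime figure
    known_days: int    # total downtime reported across those cases


# Inputs taken from the report's per-year lists (attacks, known cases, known days).
REPORT_DATA = [
    YearStats("2023 (to July)", 55, 20, 138),
    YearStats("2022", 81, 28, 341),
    YearStats("2021", 148, 38, 244),
    YearStats("2020", 167, 30, 204),
    YearStats("2019", 15, 6, 49),
    YearStats("2018", 12, 5, 55),
]


def _round_half_up(value: float, decimals: int = 0) -> float:
    """Conventional half-up rounding (Python's round() rounds halves to even)."""
    scale = 10 ** decimals
    return math.floor(value * scale + 0.5) / scale


def average_downtime(stats: YearStats) -> float:
    """Average downtime per known case, to one decimal place as the report presents it."""
    return _round_half_up(stats.known_days / stats.known_cases, 1)


def estimated_downtime_days(stats: YearStats) -> int:
    """Known downtime plus the yearly average applied to every case with no reported figure."""
    unknown_cases = stats.attacks - stats.known_cases
    return int(_round_half_up(stats.known_days + unknown_cases * average_downtime(stats)))


def downtime_cost_usd(days: float, cost_per_minute: int = COST_PER_MINUTE_CROSS_INDUSTRY) -> float:
    """Cost of a number of downtime days at a given per-minute rate."""
    return days * MINUTES_PER_DAY * cost_per_minute


def cost_in_billions(days: float, cost_per_minute: int = COST_PER_MINUTE_CROSS_INDUSTRY) -> float:
    """Same cost expressed in billions of dollars to one decimal place."""
    return round(downtime_cost_usd(days, cost_per_minute) / 1e9, 1)


def total_estimated_days(data=REPORT_DATA) -> int:
    return sum(estimated_downtime_days(s) for s in data)


def total_estimated_cost_usd(data=REPORT_DATA, cost_per_minute: int = COST_PER_MINUTE_CROSS_INDUSTRY) -> float:
    return downtime_cost_usd(total_estimated_days(data), cost_per_minute)


if __name__ == "__main__":
    for s in REPORT_DATA:
        days = estimated_downtime_days(s)
        print(f"{s.year:15} avg {average_downtime(s):5.1f} d  est {days:5d} d  ${cost_in_billions(days)}bn")
    print(f"Total: {total_estimated_days()} days, ${round(total_estimated_cost_usd() / 1e9, 1)}bn "
          f"(${cost_in_billions(total_estimated_days(), COST_PER_MINUTE_LARGE_AUTOMOTIVE)}bn at the Senseye rate)")
```

Running it reproduces the report’s per-year estimates (380, 988, 948, 1,136, 123 and 132 days) and the $46.2bn total; switching to the Senseye rate multiplies the total by roughly 3.8, which is why the choice of rate matters more than any single year’s case count.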

Other specific examples include the recent attack on MKS Instruments, Inc. which is reported to have cost the company a hit in revenue of $200 million. SAF-Holland, which was attacked by ALPHV/BlackCat in March 2023, also noted losses of sales worth $40 million.

In August 2018, Taiwan Semiconductor Manufacturing Company (TSMC) was hit by WannaCry and lost $170 million in revenue. Just last month, it looked as though it had been hacked again with LockBit demanding $70 million. But TSMC has since confirmed it was one of its hardware suppliers that was breached.

Ransomware remains a key threat to manufacturing companies

55 attacks on manufacturing organizations have been confirmed so far this year, with an average of one week of downtime per attack. Ransomware remains a key threat for this sector going forward. Not only that, but attacks via third parties have widespread consequences across all industries. These include the recent attacks on Fortra and MOVEit (these are only included in our worldwide ransomware tracker as single attacks, so each victim isn’t logged separately).

Impacting production may be a key focus for attacks on this industry, but we are seeing an increase in the data stolen via these attacks, meaning companies with sensitive data (e.g. pharma companies) are particularly vulnerable.

Methodology

Using the database from our ransomware attack map, our research found 478 manufacturing ransomware attacks in total. From this data, we were able to determine ransom amounts, whether or not ransoms were paid, and the downtime caused.

Where no specific downtime figure was given and only phrases such as “several days,” “one month” or “back to 80% after 6 weeks” were quoted, we created estimates from these phrases based on the lowest figure they could reasonably mean. For example, “several days” is counted as three days, “one month” as the number of days in the month the attack happened, and where recovery of a certain percentage of systems/production after a number of weeks was reported, that number of weeks was used (e.g. six weeks in the previous example).

Due to the nature of manufacturing companies, we have only included downtime figures for lost production time (where available). Often, companies said that their systems had been impacted but operations/production remained at normal levels. In these cases, downtime was zero.
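The two methodology rules above (lower-bound estimates from vague wording, and zero downtime where systems were hit but production continued) can be written down as a small classifier, which also makes the “unknown” bucket that the yearly average later fills in explicit. This is an added example, not the report’s own tooling, and the case descriptions and dates it runs on are constructed for illustration. Two details go beyond what the report states and are assumptions here: a count of “N months” is taken as the calendar days of N consecutive months starting with the attack month (the report only specifies “one month”), and hour-scale outages are counted as a fraction of a day.

```python
import calendar
import re
from datetime import date
from typing import Optional

SEVERAL = 3  # "several" is read as three, the lowest figure it could reasonably mean

NUMBER_WORDS = {"a": 1, "an": 1, "one": 1, "two": 2, "three": 3, "four": 4, "five": 5,
                "six": 6, "seven": 7, "eight": 8, "nine": 9, "ten": 10, "several": SEVERAL}

# A quantity (digits, number word or "several") followed by a duration unit.
DURATION_RE = re.compile(r"\b(\d+|" + "|".join(NUMBER_WORDS) + r")\s+(hour|day|week|month)s?\b")

# "Systems impacted but production/operations unaffected" wording -> zero downtime.
NO_IMPACT_RE = re.compile(
    r"\b(production|operations?)\b[^.]*\b(unaffected|not affected|normal|continued|uninterrupted)\b")


def _to_number(token: str) -> int:
    return int(token) if token.isdigit() else NUMBER_WORDS[token]


def _calendar_days(start: date, months: int) -> int:
    """Days in `months` consecutive calendar months beginning with the attack month (assumption)."""
    total, year, month = 0, start.year, start.month
    for _ in range(months):
        total += calendar.monthrange(year, month)[1]
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return total


def lower_bound_downtime_days(description: str, attack_date: date) -> Optional[float]:
    """Lower-bound production downtime in days, 0.0 for 'production unaffected', None if unknown."""
    text = description.lower()
    match = DURATION_RE.search(text)
    if match:
        qty, unit = _to_number(match.group(1)), match.group(2)
        if unit == "month":
            return float(_calendar_days(attack_date, qty))
        if unit == "week":
            return qty * 7.0
        if unit == "day":
            return float(qty)
        return qty / 24.0  # hours, counted as a fraction of a day (assumption)
    if NO_IMPACT_RE.search(text):
        return 0.0
    return None  # no usable figure: this case gets the yearly average instead


def summarise(cases) -> dict:
    """Roll a list of (description, attack_date) pairs into the known/unknown split used per year."""
    estimates = [lower_bound_downtime_days(text, when) for text, when in cases]
    known = [d for d in estimates if d is not None]
    return {"known_cases": len(known), "known_days": sum(known),
            "unknown_cases": len(cases) - len(known)}


# Constructed sample cases, written to exercise each rule.
SAMPLE_CASES = [
    ("Production halted for several days while systems were restored", date(2022, 4, 12)),
    ("Operations disrupted for one month", date(2022, 4, 12)),
    ("Production back to 80% after 6 weeks", date(2022, 4, 12)),
    ("Systems impacted but production remained at normal levels", date(2022, 5, 3)),
    ("Plant offline for several hours", date(2022, 5, 20)),
    ("Ransomware incident under investigation", date(2022, 6, 1)),
]

if __name__ == "__main__":
    for text, when in SAMPLE_CASES:
        print(f"{lower_bound_downtime_days(text, when)!s:>8}  {text}")
    print(summarise(SAMPLE_CASES))
```

The ordering inside lower_bound_downtime_days matters: a stated duration wins over “production normal” wording, so “production returned to normal after two weeks” yields 14 days rather than zero, while a report that names no duration at all lands in the unknown bucket rather than being silently counted as zero.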

For a full list of sources, please see our worldwide ransomware tracker.