On average, manufacturing companies lose $1.9 million per day to downtime from ransomware attacks

From 2018 to October 2024, 858 manufacturing companies suffered a confirmed ransomware attack. On average, this costs companies over $1.9 million per day of downtime, resulting in total estimated losses of $17 billion.

When a manufacturing company is hit with a ransomware attack, it can significantly impact its production lines, meaning customer orders cannot be fulfilled and day-to-day operations come to a standstill.

2023 proved that manufacturers aren’t immune to the growing threat of double-extortion ransomware attacks. A staggering 43.9 million records were compromised by such attacks in 2023. That’s more than 40 times higher than the 971,000 noted in 2022. 2023 also saw a resurgence in attacks on manufacturers: 194 confirmed in total, up from 109 in 2022.

To see how widespread attacks on manufacturers are, and to estimate their true cost, we looked at each of the 858 attacks in detail. Using data from our worldwide ransomware tracker, we searched for reports on the amount of downtime caused, how much data was stolen, how much the ransom demands were, and whether or not these ransom demands were met.

Please note: while we may have logged a higher number of attacks in one country compared to another, this doesn’t necessarily mean it is more “targeted” by attackers. Rather, the awareness and reporting of such attacks may be more in-depth. For instance, data breach reporting tools and regulations in many US states help confirm these attacks. Those same tools and regulations don’t exist in many other countries.

Key findings:

From 2018 to October 2024, we found:

  • 858 confirmed ransomware attacks on manufacturing companies with 2020 and 2023 witnessing the most attacks (195 and 194 respectively)
  • Over 48.5 million individual records (at least) were breached as a result of these attacks. 2023 accounts for nearly 91 percent of these
  • Since 2018, an average day of downtime costs a manufacturing company just over $1.9 million
  • Using the above, we estimate the total cost of these ransomware incidents is over $17 billion
  • Downtime varied from several hours to 129 days
  • On average, manufacturers lose 11.6 days to downtime resulting from ransomware attacks
  • Ransom demands varied from $5,000 to $200 million. The latter was demanded after LockBit’s attack on Boeing (which wasn’t paid)
  • On average, attackers demanded $10.7 million in ransom. Based on that figure, we can estimate that around $9.3 billion in ransom has been demanded in total
  • Manufacturers within the transportation/automotive sector saw the highest number of attacks (130), closely followed by those in food and beverage (124)
  • Egregor and Conti were the most dominant strains of ransomware in 2020 and 2021, respectively. LockBit dominated in 2022 and 2023. Play and Black Basta are dominating so far in 2024

The true cost of ransomware attacks on manufacturing companies

As we’ve already seen, ransom demands varied dramatically in the attacks we analyzed, ranging from $5,000 to $200 million. However, in the majority of cases, companies don’t disclose the ransom demand (we found figures for just 64 of the 858 attacks) and are even less likely to admit they’ve paid the ransom (only eight companies have done this).

The top five largest ransom demands on the manufacturing sector:

  1. Boeing – $200 million: LockBit demanded $200 million from Boeing in October 2023. Boeing refused to pay and the gang released 43GB of data that it claimed to have stolen. The gang suggested Boeing did enter into negotiations at one time.
  2. Johnson Controls International – $51 million: Dark Angels hit the industrial equipment manufacturer in September 2023 and demanded $51 million. Johnson Controls didn’t confirm whether or not a ransom was paid but the attack caused widespread disruption for several months with recovery efforts costing the company $27 million.
  3. Quanta Computer Inc., Acer, E.M.I.T. Aviation Consulting Ltd., and Continental – $50 million: Throughout 2021 all four of these companies were hit with $50 million ransoms from REvil and LockBit. REvil demanded the amount from Acer in March 2021 and from Quanta Computer, Inc. in April 2021. Acer offered the hackers $10 million but was refused. In October 2021, LockBit hit E.M.I.T. Aviation Consulting Ltd after allegedly stealing 6TB of data. Then, in August 2022, it hit Continental with the same ransom–Continental refused to meet these demands.
  4. Foxconn Electronics – $34.7 million: In November 2020, DoppelPaymer infected Foxconn’s systems in North America with ransomware before demanding nearly $35 million in ransom. It took around nine days for the company to recover.
  5. Pierre Fabre – $25 million: Cosmetics brand Pierre Fabre suffered a REvil ransomware attack in March 2021 in which the hackers demanded $25 million. When Pierre Fabre didn’t meet these demands, the group upped the ransom to $50 million. The company was able to restore systems within 24 hours, however.

According to the data we were able to find:

  • Average ransom demand:
    • 2024 (to October) – $2.6m
    • 2023 – $16.5m
    • 2022 – $7m
    • 2021 – $17.5m
    • 2020 – $8.1m
    • 2019 – $6m
    • 2018 – $12,682
  • Ransom demanded (known cases):
    • 2024 (to October) – $23.5m (9 cases)
    • 2023 – $264.3m (16 cases)
    • 2022 – $84.2m (12 cases)
    • 2021 – $210.5m (12 cases)
    • 2020 – $96.8m (12 cases)
    • 2019 – $6m (1 case)
    • 2018 – $25,363 (2 cases)
  • Ransoms paid:
    • 2024 (to October) – 0
    • 2023 – 1
    • 2022 – 1
    • 2021 – 3
    • 2020 – 3
    • 2019 – 0
    • 2018 – 0

This demonstrates how extortionately high ransom demands are for the manufacturing sector. This is likely due to the fact that these organizations can ill afford system downtime that halts production and impacts sales.

Adding in downtime

Downtime is one of the biggest costs companies face when hit with ransomware. If an organization isn’t able to get back up and running quickly, the knock-on effect can have widespread consequences for the company. Not only can it lead to huge costs but, in some cases, company closure. For example, German machinery manufacturer, Schumag AG, recently filed for insolvency after a ransomware attack in September 2024 (and a drop in sales) led to financial difficulties.

To try and ascertain how much ransomware attacks have potentially cost manufacturing companies, we have used the overall ransomware recovery costs quoted by 34 entities. Using these amounts, we established an average downtime cost per day of $1,926,776.

The average cost per day across each year was as follows:

  • 2024 – $351,635 (5 known cases)
  • 2023 – $614,848 (10 known cases)
  • 2022 – $520,766 (7 known cases)
  • 2021 – $3,124,176 (2 known cases)
  • 2020 – $513,962 (5 known cases)
  • 2019 – $4,201,718 (4 known cases)
  • 2018 – $28,333,333 (1 known case)

Because there is such a huge variation in the above figures, we’ve used the overall average across all years ($1.9 million) in our estimations where individual costs are unavailable. Using this, we were able to estimate that the total cost of ransomware attacks on manufacturing organizations since 2018 is $17 billion.

Companies with the biggest reported recovery costs include:

  • Demant – $95 million: The Danish medical equipment manufacturer noted losses of $95 million following an attack in September 2019. It didn’t pay a ransom to an unknown group but still hadn’t recovered a month after the attack.
  • Taiwan Semiconductor Manufacturing Company – $85 million: The incident in August 2018 caused shipment delays and a loss of NT$2,596 million (US$85 million) but production was resumed after three days. TSMC was hit with the WannaCry variant.
  • WestRock – $79 million: In January 2021, the packaging manufacturer was hit by an attack that resulted in costs of $50 million due to lost sales and production and a further $29 million in recovery efforts in the subsequent months.
  • Norsk Hydro – $71.6 million: This March 2019 attack was expected to cost between NOK 800 million and NOK 1 billion (USD$71.6m to $89.5m). LockerGoga was responsible for the attack which caused a week of disruptions.
  • The Clorox Company – $57 million: The Clorox Company was attacked in August 2023 and experienced delays to order processing for over a month. The ransomware group remains unknown.

Sometimes, companies face additional costs due to lost sales but many are able to recoup these costs in the following months. Where this is noted in financial reports, these lost sales are not included in the above calculations. For example, SAF-Holland suffered lost sales of $40 million but these were mostly recouped. It also noted $4 million in expenses for the cyber attack, which is the figure we’ve used.

Ransomware attacks on manufacturing companies by month and year

As we’ve already seen, 2023 saw a resurgence in ransomware attacks on the manufacturing industry. Attacks rose to 194 in 2023 from 109 in 2022. 2022 had previously seen a large dip in attacks (dropping from 195 and 189 in 2020 and 2021 respectively).

In previous years, the manufacturing sector hasn’t seen a large number of records impacted. But this changed in 2023 with 43.9 million impacted. This staggering total stems primarily from the three attacks on VF Corporation (35.5 million records affected), PharMerica/BrightSpring Health (5.8 million affected), and PurFoods, LLC/Mom’s Meals (1.2 million affected).

  • Number of attacks:
    • 2024 (to October) – 137
    • 2023 – 194
    • 2022 – 109
    • 2021 – 189
    • 2020 – 195
    • 2019 – 21
    • 2018 – 13
  • Number of records impacted:
    • 2024 (to October) – 1,602,528
    • 2023 – 43,910,730
    • 2022 – 970,730
    • 2021 – 1,785,691
    • 2020 – 229,781
    • 2019 – 7,222
    • 2018 – 1,165
  • Average downtime:
    • 2024 (to October) – 11.03 days
    • 2023 – 14.11 days
    • 2022 – 16.03 days
    • 2021 – 7.6 days
    • 2020 – 8.56 days
    • 2019 – 12.9 days
    • 2018 – 14 days
  • Estimated downtime caused (based on known cases and average in unknown):
    • 2024 (to October) – 1,511 days
    • 2023 – 2,737 days
    • 2022 – 1,747 days
    • 2021 – 1,429 days
    • 2020 – 1,669 days
    • 2019 – 271 days
    • 2018 – 182 days
  • Estimated cost of downtime:
    • 2024 (to October) – $2.8bn
    • 2023 – $4.6bn
    • 2022 – $2.8bn
    • 2021 – $2.8bn
    • 2020 – $3.1bn
    • 2019 – $517m
    • 2018 – $430m

Ransomware remains a key threat to manufacturing companies

So far this year, we’ve already confirmed 137 ransomware attacks on manufacturing companies across the globe. And with many of these attacks only becoming known several months after the attack, this figure will likely rise to reach 2023’s levels, if not higher. We also noted 704 unconfirmed attacks on this sector this year so far. Those include attacks that have been claimed by ransomware gangs but not acknowledged by targeted organizations.

1.6 million records have also been impacted across these attacks, highlighting the ongoing threat of data theft as well as system encryption. Companies with large data sets (like VF Corporation) and/or sensitive data (e.g. pharma companies) account for an outsized proportion of these records.

Methodology

Using the database from our ransomware attack map, our research found 858 manufacturing ransomware attacks in total. The data contains ransom amounts, whether or not ransoms were paid, and the downtime caused.

If no specific figures were given for downtime, i.e. “several days,” “one month” or “back to 80% after 6 weeks” were quoted, then we created estimates from these figures based on the lowest figure they could be. For example, “several days” is three days, “one month” is the number of days in the month the attack happened, and the number of weeks quoted when talking about the recovery of a certain percentage of systems/production was used (e.g. six weeks per the previous example).

Due to the nature of manufacturing companies, we have only included downtime figures for lost production time (where available). Often, companies said that their systems had been impacted but operations/production remained at normal levels. In these cases, downtime was zero.
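
The estimation rules above, written out as an added example (this is not the researchers' own code): vague downtime phrases are normalized to their lowest possible value, unaffected production counts as zero, and a cost is derived where none was reported. The field names and sample incidents are constructed, and filling unknown downtime with the mean of the known cases in the batch is an assumption.

```python
import calendar
import re
from datetime import date

AVG_COST_PER_DAY = 1_926_776  # overall average cost per day quoted in the report (USD)

def downtime_days(phrase, attack_date, production_hit=True):
    """Lower-bound downtime in days for a reported phrase, or None if unknown."""
    if not production_hit:
        return 0.0  # systems impacted but production normal: downtime is zero
    if not phrase:
        return None
    text = phrase.lower()
    if "several days" in text:
        return 3.0
    if "one month" in text:
        # number of days in the month the attack happened (handles leap years)
        return float(calendar.monthrange(attack_date.year, attack_date.month)[1])
    m = re.search(r"(\d+)\s*(day|week)s?\b", text)  # skips "80%" and finds "6 weeks"
    if m:
        return float(m.group(1)) * (7 if m.group(2) == "week" else 1)
    return None

def estimate(incidents):
    """Return (total downtime days, total cost in USD) for a list of incidents."""
    days = [downtime_days(i["downtime"], i["date"], i["production_hit"]) for i in incidents]
    known = [d for d in days if d is not None]
    # Assumption: unknown downtime is imputed with the mean of the known cases.
    avg = sum(known) / len(known) if known else 0.0
    total_days = total_cost = 0.0
    for inc, d in zip(incidents, days):
        d = avg if d is None else d
        total_days += d
        # A reported recovery cost is used as-is; otherwise days x average cost per day.
        total_cost += inc["cost"] if inc["cost"] is not None else d * AVG_COST_PER_DAY
    return total_days, total_cost

# Constructed sample incidents (not taken from the tracker).
SAMPLE = [
    {"date": date(2024, 2, 10), "downtime": "one month", "production_hit": True, "cost": None},
    {"date": date(2024, 5, 1), "downtime": "several days", "production_hit": True, "cost": 4_000_000},
    {"date": date(2024, 6, 15), "downtime": "back to 80% after 6 weeks", "production_hit": True, "cost": None},
    {"date": date(2024, 7, 1), "downtime": None, "production_hit": False, "cost": None},
    {"date": date(2024, 8, 1), "downtime": None, "production_hit": True, "cost": None},
]

if __name__ == "__main__":
    print(estimate(SAMPLE))
```
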

For a full list of sources, please see our worldwide ransomware tracker.

Data researcher: Charlotte Bond