Ransomware hammers manufacturing sector
Ransomware attacks on manufacturers are skyrocketing. For cybercriminals, the sector sits at a sweet spot on the risk-reward continuum.
The manufacturing sector is increasingly bearing the brunt of ransomware attacks, ranking as the most-targeted sector in separate analyses from researchers at NordStellar, KELA, ZeroFox, GuidePoint Security and Dragos.
The reason is simple, according to experts: Ransomware operators want to maximize reward while minimizing effort and risk. In short, manufacturers are easy targets because their highly interconnected IT/operational technology (OT) systems are built on vulnerable legacy equipment, and their low tolerance for production delays motivates them to pay to end attacks. Just over half of manufacturing victims made ransom payments in 2025, according to a recent Sophos survey. The median amount was $1 million, and 18% of payments were $5 million or more.
"Disruptions in manufacturing that result in shutting down production systems are extremely costly," said Paul Furtado, analyst at Gartner. He added that the interconnected nature of supply chains means a ransomware attack on one supplier often has cascading effects on its partners, their partners and so on -- giving attackers additional leverage and further incentivizing victims to meet attackers' demands.
Take, for example, the 2022 ransomware attack on one of Toyota Motor Company's third-party suppliers. The incident at Kojima Industries -- a manufacturer of interior and exterior automotive components, such as steering wheel parts -- in turn forced Toyota to halt production across all 14 of its Japanese factories.
Motive and means: Valuable data and vulnerable infrastructure
If time is money for a manufacturer -- with every moment of downtime hurting the bottom line -- its data are the crown jewels.
"Manufacturers are guardians of trade secrets," Furtado said, explaining that their proprietary engineering designs and production processes make them particularly susceptible to data theft.
Sophos found that 40% of ransomware attacks on manufacturing organizations in 2025 resulted in data encryption, 16% involved encryption and data theft, and another 10% were extortion-only ransomware attacks in which attackers stole manufacturers' data and threatened to expose it online. Extortion-only attacks against manufacturers are rising, up from just 3% the previous year.
From a technical perspective, the manufacturing sector is an easy target because its systems and industrial equipment were not designed for the current era of IoT and IT/OT convergence. While connecting legacy OT to enterprise IT systems has enormous business benefits, it also carries significant security risks. Forty-two percent of manufacturing organizations that Sophos surveyed said unknown security gaps contributed to their recent ransomware attacks, and 41% cited inadequate security protections.
"Because of an inherent trust that's been a staple of OT networking for so long, once you cross from IT into OT, you often have much broader access to systems than you would in a mature IT security environment," said Paddy Harrington, analyst at Forrester. "An attacker just has to find their way across the bridge, if you will, and the doors are often wide open."
For attackers, manufacturing is a low-risk target
Although ransomware gangs also regularly target other critical infrastructure sectors, including energy, healthcare, telecom and transportation, "manufacturing leads by a mile," according to Harrington.
That's partly because non-nation-state operators want money, not trouble. And while manufacturers deal in material goods, other critical infrastructure sectors have inherently higher stakes.
Attacks on energy corporations and healthcare providers, for example, could result in loss of life -- which would, in turn, invite heightened law enforcement scrutiny and public ire. And that, Harrington added, is bad for business. "You've just painted a big target on yourself for law enforcement or even military action, and they'll actively hunt you," he said.
How manufacturers can mitigate ransomware risk
Harrington said he has seen growing interest among manufacturing firms in improving OT security, from basic asset discovery to more sophisticated strategies such as the following:
- Risk posture management.
- Network segmentation.
- Secure remote access for OEM partners.
- Threat detection and response.
- Endpoint security tools, such as endpoint protection platforms, endpoint detection and response, and extended detection and response.
"Companies are getting pushback from the OEMs if they try and use anything other than a couple sanctioned solutions," Harrington said. But, he added, as responsibility for OT security increasingly shifts to CISOs, they need better tools to adequately manage ransomware risk.
Alissa Irei is senior site editor of Informa TechTarget Security.
