Ransomware attacks on US manufacturing and utility businesses cost $5.53bn in 2022

In 2022, 60 manufacturing and utility businesses were struck by ransomware attacks, which resulted in the compromise of more than 500,000 records. We estimate that these attacks cost manufacturing and utility entities more than $5.53 billion in downtime alone.

Manufacturers and utilities have experienced a vast number of ransomware attacks since 2018. Most of them occurred during the pandemic, and attacks towards the end of 2020 spiraled out of control (September 2020 saw 22 attacks alone). While ransomware attacks, in general, are destructive, the impact on manufacturers and utility providers can be even more detrimental, causing major waiting times in production, losses in sales, power cuts, delayed payments, and even company closures.

For example, the recent attack on MKS Instruments in February 2023 is not only forecast to have cost the company at least $200 million in lost revenue but has also had a potential knock-on effect on its customers. Chip manufacturer Applied Materials reported that it may see a downfall of $250 million, while Ultra Clean Holdings anticipates its quarterly revenues will take a $30 million hit as a result of the attack on MKS.

So, what is the true cost of these ransomware attacks on manufacturing and utility sectors in the US, how has the ransomware threat changed over the last few years, and what has happened so far in 2023?

To find out, our team of researchers collated data on all of the publicly confirmed ransomware attacks affecting manufacturers and utilities since 2018. We used state reporting tools, data breach reports, company press releases, and specialist IT news to gather as much data on these attacks as possible. Then, we utilized all of the available information on ransoms paid and downtime caused to create estimates on the likely impact of these attacks.

Unfortunately, many organizations try to refrain from reporting that they have suffered a ransomware attack unless disrupted systems and/or breached data force them to do so. Therefore, our data only includes publicly reported attacks and likely only scratches the surface of the problem.

Key findings

In 2022:

60 individual ransomware attacks on manufacturers and utilities–a 36 percent decrease from 2021 (94)
514,574 individual records were impacted–a small decrease from 2021 (595,791)
Ransomware amounts varied from $250,000 to $60 million
Downtime varied from a matter of hours (thanks to frequent data backups) to weeks of inaccessible systems
On average, manufacturers and utilities experienced more than 7.4 days of downtime, which accounted for an estimated 443 total days of downtime
Hackers demanded more than $65 million across just four attacks and received payment in two of these attacks (totaling $550,000)
We estimate the overall cost of these attacks is around $5.53 billion
LockBit, BlackBasta, and Conti were the most prolific hackers (where the entity disclosed the hacker name or the hacker claimed responsibility for the attack)

Which state had the most ransomware attacks on manufacturers & utility providers in 2022?

As we can see from the map below, California had the most ransomware attacks (12) with 20 percent of the total in 2022. But this is perhaps expected due to it being home to a large number of manufacturing companies in general. Ohio was the state with the second-largest number of attacks with five attacks in 2022. More than half of the states in the US (29) reported at least one ransomware attack on a manufacturing/utility organization in 2022.

There’s a similar pattern when it comes to the number of records affected, too. California saw the most records impacted (167,307). These records come from two attacks–one on food manufacturer Reiter Affiliated Companies in which 93,000 records were affected, and one on manufacturing company Nvidia in which more than 71,000 records were compromised. The latter was carried out by the LAPSUS$ ransomware gang and resulted in two days of downtime.

Ohio and South Dakota were the only two other states that had more than 100,000 records affected (137,425 and 113,718 respectively).

If we compare the number of records affected by organizations within the manufacturing and utility sectors, these figures are often significantly lower than some other sectors. For example, in 2022, financial organizations saw over 3 million records affected as a result of ransomware attacks, according to our ransomware tracker.

Data held by financial institutions will often hold more value (on the dark web) than some of the customer data held by manufacturing/utility companies. This, therefore, suggests that hackers are targeting manufacturers/utility providers in the hope of causing large-scale disruption to their systems, rather than stealing vast quantities of data. By impacting day-to-day operations, hackers likely increase their chances of securing a ransom payment.

How much did these ransomware attacks cost manufacturers and utilities in 2022?

As we have already noted, ransom demands varied significantly in 2022, ranging from $250,000 to $65 million. Equally, only a few entities released the exact ransom demand–we noted just four cases out of 60. This is due to organizations not wanting to disclose these figures and whether or not they’ve paid them as it could make them a target for future attacks.

Below are the known ransom demands:

Intrado (December 2022 – $60 million) – After being hit with the Royal ransomware strain, hackers demanded $60 million from the company and threatened to release data if the ransom wasn’t paid. Intrado hasn’t confirmed whether it negotiated with the hackers.
JAKKS Pacific, Inc. (December 2022 – $5 million) – Two ransomware groups joined forces for this attack (ALPHV/BlackCat and Hive) and both agreed to split the $5 million ransom if it was paid. However, JAKKS Pacific refused to pay and did not negotiate with either group. It believed it could restore its systems and said it suffered minimal impact.
KFI Engineers (December 2022 – $300,000) – KFI Engineers agreed to pay $300,000 to the BlackBasta ransomware group to avoid the publication of sensitive data. With clients such as schools and hospitals, the organization negotiated with the hackers to prevent 1.1 TB of data from being published on the dark web.
Narragansett Bay Commission (July 2022 – $250,000) – Systems were brought back online “within a matter of hours” after the commission agreed to pay a quarter of a million dollars in ransom to an unknown threat actor.

Adding in downtime

Although the lack of data surrounding ransom demands makes it difficult to determine how much has been lost to these attacks, there is a cost that most of these organizations face–downtime.

When systems are encrypted, services can go down for hours, weeks, or months at a time. In the worst cases, some systems and data cannot be recovered.

According to the downtimes reported in eight of the attacks in 2022, manufacturers and utilities suffered an average downtime of 7.4 days. Downtime relates to companies restoring systems and networks that have been shut down. Using these figures, we estimate that ransomware attacks caused 443 days (over 10,000 hours) of downtime in 2022 alone.

So what costs did manufacturers and utility providers face as a result of this downtime?

According to a 2017 study, the average downtime cost per minute across 20 different industries is $8,662. This would therefore suggest that the 2022 cost of downtime to manufacturers and utility providers was $5.53 billion. Although high, it’s almost half the $9.6 billion estimated cost in 2021. Even though the average downtime in 2021 was only slightly lower than 2022’s figure (8.19 days), the greater number of attacks meant far higher costs were incurred.

Downtime on these types of organizations has decreased since 2019, however. In 2019, manufacturing and utility businesses lost 17.4 days. In 2020, this dropped to 12 days. This decrease in downtime could demonstrate a positive trend, suggesting organizations are getting quicker at recovering systems (perhaps due to better backups being in place). However, due to the lack of data surrounding ransom payments, quicker recovery times could be due to organizations paying for decryption keys to return their systems to normal.

For example, the large-scale ransomware attack on Colonial Pipeline Company saw the company paying $4.4 million to DarkSide hackers after a 6-day outage. Had they not paid the ransom, the downtime costs may have escalated way further than the ransom payment cost.

These figures, while astronomical, are in line with some of the costs organizations have disclosed, some as recently as the last few weeks:

As we’ve already seen, MKS Instruments Inc. has disclosed that the attack they suffered could cost a minimum of $200 million in lost or delayed sales. The attack was first identified on February 3, 2023, and, at the time of writing, recovery efforts are ongoing, suggesting disruptions will continue throughout March.
Packaging manufacturer, the Ardagh Group, suffered a $34 million financial loss in May 2021 due to key systems going offline, which caused significant delays in production.
Steelcase, a furniture giant, suffered two weeks of downtime in October 2020 that put $60 million worth of shipments on hold. What’s more, its Q3 financial earnings report mentioned $6 million in losses as a result of the ransomware attack.

Key findings from January 2018 to February 2023:

From January 2018 to February 2023, we tracked all of the publicly reported ransomware attacks on manufacturing and utility companies. During this time:

285 individual manufacturers and utility providers were targeted by ransomware attacks
1,377,465 records have been affected as a result
Manufacturers/utility providers have suffered an estimated 2,780 days of downtime due to these attacks
Ransom requests varied from $19,200 to $60 million
Hackers have demanded an estimated $2.1 billion in ransom
Hackers have received at least $16.45 million in ransom payments with the average payment being $3.29m
We estimate that downtime has cost manufacturing/utility organizations $34.7 billion

Ransomware attack costs on manufacturing and utility businesses by year

	TOTALS			2022			2021			2020			2019			2018
State	Attacks	# of Records Affected	Cost of Downtime	Attacks	# of Records Affected	Cost of Downtime	Attacks	# of Records Affected	Cost of Downtime	Attacks	# of Records Affected	Cost of Downtime	Attacks	# of Records Affected	Cost of Downtime	Attacks	# of Records Affected	Cost of Downtime
Alabama	5	44	514,772,266	0	0	0	2	44	176,995,843	2	0	300,356,582	1	0	37,419,840	0	0	0
Alaska	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
Arizona	5	29,239	1,265,538,989	0	0	0	2	28,747	204,312,326	2	492	300,356,582	1	0	760,870,080	0	0	0
Arkansas	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
California	36	237,679	4,537,779,264	12	167,307	1,009,088,352	8	35,364	817,249,306	14	31,238	2,382,147,014	1	3,421	217,035,072	1	349	112,259,520
Colorado	5	3,617	244,226,822	1	0	92,177,539	2	3,617	152,049,283	1	0	0	0	0	0	0	0	0
Connecticut	5	3,100	702,869,328	0	0	0	1	3,100	102,156,163	4	0	600,713,165	0	0	0	0	0	0
Delaware	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
District of Columbia	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
Florida	7	111,696	839,202,278	2	0	184,355,078	2	103,813	204,312,326	3	7,883	450,534,874	0	0	0	0	0	0
Georgia	10	56,042	933,625,008	2	3,353	129,597,379	5	52,240	491,197,766	2	0	300,356,582	1	449	12,473,280	0	0	0
Hawaii	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
Idaho	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
Illinois	18	121,381	2,364,809,155	3	2,780	396,400,838	6	98,661	730,560,010	6	19,940	901,069,747	0	0	0	3	0	336,778,560
Indiana	3	300	402,512,746	0	0	0	1	300	102,156,163	2	0	300,356,582	0	0	0	0	0	0
Iowa	4	275	494,690,285	1	275	92,177,539	1	0	102,156,163	2	0	300,356,582	0	0	0	0	0	0
Kansas	1	0	150,178,291	0	0	0	0	0	0	1	0	150,178,291	0	0	0	0	0	0
Kentucky	3	530	300,356,582	0	0	0	0	0	0	3	530	300,356,582	0	0	0	0	0	0
Louisiana	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
Maine	3	192	306,593,222	1	62	92,177,539	1	130	102,156,163	0	0	0	0	0	0	1	0	112,259,520
Maryland	5	104,806	551,568,442	2	1,919	184,355,078	1	0	0	1	102,800	150,178,291	1	87	217,035,072	0	0	0
Massachusetts	17	22,084	1,910,906,496	2	1,937	184,355,078	7	17,774	675,303,379	7	2,373	1,051,248,038	0	0	0	0	0	0
Michigan	12	15,375	1,685,888,525	1	660	92,177,539	3	1,550	306,468,490	8	13,165	1,287,242,496	0	0	0	0	0	0
Minnesota	7	2,604	935,246,534	2	0	184,355,078	0	0	0	5	2,604	750,891,456	0	0	0	0	0	0
Mississippi	1	0	1,559,160	0	0	0	1	0	1,559,160	0	0	0	0	0	0	0	0	0
Missouri	6	6,809	600,588,432	1	3,500	92,177,539	4	3,309	408,624,653	1	0	99,786,240	0	0	0	0	0	0
Montana	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
Nebraska	4	3,984	436,689,533	2	3,983	184,355,078	1	1	102,156,163	1	0	150,178,291	0	0	0	0	0	0
Nevada	4	149	506,789,366	0	0	0	1	0	102,156,163	2	0	187,598,131	1	149	217,035,072	0	0	0
New Hampshire	3	1,740	296,489,866	1	0	92,177,539	2	1,740	204,312,326	0	0	0	0	0	0	0	0	0
New Jersey	10	76,304	1,165,628,016	0	0	0	7	74,198	715,093,142	3	2,106	450,534,874	0	0	0	0	0	0
New Mexico	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
New York	12	10,798	1,599,822,893	3	1,543	276,532,618	4	8,680	393,781,450	3	575	450,534,874	2	0	478,973,952	0	0	0
North Carolina	8	13,173	1,128,956,573	1	0	92,177,539	1	3,567	374,198,400	4	5,587	537,847,834	1	3,203	12,473,280	1	816	112,259,520
North Dakota	1	0	174,625,920	0	0	0	0	0	0	1	0	174,625,920	0	0	0	0	0	0
Ohio	12	145,550	1,336,511,952	5	137,425	460,887,696	3	8,125	208,054,310	3	0	450,534,874	1	0	217,035,072	0	0	0
Oklahoma	4	40,019	456,646,781	0	0	0	3	26,176	306,468,490	1	13,843	150,178,291	0	0	0	0	0	0
Oregon	1	3,710	92,177,539	1	3,710	92,177,539	0	0	0	0	0	0	0	0	0	0	0	0
Pennsylvania	10	10,040	1,286,244,634	1	747	92,177,539	3	5,656	306,468,490	5	3,637	775,339,085	0	0	0	1	0	112,259,520
Puerto Rico	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
Rhode Island	1	0	1,559,160	1	0	1,559,160	0	0	0	0	0	0	0	0	0	0	0	0
South Carolina	3	22,859	291,625,286	1	22,859	87,312,960	2	0	204,312,326	0	0	0	0	0	0	0	0	0
South Dakota	2	113,718	184,355,078	2	113,718	184,355,078	0	0	0	0	0	0	0	0	0	0	0	0
Tennessee	5	1,500	864,024,106	1	0	87,312,960	2	1,049	476,354,563	2	451	300,356,582	0	0	0	0	0	0
Texas	24	93,449	3,002,942,160	2	0	316,696,579	9	82,337	817,249,306	11	10,659	1,651,961,203	1	453	217,035,072	0	0	0
Utah	3	2,722	344,511,994	1	0	92,177,539	1	897	102,156,163	1	1,825	150,178,291	0	0	0	0	0	0
Vermont	1	192	92,177,539	1	192	92,177,539	0	0	0	0	0	0	0	0	0	0	0	0
Virginia	2	14,371	194,333,702	1	71	92,177,539	1	14,300	102,156,163	0	0	0	0	0	0	0	0	0
Washington	10	51,427	1,070,955,821	3	1,312	276,532,618	4	19,319	343,888,330	3	30,796	450,534,874	0	0	0	0	0	0
West Virginia	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
Wisconsin	11	55,987	1,143,924,509	3	47,221	276,532,618	3	1,097	266,678,726	4	7,669	600,713,165	0	0	0	0	0	0
Wyoming	1	0	261,938,880	0	0	0	0	0	0	1	0	261,938,880	0	0	0	0	0	0

Totals:	285	1,377,465	34,675,843,133	60	514,574	5,530,714,718	94	595,791	9602741707	109	258,173	16,369,184,275	11	7,762	2,387,385,792	7	1,165	785,816,640

How does 2022 compare to previous years?

From 2018 to 2019, the manufacturing/utility sectors suffered just 18 ransomware attacks combined (seven in 2018 and 11 in 2019). However, in 2020, the number of attacks rose exponentially to 109 and only declined slightly in 2021 to 95. In 2022, this figure dropped even further to 60, but this mirrors the overall trend we have witnessed in ransomware attacks across the majority of sectors.

Manufacturing and utility companies are still a key target due to the mass disruption that these types of attacks can cause. While data theft is relatively low across these sectors (when compared to others), it is the system downtime that perhaps reap the most rewards for hackers.

Number of attacks:
- 2022 – 60
- 2021 – 94
- 2020 – 109
- 2019 – 11
- 2018 – 7
Number of records impacted:
- 2022 – 514,574
- 2021 – 595,791
- 2020 – 258,173
- 2019 – 7,762
- 2018 – 1,165
Average downtime:
- 2022 – 7.39 days
- 2021 – 8.19 days
- 2020 – 12.04 days
- 2019 – 17.4 days
- 2018 – 9 days
Downtime caused (known cases):
- 2022 – 59 days (8 cases)
- 2021 – 147.4 days (18 cases)
- 2020 – 156.5 days (13 cases)
- 2019 – 87 days (5 cases)
- 2018 – 18 days (2 cases)
Estimated downtime caused (based on known cases and average in unknown):
- 2022 – 443 days
- 2021 – 770 days
- 2020 – 1,312 days
- 2019 – 191 days
- 2018 – 63 days
Estimated cost of downtime:
- 2022 – $5.53bn
- 2021 – $9.6bn
- 2020 – $16.4bn
- 2019 – $2.4bn
- 2018 – $786m
Average ransom amount
- 2022 – $16.39m
- 2021 – $6m
- 2020 – $4.5m
- 2019 – $6m
- 2018 – N/A
Ransom amounts demanded (known cases)
- 2022 – $65.6m (4 cases)
- 2021 – $17.9m (3 cases)
- 2020 – $22.7m (5 cases)
- 2019 – $6m (1 case)
- 2018 – N/A
Ransom amounts paid (known cases)
- 2022 – $550,000 (2 cases)
- 2021 – $15.4m (2 cases)
- 2020 – $500,000 (1 case)
- 2019 – N/A
- 2018 – N/A

How is 2023 looking for ransomware attacks on manufacturing and utility businesses?

2023 has already seen four reported ransomware attacks on entities within the manufacturing and utilities sector. With the year only just creeping into March, it is likely more breaches and attacks will be confirmed over the coming weeks and months.

The four confirmed ransomware attacks are Messer Cutting Systems, Inc. (January), Dish Networks (February), Encino Energy (February), and MKS Instruments (February).

As we have already explored, the attack on MKS Instruments, Inc. is having a devastating impact not only on MKS Instruments but a number of its customers. This highlights the ongoing threat and disruption these types of attacks can have on all organizations and manufacturers and utility providers in particular.

Dish Networks also reported a “multi-day outage” due to its ransomware attack, while Encino Energy said it hadn’t suffered any impact following its attack from ALPHV/BlackCat. However, the hackers have allegedly stolen 400 GB of data from the company.

What all of these most recent hacks and all of the data we’ve collated suggests is that ransomware attacks on manufacturers and utility providers can have a widespread impact, not only on the individual companies that are targeted but also the customers and businesses that utilize their services. Manufacturers and utilities are going to want to restore their systems as quickly as possible, which could increase the chances of them paying a ransom. Equally, if ransoms aren’t paid, they will likely suffer huge costs when trying to recover their systems.

Methodology

Our research found 285 ransomware attacks in total affecting manufacturers and utilities. From this, we were able to ascertain how much ransom had been demanded, how much had been paid, and how much downtime had been caused as a result of the attacks. We then used the figures we were able to find to create estimates (an average per year) for the amount of downtime caused by a ransomware attack and applied this to the business entities where no downtime figures were available. Then, using an average cost per minute of downtime ($8,662) from a 2017 report, we were then able to create estimates for how much disruptions to production and system outages may have cost.

For a full list of sources, please see our US ransomware tracker.

Data researcher: Charlotte Bond