In 2022, 60 manufacturing and utility businesses were struck by ransomware attacks, which resulted in the compromise of more than 500,000 records. We estimate that these attacks cost manufacturing and utility entities more than $5.53 billion in downtime alone.
Manufacturers and utilities have experienced a vast number of ransomware attacks since 2018. Most of them occurred during the pandemic, and attacks towards the end of 2020 spiraled out of control (September 2020 saw 22 attacks alone). While ransomware attacks, in general, are destructive, the impact on manufacturers and utility providers can be even more detrimental, causing major waiting times in production, losses in sales, power cuts, delayed payments, and even company closures.
For example, the recent attack on MKS Instruments in February 2023 is not only forecast to have cost the company at least $200 million in lost revenue but has also had a potential knock-on effect on its customers. Chip manufacturer Applied Materials reported that it may see a downfall of $250 million, while Ultra Clean Holdings anticipates its quarterly revenues will take a $30 million hit as a result of the attack on MKS.
So, what is the true cost of these ransomware attacks on manufacturing and utility sectors in the US, how has the ransomware threat changed over the last few years, and what has happened so far in 2023?
To find out, our team of researchers collated data on all of the publicly confirmed ransomware attacks affecting manufacturers and utilities since 2018. We used state reporting tools, data breach reports, company press releases, and specialist IT news to gather as much data on these attacks as possible. Then, we utilized all of the available information on ransoms paid and downtime caused to create estimates on the likely impact of these attacks.
Unfortunately, many organizations try to refrain from reporting that they have suffered a ransomware attack unless disrupted systems and/or breached data force them to do so. Therefore, our data only includes publicly reported attacks and likely only scratches the surface of the problem.
- 60 individual ransomware attacks on manufacturers and utilities–a 36 percent decrease from 2021 (94)
- 514,574 individual records were impacted–a small decrease from 2021 (595,791)
- Ransomware amounts varied from $250,000 to $60 million
- Downtime varied from a matter of hours (thanks to frequent data backups) to weeks of inaccessible systems
- On average, manufacturers and utilities experienced more than 7.4 days of downtime, which accounted for an estimated 443 total days of downtime
- Hackers demanded more than $65 million across just four attacks and received payment in two of these attacks (totaling $550,000)
- We estimate the overall cost of these attacks is around $5.53 billion
- LockBit, BlackBasta, and Conti were the most prolific hackers (where the entity disclosed the hacker name or the hacker claimed responsibility for the attack)
Which state had the most ransomware attacks on manufacturers & utility providers in 2022?
As we can see from the map below, California had the most ransomware attacks (12) with 20 percent of the total in 2022. But this is perhaps expected due to it being home to a large number of manufacturing companies in general. Ohio was the state with the second-largest number of attacks with five attacks in 2022. More than half of the states in the US (29) reported at least one ransomware attack on a manufacturing/utility organization in 2022.
There’s a similar pattern when it comes to the number of records affected, too. California saw the most records impacted (167,307). These records come from two attacks–one on food manufacturer Reiter Affiliated Companies in which 93,000 records were affected, and one on manufacturing company Nvidia in which more than 71,000 records were compromised. The latter was carried out by the LAPSUS$ ransomware gang and resulted in two days of downtime.
Ohio and South Dakota were the only two other states that had more than 100,000 records affected (137,425 and 113,718 respectively).
If we compare the number of records affected by organizations within the manufacturing and utility sectors, these figures are often significantly lower than some other sectors. For example, in 2022, financial organizations saw over 3 million records affected as a result of ransomware attacks, according to our ransomware tracker.
Data held by financial institutions will often hold more value (on the dark web) than some of the customer data held by manufacturing/utility companies. This, therefore, suggests that hackers are targeting manufacturers/utility providers in the hope of causing large-scale disruption to their systems, rather than stealing vast quantities of data. By impacting day-to-day operations, hackers likely increase their chances of securing a ransom payment.
How much did these ransomware attacks cost manufacturers and utilities in 2022?
As we have already noted, ransom demands varied significantly in 2022, ranging from $250,000 to $65 million. Equally, only a few entities released the exact ransom demand–we noted just four cases out of 60. This is due to organizations not wanting to disclose these figures and whether or not they’ve paid them as it could make them a target for future attacks.
Below are the known ransom demands:
- Intrado (December 2022 – $60 million) – After being hit with the Royal ransomware strain, hackers demanded $60 million from the company and threatened to release data if the ransom wasn’t paid. Intrado hasn’t confirmed whether it negotiated with the hackers.
- JAKKS Pacific, Inc. (December 2022 – $5 million) – Two ransomware groups joined forces for this attack (ALPHV/BlackCat and Hive) and both agreed to split the $5 million ransom if it was paid. However, JAKKS Pacific refused to pay and did not negotiate with either group. It believed it could restore its systems and said it suffered minimal impact.
- KFI Engineers (December 2022 – $300,000) – KFI Engineers agreed to pay $300,000 to the BlackBasta ransomware group to avoid the publication of sensitive data. With clients such as schools and hospitals, the organization negotiated with the hackers to prevent 1.1 TB of data from being published on the dark web.
- Narragansett Bay Commission (July 2022 – $250,000) – Systems were brought back online “within a matter of hours” after the commission agreed to pay a quarter of a million dollars in ransom to an unknown threat actor.
Adding in downtime
Although the lack of data surrounding ransom demands makes it difficult to determine how much has been lost to these attacks, there is a cost that most of these organizations face–downtime.
When systems are encrypted, services can go down for hours, weeks, or months at a time. In the worst cases, some systems and data cannot be recovered.
According to the downtimes reported in eight of the attacks in 2022, manufacturers and utilities suffered an average downtime of 7.4 days. Downtime relates to companies restoring systems and networks that have been shut down. Using these figures, we estimate that ransomware attacks caused 443 days (over 10,000 hours) of downtime in 2022 alone.
So what costs did manufacturers and utility providers face as a result of this downtime?
According to a 2017 study, the average downtime cost per minute across 20 different industries is $8,662. This would therefore suggest that the 2022 cost of downtime to manufacturers and utility providers was $5.53 billion. Although high, it’s almost half the $9.6 billion estimated cost in 2021. Even though the average downtime in 2021 was only slightly lower than 2022’s figure (8.19 days), the greater number of attacks meant far higher costs were incurred.
Downtime on these types of organizations has decreased since 2019, however. In 2019, manufacturing and utility businesses lost 17.4 days. In 2020, this dropped to 12 days. This decrease in downtime could demonstrate a positive trend, suggesting organizations are getting quicker at recovering systems (perhaps due to better backups being in place). However, due to the lack of data surrounding ransom payments, quicker recovery times could be due to organizations paying for decryption keys to return their systems to normal.
For example, the large-scale ransomware attack on Colonial Pipeline Company saw the company paying $4.4 million to DarkSide hackers after a 6-day outage. Had they not paid the ransom, the downtime costs may have escalated way further than the ransom payment cost.
These figures, while astronomical, are in line with some of the costs organizations have disclosed, some as recently as the last few weeks:
- As we’ve already seen, MKS Instruments Inc. has disclosed that the attack they suffered could cost a minimum of $200 million in lost or delayed sales. The attack was first identified on February 3, 2023, and, at the time of writing, recovery efforts are ongoing, suggesting disruptions will continue throughout March.
- Packaging manufacturer, the Ardagh Group, suffered a $34 million financial loss in May 2021 due to key systems going offline, which caused significant delays in production.
- Steelcase, a furniture giant, suffered two weeks of downtime in October 2020 that put $60 million worth of shipments on hold. What’s more, its Q3 financial earnings report mentioned $6 million in losses as a result of the ransomware attack.
Key findings from January 2018 to February 2023:
From January 2018 to February 2023, we tracked all of the publicly reported ransomware attacks on manufacturing and utility companies. During this time:
- 285 individual manufacturers and utility providers were targeted by ransomware attacks
- 1,377,465 records have been affected as a result
- Manufacturers/utility providers have suffered an estimated 2,780 days of downtime due to these attacks
- Ransom requests varied from $19,200 to $60 million
- Hackers have demanded an estimated $2.1 billion in ransom
- Hackers have received at least $16.45 million in ransom payments with the average payment being $3.29m
- We estimate that downtime has cost manufacturing/utility organizations $34.7 billion
Ransomware attack costs on manufacturing and utility businesses by year
|State||Attacks||# of Records Affected||Cost of Downtime||Attacks||# of Records Affected||Cost of Downtime||Attacks||# of Records Affected||Cost of Downtime||Attacks||# of Records Affected||Cost of Downtime||Attacks||# of Records Affected||Cost of Downtime||Attacks||# of Records Affected||Cost of Downtime|
|District of Columbia||0||0||0||0||0||0||0||0||0||0||0||0||0||0||0||0||0||0|
How does 2022 compare to previous years?
From 2018 to 2019, the manufacturing/utility sectors suffered just 18 ransomware attacks combined (seven in 2018 and 11 in 2019). However, in 2020, the number of attacks rose exponentially to 109 and only declined slightly in 2021 to 95. In 2022, this figure dropped even further to 60, but this mirrors the overall trend we have witnessed in ransomware attacks across the majority of sectors.
Manufacturing and utility companies are still a key target due to the mass disruption that these types of attacks can cause. While data theft is relatively low across these sectors (when compared to others), it is the system downtime that perhaps reap the most rewards for hackers.
- Number of attacks:
- 2022 – 60
- 2021 – 94
- 2020 – 109
- 2019 – 11
- 2018 – 7
- Number of records impacted:
- 2022 – 514,574
- 2021 – 595,791
- 2020 – 258,173
- 2019 – 7,762
- 2018 – 1,165
- Average downtime:
- 2022 – 7.39 days
- 2021 – 8.19 days
- 2020 – 12.04 days
- 2019 – 17.4 days
- 2018 – 9 days
- Downtime caused (known cases):
- 2022 – 59 days (8 cases)
- 2021 – 147.4 days (18 cases)
- 2020 – 156.5 days (13 cases)
- 2019 – 87 days (5 cases)
- 2018 – 18 days (2 cases)
- Estimated downtime caused (based on known cases and average in unknown):
- 2022 – 443 days
- 2021 – 770 days
- 2020 – 1,312 days
- 2019 – 191 days
- 2018 – 63 days
- Estimated cost of downtime:
- 2022 – $5.53bn
- 2021 – $9.6bn
- 2020 – $16.4bn
- 2019 – $2.4bn
- 2018 – $786m
- Average ransom amount
- 2022 – $16.39m
- 2021 – $6m
- 2020 – $4.5m
- 2019 – $6m
- 2018 – N/A
- Ransom amounts demanded (known cases)
- 2022 – $65.6m (4 cases)
- 2021 – $17.9m (3 cases)
- 2020 – $22.7m (5 cases)
- 2019 – $6m (1 case)
- 2018 – N/A
- Ransom amounts paid (known cases)
- 2022 – $550,000 (2 cases)
- 2021 – $15.4m (2 cases)
- 2020 – $500,000 (1 case)
- 2019 – N/A
- 2018 – N/A
How is 2023 looking for ransomware attacks on manufacturing and utility businesses?
2023 has already seen four reported ransomware attacks on entities within the manufacturing and utilities sector. With the year only just creeping into March, it is likely more breaches and attacks will be confirmed over the coming weeks and months.
The four confirmed ransomware attacks are Messer Cutting Systems, Inc. (January), Dish Networks (February), Encino Energy (February), and MKS Instruments (February).
As we have already explored, the attack on MKS Instruments, Inc. is having a devastating impact not only on MKS Instruments but a number of its customers. This highlights the ongoing threat and disruption these types of attacks can have on all organizations and manufacturers and utility providers in particular.
Dish Networks also reported a “multi-day outage” due to its ransomware attack, while Encino Energy said it hadn’t suffered any impact following its attack from ALPHV/BlackCat. However, the hackers have allegedly stolen 400 GB of data from the company.
What all of these most recent hacks and all of the data we’ve collated suggests is that ransomware attacks on manufacturers and utility providers can have a widespread impact, not only on the individual companies that are targeted but also the customers and businesses that utilize their services. Manufacturers and utilities are going to want to restore their systems as quickly as possible, which could increase the chances of them paying a ransom. Equally, if ransoms aren’t paid, they will likely suffer huge costs when trying to recover their systems.
Our research found 285 ransomware attacks in total affecting manufacturers and utilities. From this, we were able to ascertain how much ransom had been demanded, how much had been paid, and how much downtime had been caused as a result of the attacks. We then used the figures we were able to find to create estimates (an average per year) for the amount of downtime caused by a ransomware attack and applied this to the business entities where no downtime figures were available. Then, using an average cost per minute of downtime ($8,662) from a 2017 report, we were then able to create estimates for how much disruptions to production and system outages may have cost.
For a full list of sources, please see our US ransomware tracker.
Data researcher: Charlotte Bond