On average, US manufacturing organizations lose $1.3m per day to downtime from ransomware attacks

Since 2018, there have been 351 ransomware attacks on US manufacturing organizations. On average, each day of downtime caused by these attacks has cost $1.3 million.

In total, we estimate these attacks have cost US manufacturers over $870 million.

US manufacturers have experienced a vast number of publicly-confirmed ransomware attacks since 2018. Attacks peaked during the pandemic with 89 attacks in 2020 and 84 in 2021 before dipping in 2022 to 54. 2023, however, saw a record-breaking number with 92 registered in total.

While ransomware attacks, in general, are destructive, the impact on manufacturers can be even more detrimental, causing delays in production, losses in sales, power cuts, missed payments, and even company closures.

Data breaches have become a growing concern following these types of attacks. The number of records impacted in these attacks also skyrocketed in 2023. Just under 2.2 million records were affected–nearly four times 2022’s figure of just over 550,000 and more than half the overall total since 2018 (3.6 million).

Below, we dive into the true cost of ransomware attacks on manufacturing companies in the US. Using the data collated through our US tracker of publicly confirmed ransomware attacks since 2018, we’ve explored the amount of downtime, the average cost of downtime, and ransom demands on the manufacturing sector.

Unfortunately, many organizations try to refrain from reporting that they have suffered a ransomware attack unless disrupted systems and/or breached data force them to do so. Therefore, our data only includes publicly reported attacks and likely only scratches the surface of the problem.

Key findings

From the beginning of 2018 to April 2024, our research found:

  • 351 individual ransomware attacks on US manufacturing companies. 2023 saw the highest number in total with 92 attacks
  • 3,598,164 individual records were affected in these attacks–at least. 2023 accounted for 61 percent of this total (2.2 million)
  • Since 2018, an average day of downtime costs manufacturing companies just under $1.3 million
  • We estimate the total cost of these ransomware incidents exceeds $870 million
  • Downtime varied from a couple of hours of disruption to several months of systems not being at full capacity
  • On average, manufacturers have lost 17 days to downtime following ransomware attacks
  • Ransom demands varied from $100,000 to $200 million. The latter was recently demanded by LockBit following its attack on Boeing
  • ALPHV/BlackCat and Black Basta carried out the most known attacks in 2023. Black Basta, Conti, LockBit, Royal, and Hive all dominated in 2022, while Conti, Maze, and DoppelPaymer accounted for most attacks in 2021 and 2020

The true cost of ransomware attacks on US manufacturing companies

As we have already noted, ransom demands have varied significantly, ranging from $100,000 to a whopping $200 million. Equally, only a few victims disclosed the exact ransom demand—just 12 cases out of all 351 attacks. Organizations might not want to disclose ransom amounts and whether or not they’ve paid them because doing so could make them a target for future attacks.

As well as the Boeing ransom demand noted above, here are some of the other biggest known ransom demands:

  • JBS USA Holdings Inc. (May 2021 – $11 million): This isn’t just the second-largest ransom demand on a US manufacturing company but it’s also the biggest known ransom payment. After being hit with REvil ransomware, meat supplier JBS chose to pay its attackers to ensure the stolen data was deleted.
  • Kimchuk, Inc. (March 2020 – $10 million): Kimchuk refused to pay DoppelPaymer $10 million after it infiltrated its systems in March 2020. As a result, DoppelPaymer began releasing the stolen data on the dark web.
  • Southwire Company, LLC (December 2019 – $6 million): Maze hit the Georgia-based company in late 2019 and demanded $6 million which Southwire refused to pay. Systems were impacted for around a day and 449 people were issued data breach letters.

Based on the figures we do have available, we know:

  • Average ransom demand:
    • 2024 (to April) – $2.5 million
    • 2023 – $100 million (due to the Boeing attack)
    • 2022 – N/A
    • 2021 – $4.5 million
    • 2020 – $3.2 million
    • 2019 – $6 million
    • 2018 – N/A
  • Ransom demanded (known cases):
    • 2024 (to April) – $5 million (2 cases)
    • 2023 – $200.1 million (2 cases)
    • 2022 – N/A
    • 2021 – $13.6 million (3 cases)
    • 2020 – $12.7 million (4 cases)
    • 2019 – $6 million (1 case)
    • 2018 – N/A

The above highlights how known ransom demands have increased in recent years. As we have previously mentioned, data surrounding ransom demands is limited. Many organizations are unwilling to disclose the ransom demanded for fear that doing so will leave them open to future attacks or encourage hackers. Often, if ransom demands aren’t met, ransomware groups will reveal how much they’re demanding as they post the company to their data leak sites and threaten to release the data.

For example, over the last year, ransomware groups published 15 ransom demands on US manufacturing companies that never publicly confirmed a cyber attack themselves. The average ransom for unconfirmed attacks was nearly $270,000.

Adding in downtime

Although the lack of data surrounding ransom demands makes it difficult to determine how much has been lost to these attacks, there is a cost that most of these organizations face–downtime.

When systems are encrypted, services can go down for hours, weeks, or months at a time. In the worst cases, some systems and data cannot be recovered.

To estimate how much ransomware attacks have potentially cost manufacturing organizations, we have used the overall ransomware recovery costs quoted by thirteen entities. Using these amounts, we were able to calculate an average downtime cost of $1,291,212 per day.

While data was unavailable for 2018, 2019, and 2024, the average cost per day in the other years was as follows:

  • 2023 – $1,324,345 (7 known cases)
  • 2022 – $400,823 (3 known cases)
  • 2021 – $3,124,176 (2 known cases)
  • 2020 – $64,516 (1 known case)

Due to the wide variation in average downtime costs, we have used the overall average across all years ($1.3 million) in our estimations where individual costs are unavailable. Using this, we were able to estimate that the total cost of ransomware attacks on US manufacturing companies since 2018 is $870,632,960.

Some of the biggest recovery costs are as follows:

  • MKS Instruments Inc. – $215 million: It disclosed that the attack it suffered cost $200 million in lost sales and $15 million in remediation efforts (expert help and consulting services and restoration of systems and data). The attack was first identified on February 3, 2023, with systems noted as being fully restored by May 3, 2023.
  • WestRock – $79 million: Following its ransomware attack in January 2021, lost sales and production cost the company $50 million while a further $29 million was spent on recovery efforts over the following months.
  • The Clorox Company – $57 million: Hit on August 11, 2023, The Clorox Company took over a month to resume normal order processing. This cost the company $57 million.

Ransomware attacks on US manufacturing companies by year

From 2018 to 2019, the manufacturing/utility sectors suffered just 17 ransomware attacks combined (seven in 2018 and 10 in 2019). However, in 2020, the number of attacks rose sharply to 89 and declined only slightly in 2021 to 84. In 2022, this figure dropped even further to 54 before increasing to an all-time high in 2023 with 92 attacks registered in total.

Manufacturing companies are still a key target due to the mass disruption that these types of attacks can cause. While data theft is relatively low across these sectors (when compared to others), it is the system downtime that perhaps reaps the most rewards for hackers.

  • Number of attacks:
    • 2024 (to April) – 15
    • 2023 – 92
    • 2022 – 54
    • 2021 – 84
    • 2020 – 89
    • 2019 – 10
    • 2018 – 7
  • Number of records impacted:
    • 2024 (to April) – 24,518
    • 2023 – 2,189,221
    • 2022 – 553,530
    • 2021 – 436,884
    • 2020 – 385,624
    • 2019 – 7,222
    • 2018 – 1,165
  • Average downtime:
    • 2024 (to April) – 15 days
    • 2023 – 18 days
    • 2022 – 35.7 days
    • 2021 – 8.1 days
    • 2020 – 16.8 days
    • 2019 – 4.7 days
    • 2018 – 18 days
  • Downtime caused (known cases):
    • 2024 (to April) – 45 days (3 cases)
    • 2023 – 342 days (19 cases)
    • 2022 – 250 days (7 cases)
    • 2021 – 97 days (12 cases)
    • 2020 – 185 days (11 cases)
    • 2019 – 14 days (3 cases)
    • 2018 – 18 days (1 case)
  • Estimated downtime caused (based on known cases and average in unknown):
    • 2024 (to April) – 225 days
    • 2023 – 1,656 days
    • 2022 – 1,928 days
    • 2021 – 676 days
    • 2020 – 1,498 days
    • 2019 – 47 days
    • 2018 – 126 days
  • Estimated cost of downtime:
    • 2024 (to April) – $19.4m
    • 2023 – $422.9m
    • 2022 – $97.2m
    • 2021 – $187.3m
    • 2020 – $115.6m
    • 2019 – $19.3m
    • 2018 – $9m

Which state had the most ransomware attacks on manufacturers?

As we can see from the map below, California had the most ransomware attacks (47) with 13 percent of the total and over double the number recorded in Massachusetts and Ohio (22 each).

However, if we look at the number of records affected in these attacks, things change somewhat. Iowa becomes the most affected state with 1,241,093 records affected in total. This is primarily due to PurFoods, LLC (Mom’s Meals) being located here. It suffered an attack in January 2023 that affected 1,237,681 records.

Florida takes the second spot (with 576,000 records affected) and California is in third place (with 295,000 affected).

If we compare the number of records affected at organizations within the manufacturing industry, these figures are often significantly lower than in other sectors. For example, according to our ransomware tracker, financial organizations saw over 4.6 million records affected as a result of just 53 ransomware attacks in 2023.

Data held by financial institutions will often hold more value on the dark web than some of the customer data held by manufacturing companies. This, therefore, suggests that hackers are targeting manufacturers in the hope of causing large-scale disruption to their systems, rather than stealing vast quantities of data. By impacting day-to-day operations, hackers likely increase their chances of securing a ransom payment.

That said, the increase in records impacted in 2023 does suggest hackers are shoring up their chances of securing a ransom payment by ensuring they have data to hold to ransom if negotiations for a decryption key fail.

How is 2024 looking for ransomware attacks on manufacturing businesses?

2024 has already seen 15 reported ransomware attacks on entities within the manufacturing sector (from January to April). This is significantly lower than the 40 recorded during the same period of last year. While we do expect to add to 2024’s figures as more data breach notifications come through, it’s highly unlikely we’ll reach a figure like that of 2023.

This is a trend we’re witnessing across most industries. And while this is a positive sign, it’s too early to suggest that ransomware is on an overall decline. With the likes of Targus International, LLC and Welch’s experiencing crippling attacks, ransomware remains an ongoing threat to the manufacturing industry. It has the potential to cause widespread disruption, not only to the individual companies that are targeted but also to the customers and businesses that utilize their services.

Manufacturers want to restore their systems as quickly as possible, which could increase the chances of them paying a ransom. Equally, if ransoms aren’t paid, they will likely suffer huge costs when trying to recover their systems.

Methodology

Using the database from our US ransomware tracker, our research found 351 ransomware attacks on the US manufacturing industry in total. From this data, we were able to determine ransom amounts, whether or not ransoms were paid, and the downtime caused. Where the amount of downtime wasn’t available, we used an estimated number of days based on the average in that particular year.

We looked through each organization’s financial statements and reports (where available) to find out the financial impact of these attacks. We then used these figures and the number of days of downtime to create an average cost of downtime per day. This was then used to estimate the cost of each attack where figures were unavailable. For example, the Gates Corporation noted overall recovery costs of $5.2 million following its attack. With downtime lasting three days, this creates a daily cost of $1.73 million.

Please note: in our ransomware tracker some of the manufacturing entities may fall under “food and beverage” or “healthcare” as opposed to manufacturing. For example, meat producers fall under food and beverage in our trackers and pharmaceutical companies fall under healthcare. However, these have been included under manufacturing for this study.

Data researcher: Rebecca Moody