Ransomware attacks on food, beverage, and agriculture organizations have cost the world economy $1.36bn in downtime alone

From 2018 to May 2023, ransomware attacks hit 157 food, beverage, and agriculture organizations. We estimate such attacks have cost these organizations $1.36 billion in downtime alone.

Ransomware attacks across this sector can cause widespread and ongoing disruptions, leading to delays in production, missed deliveries, shut stores, and stolen personal data. Companies can feel the effects of these attacks for days, weeks, and even months after the initial infection.

Below we take a look at the true cost of ransomware attacks across the food and beverage sector around the world. Utilizing data from our worldwide ransomware tracker, we explore the average downtime, ransom demands, and overall costs of these attacks. Because we only include publicly-confirmed attacks, our figures likely only scratch the surface.

Please note: while we may have logged a higher number of attacks in one country compared to another, this doesn’t necessarily mean it is more “targeted” by attackers. Rather, the awareness and reporting of such attacks may be more in-depth. For instance, data breach reporting tools and regulations in many US states help confirm these attacks. Those same tools and regulations don’t exist in many other countries.

Key findings:

From the start of 2018 to the end of May 2023, our research found:

• 157 confirmed ransomware attacks on the food and beverage industry. 2021 was the biggest year by far, with 64 attacks in total
• 696,832 individual records are reported to have been breached as a result of these attacks
• Ransom demands varied from $20,363 to $15 million
• We estimate that hackers have demanded around $637.7 million in ransoms
• Downtime varied from a couple of hours of disruption to seven months of systems not being at full capacity
• The average downtime from attacks increased dramatically in 2021 with over 11.5 days lost on average
• The overall cost of downtime is estimated at $1.36bn
• Food processing/manufacturing companies are the hardest hit but agricultural firms didn’t see a decrease in attacks in 2022 like most other organizations, suggesting attacks have become increasingly targeted
• Conti, REvil, LockBit, Maze, and BlackBasta are the most dominant ransomware strains. The first two dominated in 2020 and 2021, but LockBit and BlackBasta became more dominant in 2022 and 2023

Ransomware attacks on food and beverage companies by month and year

As we’ve already noted, 2021 was the biggest year for ransomware attacks across this sector. That mirrors the overall worldwide trend. In 2021, there were 64 confirmed ransomware attacks, accounting for 41 percent of the total.

While this may suggest that ransomware attacks have dipped across this sector, our ongoing monitoring of ransomware attacks would suggest otherwise. Due to the stigma surrounding ransomware, many organizations don’t admit to suffering such an attack unless they’re forced into doing so due to leaked data or severe downtime.

Ransomware remains incredibly disruptive and costly. Many ransomware groups now focus on stealing vast amounts of data and encrypting systems to double their chances of receiving a ransom payment. By becoming more targeted in their approach, hackers appear to be seeking out big-name companies where the damage from the attack will spread as far as possible. This was seen in the attack on Dole PLC in February 2023.

The Dublin-based fruit and vegetable producer had to temporarily shut down some of its North American production plants. That led to a shortage of prepacked salads. The company has since reported losses of around $10.5 million due to the attack.

• Number of attacks:
  • 2023 (to May) – 12
  • 2022 – 34
  • 2021 – 64
  • 2020 – 40
  • 2019 – 5
  • 2018 – 2
• Number of records impacted:
  • 2023 (to May) – 150,566
  • 2022 – 168,221
  • 2021 – 134,299
  • 2020 – 243,746
  • 2019 – 0
  • 2018 – 0
• Average downtime:
  • 2023 (to May) – 7 days
  • 2022 – 7.64 days
  • 2021 – 11.53 days
  • 2020 – 8 days
  • 2019 – 9 days
  • 2018 – 1 day
• Downtime caused (known cases):
  • 2023 (to May) – 7 days (1 case)
  • 2022 – 84 days (11 cases)
  • 2021 – 184.5 days (16 cases)
  • 2020 – 40 days (5 cases)
  • 2019 – 18 days (2 cases)
  • 2018 – 1 day (1 case)
• Estimated downtime caused (based on known cases and average in unknown):
  • 2023 (to May) – 77 days
  • 2022 – 260 days
  • 2021 – 738 days
  • 2020 – 320 days
  • 2019 – 45 days
  • 2018 – 2 days
• Estimated cost of downtime:
  • 2023 (to May) – $78.6m
  • 2022 – $243m
  • 2021 – $690.8m
  • 2020 – $300m
  • 2019 – $42.1m
  • 2018 – $1.87m

The true cost of ransomware attacks on food and beverage organizations

Ransom demands can vary dramatically, from thousands to millions. One of the most famous ransom demands across the food and beverage sector was the $11 million ransom submitted to JBS by REvil in May 2021. JBS said it had paid the ransom in a bid to try and protect its customers.

Other key ransom demands include:

• Campari Group, Italy – $15 million: In November 2020, Ragnar Locker demanded $15 million from the Campari Group. While there is no confirmation on whether or not the group paid the ransom, it did take around eight days for the organization to resume some of its services.
• Harvest Food Distributors (Sherwood Food Distributors), United States – $7.5 million: Hacker group REvil sought $7.5 million from Harvest Food Distributors and its parent company Sherwood Food Distributors, and even threatened to up the ransom amount when negotiations with the company’s security firm turned sour.
• NEW Cooperative, Inc., United States – $5.9 million: BlackMatter targeted the agricultural group, forcing them to take its systems offline. The hackers demanded $5.9 million from the coop and although it never fully confirmed whether or not it paid the ransom, conversations between the hackers and the organization were reportedly released. In them, the coop said how vast the disruption to grain, pork, and chicken supplies would be if it couldn’t get its systems up and running again immediately.

Based on the data that is available, we were able to determine the following:

• Average ransom demand:
  • 2023 (to May) – $543,600
  • 2022 – $2.5m
  • 2021 – $4.9m
  • 2020 – $6m
  • 2019 – N/A
  • 2018 – $20,400
• Ransom demanded (known cases):
  • 2023 (to May) – $543,615 (1 case)
  • 2022 – $5 million (2 cases)
  • 2021 – $19.5 million (4 cases)
  • 2020 – $24.1 million (4 cases)
  • 2019 – N/A
  • 2018 – $20,400 (1 case)

The above shows us how ransom demands have reached extortionate highs in recent years. But with so few companies revealing the ransoms demanded, it is hard to gauge the true scale of the ransoms demanded and paid. Organizations are often reluctant to reveal whether or not they’ve paid the ransom, fearing such an admission will lead to future attacks.

Adding in downtime

When it comes to the cost of these attacks, It isn’t just potential ransom demands that companies face. Even if an organization is able to avoid paying a ransom, many of them will still face one detrimental problem–downtime.

From the data we’ve collected, we’ve been able to see just how many days of downtime companies within the food and beverage sector have suffered when they’ve been hit by a ransomware attack. The most recent figures indicate the average organization faces around a week’s worth of downtime. Not only that, but the impact often extends much further. So while the company may have to shut down the majority of its systems for an entire week, other disruptions, e.g. ordering systems, email packages, or databases, may be down for far longer.

According to The True Cost of Downtime 2022 report from Siemens’s Senseye Predictive Maintenance, an hour’s downtime across the FMCG (Fast-Moving Consumer Goods) sector is $39,000. This is significantly lower than other industries ($2 million per hour for the automotive industry, for example) but when you consider that a ransomware attack causes a week’s downtime on average, this places the cost of a ransomware attack on these types of organizations at around $6.55 million.

Even though these figures may seem extraordinarily high, it is likely that some entities face far higher costs when hit with a ransomware attack.

For example, in its November 2022 attack, Sobey’s (a Canadian supermarket chain) is reported to have suffered overall losses of $54 million. Another Canadian food organization, Maple Leaf Foods, reported a $23 million hit as a result of its ransomware attack, which was also in November 2022. The fact that both of these attacks took place in the fourth quarter of the year perhaps isn’t a coincidence, either. With the holiday season fast approaching, hackers likely targeted these groups knowing they could ill afford downtime at one of their peak operating times.

The food and beverage industry remains a key target for ransomware hackers

Despite the dip in confirmed ransomware attacks last year, this type of threat remains at the forefront for the food and beverage industry.

As well as the attack on Dole PLC which we’ve already mentioned, we’ve also seen the disruption caused by the attack on Yum! Brands, Inc. in February 2023 where 300 restaurants were shut for a day, and the attacks on numerous other organizations across the globe, including Nutresa (Colombia), Telepizza (Spain), the Abro Brewery (Sweden), and Coldiretti (Italy).

Furthermore, over the last two months, our researchers have started logging global unconfirmed ransomware attacks (those where hackers publish claims/data to their pages). During April and May 2023 alone, we recorded 21 such attacks on the food and beverage sector.

Methodology

Using the database from our ransomware attack map, our research found 157 food and beverage ransomware attacks in total. From this data, we were able to determine ransom amounts, whether or not ransoms were paid, and the downtime caused.

If no specific figures were given for downtime, i.e. “several days,” “one month” or “back to 80% after 6 weeks” were quoted, we created estimates from these figures based on the lowest figure they could be. For example, several days were calculated as 3, one month was calculated as the number of days in the month the attack happened, and the number of weeks quoted in % recovery statements was used (e.g. 6 weeks per the previous example).

Each attack was categorized into one of the following sub-industry categories:

• Agriculture – any type of organization involved in cultivating products for consumer use. It does not include farming equipment manufacturers (these are categorized in our manufacturing category which isn’t included as part of this study)
• Beverages – a business whose sole/primary focus is on producing and/or selling beverages (including alcoholic beverages)
• Food processing/manufacturing
• Food retail – e.g. supermarkets
• Government – one example in this category–the Saskatchewan Liquor and Gaming Authority (SLGA)
• Restaurant – including restaurant chains
• Wholesale – distribution companies that specialize in food products (organizations that aren’t involved in the production of food nor sell to the end consumer)

For a full list of sources, please see our worldwide ransomware tracker.