
Ransomware challenge hits manufacturing sector: survey

Manufacturing is an attractive sector to target for cybercriminals

The ransomware challenge facing manufacturing and production organizations continues to grow. The manufacturing and production sector had the highest average ransom payment across all sectors, according to a new report from Sophos.

According to the newly released “The State of Ransomware in Manufacturing and Production” survey report, the manufacturing and production sector paid an average ransomware payment of $2.036 million in 2021, more than double the cross-sector average, estimated at $812,360 during the same period.

The sector reported one of the lowest rates of ransom payment, with 33 per cent paying out compared to the global average of 46 per cent. At the same time, it reported paying the highest average ransom amount, at $2.036 million against the cross-sector average of $812,360.

The report found 66 per cent of manufacturing and production organisations surveyed reported an increase in the complexity of cyber attacks, and 61 per cent reported an increase in the volume of cyber attacks when compared to the previous year's survey.

The increase in complexity and volume is also 7 per cent and 4 per cent higher than the cross-sector average, respectively.

Diving into the ransom payments further, manufacturing and production has one of the broadest spreads of ransoms across all sectors, with respondents reporting a wide range of payments: one in ten (11 per cent) paid less than $1K while nearly one third of the respondents (37 per cent) paid more than $100K. 8 per cent of respondents paid $1M or more.

John Shier, Senior Security Advisor, Sophos

“Manufacturing is an attractive sector to target for cybercriminals due to the privileged position it occupies in the supply chain,” said John Shier, Senior Security Advisor, Sophos.

“Outdated infrastructure and lack of visibility into the OT environment provides attackers with an easy way in and a launching pad for attacks inside a breached network. The convergence of IT and OT is increasing the attack surface and exacerbating an already complex threat environment,” he added.

He pointed out that while having reliable backups is an important part of recovery, today’s ransomware threat requires a detailed response plan that includes human-led threat hunting capabilities.

“Complex attacks require comprehensive protection, which, for many organisations, will include the addition of managed detection and response (MDR) teams who are trained to look for and neutralise active attackers,” said Shier.

The Sophos survey involved 5,600 IT professionals in mid-sized organizations across 31 countries, including 419 respondents from the manufacturing and production sector.


50pc firms hit in 2021

The survey found that in 2021, 55 per cent of organisations in the sector reported being hit by ransomware, up from 36 per cent the previous year. Sophos said this shows that hackers have become considerably more capable of executing the most significant attacks at scale.

The rise in successful ransomware attacks is part of an increasingly challenging threat environment that has affected organisations across all sectors. Respondents across all sectors reported an increase in cyberattack volume, complexity, and/or impact.

Manufacturing and production has been particularly impacted by the changing threat landscape, with 61 per cent of respondents reporting an increase in the volume of attacks on their organisations over the last year (vs. 57 per cent cross-sector average) and 66 per cent reporting an increase in attack complexity (vs. 59 per cent cross-sector average).

“It may be that the sector’s superior ability to stop data encryption has forced adversaries to up their games when it comes to attacks. Alternatively, it may simply reflect an increased focus on the sector by cyber criminals over the last year,” the report said.


Lowest level of backup use

Manufacturing and production companies reported the lowest level of backup use across all sectors, with just 58 per cent of respondents using this approach to restore encrypted data compared to the cross-sector average of 73 per cent.

In fact, the sector reduced its use of backups compared with the previous year, when 68 per cent of organisations used backups for data restoration. This is a concerning finding, as backups are essential for recovery from ransomware and many other incidents.

Furthermore, almost half of respondents (48 per cent) reported using other means to restore their data.

The percentage using backups, paying ransom, and using other means clearly adds up to more than 100 per cent, indicating that many manufacturing and production organisations use multiple restoration methods in parallel to accelerate incident recovery. Overall, 36 per cent of manufacturing and production victims used multiple methods to restore their data.


Quick recovery

Survey results showed that the manufacturing and production sector is quick to recover from a ransomware attack, with two-thirds of victims (67 per cent) getting back up and running within a week. This is considerably higher than the global cross-sector average (53 per cent), indicating that manufacturing and production is well-placed to recover from attacks.

Further demonstrating this point, just 10 per cent in manufacturing and production said it took them between one and six months to recover, compared to the global average of 20 per cent who recovered within this time.

Following the global trend across multiple industries, manufacturing and production companies have seen a decrease in the average cost to rectify the impact of the most recent ransomware attacks, from $1.52 million in 2020 to $1.23 million in 2021.

Still, Sophos said $1.23 million is a very large sum that likely has a material impact on SMB organisations in any sector.

“At first sight, it may seem counter-intuitive that the average recovery bill is less than the average ransom payment. However, in many cases, insurance providers cover ransom payments,” the report stated.

There are several factors likely contributing to the below-average recovery bills for manufacturing and production.

First is the lower-than-average impact of ransomware on the operations and revenue of this sector. Secondly, the sector’s impressive ability to stop the attacks before data is encrypted helps keep remediation costs low. Finally, manufacturing and production reported the highest insurance payout rate for certain costs associated with attacks (costs of downtime and lost opportunities, etc.) which likely had a commensurate impact on the total recovery costs for this sector.


Cyber insurance

Many manufacturing and production organisations are choosing to reduce the risks associated with ransomware attacks by taking out cyber insurance coverage. For them, it’s reassuring to know that insurers pay some costs in almost all claims.

However, only 75 per cent of manufacturing and production respondents reported having coverage against ransomware attacks, compared with a cross-sector average of 83 per cent.

Furthermore, as the cyber insurance market hardens and it becomes more challenging to secure coverage, 97 per cent of manufacturing and production organisations that have cyber insurance have amended their cyber defense to improve their cyber insurance position:

• 70 per cent have implemented new technologies/services – highest across all sectors.

• 63 per cent have increased staff training/education activities – highest across all sectors.

• 59 per cent have changed processes/behaviours.

“It is heartening to know that the sector leads the way in terms of implementing new technologies and services and increasing staff training,” the report said.



In light of the survey findings, Sophos experts recommend the following best practices for all organisations across all sectors:

• Install and maintain high-quality defences across all points in the environment. Review security controls regularly and make sure they continue to meet the organisation’s needs.

• Proactively hunt for threats to identify and stop adversaries before they can execute attacks. If the team lacks the time or skills to do this in-house, outsource to a Managed Detection and Response (MDR) team.

• Harden the IT environment by searching for and closing key security gaps: unpatched devices, unprotected machines and open RDP ports, for example. Extended Detection and Response (XDR) solutions are ideal for this purpose.

• Prepare for the worst, and have an updated plan in place for a worst-case incident scenario.

• Make backups, and practice restoring them to ensure minimal disruption and recovery time.