Manufacturers often hit with ransomware demands, and many pay the price

Sept. 14, 2023
Beyond the ransom, attacks can be costly in terms of production downtime, data replacement and even lost customers.

By Bruce Geiselman 

The lack of cybersecurity in manufacturing is the digital pandemic no one talks about, because many manufacturers have paid ransoms to stay in business after an attack, said Louis Columbus, DELMIAWorks senior industry marketing manager. 

“I'll be interviewing a plastics manufacturer for an article, and they'll disclose that they paid ransomware to get back up and running,” Columbus said. “They won't tell how much, but you can tell just from the intonation to the call that it was painful — that it was a lot of money.”  

Manufacturing is the most cyberattacked industry worldwide, accounting for 23 percent of all ransomware attacks last year, Columbus said, citing a finding from the most recent IBM Security X-Force Threat Intelligence Index.  

Cyberattacks demanding ransom have become rampant, and victims frequently pay up, according to Claroty, a cybersecurity company that helps customers protect their information technology (IT) and operational technology (OT) networks. 

When an organization’s network or pieces of equipment are infected with ransomware, cybercriminals encrypt the data, which in many cases can essentially shut down organizations, including plastics processors and other manufacturers. Then they demand ransom in exchange for releasing their grip on the data. 

For cybercriminals, a ransomware attack can be highly profitable.  

“It was actually pretty surprising to see roughly 60 percent of the people who were hit did pay the ransom, and these were pretty sizable ransoms. We're talking in the mid six figures and up,” said Chelsea Haynes, senior director of product and content marketing at Claroty. 

Claroty in July held a webinar, “Combating Ransomware in OT Environments,” in which it discussed ransomware attacks. The webinar revealed results of a survey Claroty conducted of 1,100 IT and OT security professionals working full time for enterprises that own, operate or otherwise support components of critical infrastructure. 

A staggering 80 percent of respondents had experienced an attack within the past year, with 47 percent reporting an impact to their OT/industrial control system (ICS) environment. More than 60 percent paid the ransom and 52 percent paid $500,000 or more, according to Claroty. 

The survey focused on large industrial companies that support critical infrastructure, which are commonly targeted by cybercriminals. 

Ransomware has garnered media attention with some high-profile cases like the Colonial Pipeline ransomware attack in 2021 and more recent attacks on hospitals and health care systems

The results of the Claroty survey, contained in a white paper titled “The Global State of Cybersecurity 2021: Resilience amid Disruption,” found much higher incidents of ransomware and payments than have studies that rely on publicly available information based on incidents reported to U.S. law enforcement. Haynes pointed out that companies are not required to report ransomware incidents to law enforcement. 

One such study, Verizon Business' 16th annual Data Breach Investigations Report, analyzed 16,312 security incidents and 5,199 breaches based on information from the FBI Internet Crime Complaint Center (IC3). It found the median cost per ransomware incident has more than doubled over the past two years, to $26,000.  

Some incidents involved much larger costs, with 95 percent of incidents involving a loss of between $1 and $2.25 million. The good news was that only 7 percent of ransomware incidents led to losses for businesses, according to Verizon, based on information from the FBI's IC3. 

The amount of ransom cybercriminals demand is increasing every year, Haynes said. For example, in 2017, the year in which the infamous WannaCry and Not Petya ransomware outbreaks occurred, the average ransom demand was $500, according to information presented by Claroty. However, the amount has dramatically increased each year, with attackers in July 2023 demanding an average of $1.5 million worldwide. 

“It looks like it's doubling or tripling year after year,” said Justin Woody, senior director of security strategy at Claroty. 

Verizon’s report found that as the cost grows, so does the number of incidents. During the previous two years, the number of ransomware attacks was greater than the previous five years combined, according to the report. About 24 percent of all data breaches involved ransomware, making it one of the top cyberattack methods. 

As ransomware has grown into a big business, there has been a rise among cybercriminals in the use of ransomware-as-a-service (RaaS), Woody said. RaaS is built on a similar business model as software-as-a-service (SaaS), which is used by major software companies.  

RaaS is a business model that involves cybercriminals selling or renting ransomware to buyers, called affiliates. RaaS has made it easier for a variety of threat actors — even those who have little technical knowledge — to deploy ransomware. 

Many of today’s cybercriminals are based in foreign countries including Russia, North Korea, Iran and China, which are less likely or willing to crack down on these criminal operations, Haynes said. The U.S. aggressively pursues cybercriminals and has harsh penalties. 

Ransomware can target either OT or IT networks. 

“We know that a lot of ransomware attacks, including many of the big ones that we've all seen publicized in recent months and years, originate in the IT environment before then pivoting into OT, and in many cases, OT is not directly targeted, but it's collateral damage,” Haynes said.  

Large manufacturers often are willing to pay ransom when their OT networks are hit because their tolerance for downtime is low. 

“The amount of money that they’re going to lose, even if they’re down for one hour, can be six figures and up,” Haynes said. “From the attackers’ perspective, this is the type of company that probably is going to be far more likely to pay the ransom, because that ransom is probably a lot cheaper than what they would otherwise lose from being down.” 

Just-in-time manufacturing strategies create more urgency for manufacturers, making them more willing to pay ransoms so they can fulfill their orders with customers and obtain supplies in a timely manner, KnowBe4 security awareness advocate Erich Kron said. 

If a company falls victim to a ransomware attack, it can be a difficult decision as to whether to pay the ransom or try to recover on your own. 

“We never recommend paying the ransom,” Kron said. “The truth of the matter is, sometimes you have to.” 

One thing companies can do to help recover more quickly from a ransomware attack is to ensure they have recent data backups.  

Even if a company has backups to restore encrypted data, it could face extortion demands from cybercriminals who made copies of confidential information about the company, and its employees and customers. The cybercriminals typically threaten to release the information, possibly including Social Security numbers and banking information, on the dark web. Only if a victim agrees to pay will the cybercriminal promise not to make the information public. While that promise sounds great in theory, it’s coming from thieves who broke into your network, Kron said. 

Victims need to identify how cybercriminals accessed their network and eliminate those vulnerabilities or face another future network intrusion. Kron cited as an example a company from the UK that paid about $3 million in ransom, recovered its data and got back up and running, only to be hit by the same group 30 days later with another ransom demand. 

Even as companies emphasize educating employees on cybersecurity, the “human element” is a factor in 74 percent of breaches. Senior leadership is a growing cybersecurity threat for many organizations, according to Verizon. 

“Not only do they possess an organization’s most sensitive information, they are often among the least protected, as many organizations make security protocol exceptions for them,” Chris Novak, managing director of cybersecurity consulting at Verizon Business, said in a press release. “With the growth and increasing sophistication of social engineering, organizations must enhance the protection of their senior leadership now to avoid expensive system intrusions.” 

Social engineering, which involves techniques aimed at manipulating a target into revealing confidential information or unknowingly granting a criminal access to a computer network, is another lucrative tactic for cybercriminals. The median amount stolen in business email compromise (BEC) attacks has increased over the past couple of years to $50,000, according to Verizon, which attributed the figure to data from the FBI’s IC3. BEC attacks are a type of phishing attack that targets organizations with a goal of stealing money or critical information. 

The Verizon report concluded that 97 percent of “threat actors” were motivated by financial gain, and only 3 percent were motivated by espionage.  

The most common techniques used to gain entry to an organization’s computers included using stolen credentials (49 percent), phishing (12 percent) and exploiting vulnerabilities (5 percent). 

Sometimes, cybercriminals can find network vulnerabilities in unexpected places, Haynes said. As an example, she mentioned a food and beverage company that was infected with WannaCry ransomware. By the time it was detected, it had already spread to multiple company sites around the globe and was busy encrypting production systems. 

“After investigation, it was determined that it had come in through a vending machine in a plant,” Haynes said. “The vending machine was the entry point. There were connectivity paths at the time that were not known. That’s a reason why understanding interdependencies is so important.” 

It’s also an example of why companies should segment their IT and OT networks to only allow communications between the pieces of equipment that require it, Woody said. 

Woody and Haynes offered recommendations for reducing a potential ransomware attack’s impact on OT networks: 

  • Inventory assets: Know what assets are connected to your network and identify the most important assets to your business operations, safety and process integrity. Once the most critical assets are identified, companies should build a response plan.
  • Back up data: Time equals money, Haynes said. The more time a company is down, the more money that goes out the door. Companies should make sure they have backups to restore data in case of a ransomware attack.
  • Foster communications between OT and IT staff so they can coordinate cybersecurity plans. For example, Haynes points out that the government's Cybersecurity & Infrastructure Security Agency recommends having a pizza party at least once a year to bring together the IT and OT staff.
  • Know your dependencies: If a system goes down, what will it affect or stop? Resilience: Companies need to develop plans that allow them to recover from a cybersecurity attack in minutes or hours instead of days.


Claroty, New York, [email protected], 

DelmiaWorks, Dassault Systèmes, Waltham, Mass., 1-800-693-9000,  

KnowBe4 USA, Clearwater, Fla., 855-566-9234, 

About the Author

Bruce Geiselman | Senior Staff Reporter

Senior Staff Reporter Bruce Geiselman covers extrusion, blow molding, additive manufacturing, automation and end markets including automotive and packaging. He also writes features, including In Other Words and Problem Solved, for Plastics Machinery & Manufacturing, Plastics Recycling and The Journal of Blow Molding. He has extensive experience in daily and magazine journalism.