Manufacturing as the primary target for ransomware
Manufacturing has become the prime focus for ransomware attackers, not because it’s the only valuable sector, but because it’s the easiest one to hit effectively. Most plants still run on outdated systems built to optimize production, not to withstand modern cyber threats. These legacy networks, deeply interconnected with both Information Technology (IT) and Operational Technology (OT), provide many attack points.
For cybercriminals, manufacturing offers the ideal conditions: complex systems that can’t afford downtime and executives willing to pay for quick recovery. The pressure to avoid production delays transforms what could be minor security lapses into high-stakes events with multi-million-dollar consequences. The data reflects this reality. In 2025, more than half of manufacturers affected by ransomware paid the attackers, according to Sophos. The median payment was $1 million, with 18% of payments reaching $5 million or more.
Leaders in this space need to start seeing cybersecurity not as an overhead cost, but as a direct shield against operational and financial collapse. Upgrades to core systems, secure remote management, and real-time monitoring are no longer optional; they are fundamental to the survival of manufacturing as digital transformation accelerates. Building resilient operations that can absorb hits and keep running is what separates future-ready manufacturers from those living in constant crisis mode.
Impact of disruptions and interdependent supply chains
The strength of modern manufacturing lies in its dependability and precision. But this same strength becomes a vulnerability when disruptions ripple through interconnected supply chains. One cyberattack on a small supplier can trigger shutdowns across multiple factories, slowing production around the world. Paul Furtado, Analyst at Gartner, put it simply: disruptions that stop production lines are enormously expensive, and their effects don’t stop there; they spread through supplier networks, putting every related company under pressure.
The attack on Kojima Industries in 2022 showed how damaging this can be. Kojima, a supplier for Toyota Motor Company, suffered a ransomware breach that forced Toyota to halt production across all 14 of its factories in Japan. Even a short shutdown caused significant losses, both financial and reputational.
For executives, this underscores a critical truth: cybersecurity is not an isolated IT function; it’s supply chain risk management. A single compromised vendor can halt an entire production ecosystem. Leaders must demand deeper visibility into every layer of their supply chain and insist on shared standards for security. Regular supplier audits, network segmentation, and immediate plan activation during any cyber event are essential.
The goal isn’t to eliminate risk entirely (that’s impossible) but to ensure that an attack on one part of your operation doesn’t stop production everywhere. Resiliency must be engineered into the network and the business process itself. The companies that do this right will not only avoid losses but emerge stronger and more agile in a volatile global environment.
Risk of data theft and extortion of proprietary information
Manufacturers are becoming data companies, whether they realize it or not. The engineering designs, production methods, and trade secrets that power modern factories are highly valuable assets. When ransomware attackers gain access to this intellectual property, it’s not just about locking up files; it’s about holding a company’s competitive future for ransom.
Sophos reported that in 2025, 40% of ransomware incidents in manufacturing resulted in data encryption, while 16% combined encryption with outright data theft. Extortion-only attacks, where criminals steal data instead of encrypting it, rose from 3% to 10% in a single year. This shift shows that attackers view proprietary information as an equal or even greater source of leverage than operational disruption.
Paul Furtado, Analyst at Gartner, said it clearly: manufacturers guard “the crown jewels” of the industrial world: their trade secrets. Losing control of those assets doesn’t just hurt operations; it destroys trust with partners, investors, and customers.
For executives, data protection must move beyond compliance checklists. The question isn’t just how to prevent breaches; it’s how to make sure that your most sensitive intellectual property is compartmentalized, encrypted, and monitored constantly. Establishing strict access controls, isolating critical design data, and tracking every data movement across systems are core priorities.
The companies with disciplined approaches to data governance will be the ones able to innovate freely, without fear that their breakthroughs will become someone else’s leverage. In manufacturing, protecting information is no longer secondary to production; it’s now a primary line of defense for business continuity.
Vulnerabilities in legacy OT systems and IT/OT integration
Most manufacturing environments still rely on Operational Technology (OT) that predates modern cybersecurity architecture. These systems were built to last, not to evolve with an increasingly digital and interconnected industrial environment. When they’re integrated with Information Technology (IT) networks to enable automation and analytics, the result is often weak defense boundaries and open pathways for attackers.
Sophos found that 42% of manufacturers blamed unknown security gaps for recent ransomware incidents, while 41% pointed to inadequate protections. Those numbers reflect a systemic issue: inadequate visibility. Many companies don’t fully understand what’s connected across their IT and OT layers. Without clear network mapping and risk classification, it’s impossible to secure what you can’t see.
Paddy Harrington, Analyst at Forrester, noted that OT networks have traditionally been built on a foundation of trust. Once an attacker moves from IT into OT, access is often unrestricted, or in his words, “the doors are often wide open.” Closing those doors requires cultural and technical change. Leaders must demand real-time monitoring across IT and OT systems, consistent patch management, and a strong partnership between engineering and cybersecurity teams.
For decision-makers, this is not just a technical conversation. It’s an operational one. Every new IoT device or legacy connection added to the network changes the organization’s risk profile. Investing in segmentation, secure gateways, and identity-based access isn’t just risk mitigation; it’s business preservation.
Modern manufacturing depends on the seamless operation of interconnected systems. That seamlessness must now include security. Those who modernize their OT environments with security-driven design principles will reduce both exposure and downtime, building a stronger foundation for sustainable growth in an era of constant digital threat.
Strategic preference of cybercriminals for manufacturing
Cybercriminals are making calculated choices in who they target, and manufacturing has become one of the safest bets for them. Attackers know that shutting down a hospital or power plant would create public outcry and immediate government intervention. Manufacturing, on the other hand, produces material goods: critical, but not life or death. That difference significantly lowers the risk for criminal groups while maintaining high financial reward.
Paddy Harrington, Analyst at Forrester, observed that “manufacturing leads by a mile” in ransomware targeting, and for good reason. The potential for large ransom payments is high, while the likelihood of intense law enforcement response remains low. These attackers are not driven by ideology; they want money, and they know manufacturers will pay to resume operations quickly.
Executives must understand that this preference is not random. Cybercriminals operate according to market principles: low risk, high yield. The manufacturing industry fits that model today because its digital transformation has outpaced its investment in cybersecurity. Attackers exploit that imbalance to strike at organizations that can pay without fear of intense governmental oversight.
For C-suite leaders, the takeaway is simple: the less attention the public gives to a disruption, the higher the risk of becoming a target. Companies in traditional sectors must now assume they are part of the top tier of cybercriminal focus. Strengthening incident response plans, investing in threat intelligence, and tightening supplier access controls are essential steps. The companies that act before the next wave of attacks will control their exposure, while others will find themselves negotiating under pressure.
Necessity for enhanced OT security and risk management
Manufacturers are now realizing that managing operational risk means managing cybersecurity risk. The difference between a secure and an exposed operation comes down to visibility, control, and preparedness. Across the industry, there is growing attention to adopting structured approaches that combine risk posture management, network segmentation, secure remote access, and advanced endpoint protection.
Paddy Harrington from Forrester pointed out that many firms are beginning to upgrade their OT security practices but still face structural limits, such as reliance on only a few approved vendor solutions. As more responsibility for OT security shifts to Chief Information Security Officers (CISOs), executives must ensure these leaders have access to the right tools and authority to execute broader security strategies across both IT and OT.
Decision-makers should prioritize layered defense models that monitor both physical and digital systems in real time. Network segmentation can contain potential breaches, while secure remote access safeguards interactions with OEMs and contractors. Sophisticated endpoint tools like Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) provide the visibility needed to detect threats before they disrupt production.
For executives, this is a leadership issue, not just a technical one. Strong governance is the driver behind effective resilience. When cybersecurity strategies are aligned with operational priorities, security becomes part of performance, not an obstacle to it. The companies that achieve that alignment will secure their operations, protect their data, and demonstrate maturity that sets them apart in a volatile digital economy.
Main highlights
- Manufacturing under fire: Ransomware attackers are increasingly targeting manufacturers due to outdated systems and high pressure to maintain continuous operations. Leaders should invest in modernizing critical infrastructure and strengthening rapid recovery capabilities.
- Supply chain fragility: A breach at one supplier can disrupt production across entire networks, as seen with Toyota’s 2022 shutdown. Executives should enforce shared cybersecurity standards and conduct regular resilience audits across their supply chains.
- Data as a prime target: Attackers are now focusing on stealing or encrypting proprietary designs and trade secrets for extortion. Leaders must elevate data security to a strategic priority, ensuring sensitive information is encrypted, compartmentalized, and continuously monitored.
- Legacy systems as liabilities: Outdated OT environments are exposing manufacturers to high-risk entry points for cybercriminals. Executives should accelerate IT/OT modernization and require cross-functional security coordination to close visibility gaps.
- Criminals follow the money: Manufacturing has become the favored target because it offers strong financial returns with less law enforcement attention. Leaders need to increase proactive threat intelligence and invest in rapid response frameworks to limit exposure.
- Building operational cyber resilience: Strengthening OT security through network segmentation, risk management, and advanced detection tools is now essential. Executives should empower CISOs with authority and resources to align security initiatives directly with production goals.


