Why is manufacturing the top target for ransomware?
The manufacturing sector has maintained its position as the most frequently attacked sector by ransomware groups for three consecutive years. The Dragos 2025 report indicates that 71% of manufacturing companies experienced a cyberattack targeting OT systems. This is no accident — factories combine characteristics that make them ideal targets.
First, low tolerance for downtime. Every hour of production line shutdown means direct financial losses, missed contracts and contractual penalties. Attackers know that manufacturers are more likely to pay ransoms than universities or government agencies.
Second, IT/OT convergence without proper segmentation. In many plants, the office network and production control network remain a single flat network. Ransomware initiated by a phishing email in the accounting department can reach engineering workstations and SCADA systems within minutes.
Third, legacy systems. PLC controllers and SCADA systems with 15-25 year lifecycles run on unpatched operating systems (Windows XP, Windows 7) that no longer receive security updates.
Anatomy of a ransomware attack on a factory
Phase 1: Entry through IT
A typical attack begins with a phishing email targeting an office worker or exploitation of a VPN/RDP vulnerability. The attacker gains access to the corporate network and spends days or weeks conducting reconnaissance, escalating privileges and identifying critical assets.
Phase 2: Lateral movement to OT
Without proper IT/OT segmentation, the attacker jumps to the production network. Vectors include:
- Shared Active Directory accounts
- Engineering workstations connected to both networks (dual-homed)
- Historian servers with interfaces in both IT and OT
- Unsecured RDP connections to HMI systems
Phase 3: Encryption and production shutdown
Ransomware encrypts workstations, historian servers, HMI stations and MES systems. Even if PLC controllers are not directly attacked, the loss of the visualization and management layer makes production invisible and uncontrollable.
Phase 4: Double extortion
Modern ransomware groups employ double extortion — in addition to encryption, they exfiltrate data (recipes, schematics, customer data) and threaten to publish it.
Case studies: attacks on the manufacturing sector
Norsk Hydro (2019) — LockerGoga
The Norwegian aluminum giant was hit by LockerGoga ransomware. Impact: 22,000 computers encrypted, plants in 40 countries switched to manual operations, losses exceeded $75 million. The company refused to pay the ransom and spent months rebuilding systems.
JBS Foods (2021) — REvil
The world’s largest meat processor paid $11 million in ransom after an attack by the REvil group that shut down plants in the US, Australia and Canada. The attack demonstrated how ransomware can disrupt the global food supply chain.
Toyota (2022) — supplier attack
A ransomware attack on Kojima Industries, a plastic components supplier, forced Toyota to halt all 14 factories in Japan for one day. Loss: 13,000 cars not produced — a demonstration of supply chain risk.
Strategies for ransomware protection in OT environments
IT/OT segmentation following the Purdue model
Implementing zones and conduits according to the Purdue model is fundamental. Key elements:
- DMZ zone between IT and OT with controlled crossing points
- Industrial firewalls at zone boundaries
- Unidirectional gateways (data diodes) for critical segments
- Microsegmentation within the OT network
OT backup and recovery
Traditional IT backup strategies are insufficient for OT:
- PLC configuration and controller program copies stored offline
- Golden image backups of engineering workstations and HMIs
- Regular recovery tests with measured restore times, checked against defined RTO/RPO targets
- Documentation of manual production startup procedures
OT network monitoring and detection
A SOC with OT competencies can detect ransomware before it encrypts critical systems:
- Passive OT traffic monitoring (without impacting processes)
- Anomaly detection in industrial protocols (Modbus, OPC UA, EtherNet/IP)
- Alerting on lateral movement from IT to OT
- IT and OT event correlation
OT incident response plan
An IR plan for the production environment must account for:
- Procedures for safely disconnecting OT from IT without stopping critical processes
- A list of systems that can operate autonomously after disconnection
- Manual production control procedures
- Communication with regulators (NIS2 requires reporting within 24h)
The role of OT security audits
An OT/ICS security audit is the first step toward ransomware protection. It includes:
- OT asset inventory (plants often lack a complete picture of the devices on their network)
- Segmentation assessment and identification of IT→OT paths
- SCADA/HMI/PLC vulnerability analysis
- Access policy and account management verification
- Incident response readiness assessment
Want to check if your factory is prepared for a ransomware attack? Schedule a free consultation — our OT experts will assess your risk level.