The enormous global costs of ransomware attacks on the manufacturing sector have been laid bare in a new analysis by Comparitech.
The firm reviewed 478 confirmed ransomware attacks on the manufacturing companies from 2018 to July 2023, using its worldwide tracker to understand the true cost of such incidents. This includes the amount of downtime caused, the volume of data stolen, how much the ransom demands were and whether those demands were met.
Eye-Watering Ransomware Costs
Using findings from a study in 2017, which showed the average cost of downtime is $8,662 per minute across all industries, Comparitech estimated that manufacturers around the world have lost an estimated $46.2bn to downtime from ransomware attacks over the five and half year period.
This could be an underestimate, Comparitech argued, as downtime in manufacturing is particularly impactful compared to many other sectors. This is because a halt in manufacturing production directly impacts sales.
The research showed that average downtime caused by ransomware nearly doubled in 2022 versus 2021, rising from 6.4 to 12.2 days. Additionally, there was a large gap in the longest downtime period recorded in each of the two periods – 32 days in 2021 and 76 days in 2022.
Rebecca Moody, head of data research at Comparitech, told Infosecurity that a likely factor for the increasing downtime is attackers “evolving their malware to stay one step ahead” of organizations.
Additionally, Comparitech researchers observed a “dramatic” variation in ransom demands issued, ranging from $5,000 to $50m. The sum of $50m was demanded on four occasions over the period analyzed, twice each from the REvil and LockBit gangs.
The average ransom demand was highest in 2021, at $21.9m. This fell to $8.8m in 2022 and is currently $1.7m so far in 2023, according to the analysis.
Encouragingly, only four manufacturing companies are known to have paid extortion demands, but the researchers noted that “many organizations will withhold this information in fear it makes them more vulnerable to these attacks.”
The data also showed that at least 7.5 million records were breached as a result of the 478 attacks over the period.
Comparitech’s research found that Egregor and Conti were the most dominant strains of ransomware targeting manufacturing organizations in 2020 and 2021, respectively. In 2022 and in 2023 up to July, LockBit has been the dominant strain.
Ransomware Resurgence
In the period analyzed by Comparitech, 2020 saw the highest number of confirmed ransomware attacks targeting manufacturing, at 167. This was closely followed by 2021, at 148.
There was then a “big dip” in 2022, with just 81 recorded attacks. However, there has been an uptick so far in 2023, with 55 reported incidents up until the end of July.
Moody told Infosecurity that the resurgence of ransomware in 2023 compared to 2022 has been reflected across all industries, as well as manufacturing. However, she noted a “change in the narrative around ransomware attacks,” which could help explain this rise.
“Last year, many companies tried to avoid using the word ransomware when describing a cybersecurity incident, while this year companies seem to be a little more open to admitting to having been breached. This could be due to the MOVEit attack whereby many large organizations are coming forward to confirm that they’ve been affected by the attack, giving rise to more companies following suit,” she explained.
Moody has also observed changing tactics used by ransomware attackers so far in 2023; in particular, an increase in data stolen as part of these incidents. “Hackers appear to be shoring up their chances of securing a ransom payment by not only encrypting systems, but stealing large volumes of data, too. If the affected organization doesn’t pay up, the hackers still have this trove of information to sell on the dark web,” she added.
Speaking on the August 2023 episode of the Infosecurity Magazine podcast, Jacqueline Burns Koven, head of cyber threat intelligence at Chainalysis, also highlighted a rise in “exfiltration only” ransomware attacks in recent months. This is often a more efficient approach as “even if the victim has a backup, there’s still a strong extortion technique at play to get victims to pay.”
Another trend observed by Koven is the “barbell effect” in payment demands. Here, there is increasingly two extremes – firstly, less sophisticated actors targeting perceived “softer targets” like schools and hospitals and taking “whatever they can get” from the victims in terms of payment.
On the other end of the spectrum, she said there has been a return of “big game hunters,” who spend a lot of time planning sophisticated attacks, often targeting supply chains. These are designed to extort big payouts.