These ransomware victims are making the highest ransom payments

Ransomware gangs want to make the biggest amount of money in the smallest time possible - and that means one industry is a lucrative target.
Written by Danny Palmer, Senior Writer

Victims of ransomware attacks in the manufacturing and production industry are making the biggest ransom payments, with the average ransom demand paid coming in at just over $2 million. 

Ransomware is a significant cybersecurity issue that affects every sector. But according to analysis of attacks by cybersecurity company Sophos, ransomware is costing manufacturing and production the most.  

Of the victims who made a ransom payment to cyber criminals in order to get the decryption key to retrieve encrypted files and servers – and disclosed how much they paid for it – the average ransom was $2,036,189. 

That's more than double the overall average ransom payment made by those who detailed the payment, which amounted to $812,360.  

Manufacturing is a tempting target for ransomware gangs because of the important role it plays in supply chains – and a manufacturing plant being offline for a significant amount of time will be extremely expensive and have knock-on effects on other industries, businesses and consumers.  


That means some victims are giving in to ransom demands – and in some cases, cyber criminals are demanding substantial ransoms because they know victims are desperate to restore operations to normal.

Many production facilities are run on older computer systems and industrial 'operational technology' or OT, which means it's hard to apply security patches – if there are security patches available at all. 

"Manufacturing is an attractive sector to target for cyber criminals due to the privileged position it occupies in the supply chain. Outdated infrastructure and lack of visibility into the OT environment provides attackers with an easy way in and a launching pad for attacks inside a breached network," said John Shier, senior security advisor at Sophos. 

"The convergence of IT and OT is increasing the attack surface and exacerbating an already complex threat environment," he added. 

Of those who paid the ransoms – despite warnings not to – 37% of respondents ended up paying more than $100,000 while 8% paid more than $1 million for a decryption key. 

But while victims might believe meeting a ransom demand is the quickest way to recover their data, according to analysis of incidents in the manufacturing and production sector, an average of just 59% of data was recovered after paying a ransom – that's lower than the 61% of data recovered on average across all sectors. 


One of the key protections that's recommended against ransomware attacks is the use of offline backups and regularly updating and testing them, so that in the event of a ransomware attack, it's possible to restore networks without paying a ransom. However, the report warns that manufacturing has among the lowest reported rate of backup use across sectors.  

Other recommendations for protecting networks against ransomware attacks and other cyber threats include ensuring that patches and security updates are applied – and, where security updates can't be applied, segmenting the device or system from the rest of the network and keeping it away from the internet.

According to the research, 38% of attempted ransomware attacks against manufacturing and production were stopped before data could be encrypted – and Sophos recommends that actively hunting for attackers in the network is crucial for detecting potential incidents before they happen. 

"While having reliable backups is an important part of recovery, today's ransomware threat requires a detailed response plan that includes human-led, threat-hunting capabilities," said Shier. 

"Complex attacks require comprehensive protection, which, for many organizations, will include the addition of managed detection and response (MDR) teams who are trained to look for and neutralize active attackers," he said. 
