It’s no secret that the manufacturing industry has found themselves in the crosshairs of threat actors in recent years. With low tolerance for downtime, international operational footprints, and servers full of valuable information, these organizations represent riches for ransomware gangs and individual hackers alike. Plus, manufacturers often hold valuable information about industrial processes and customers, making them similarly susceptible to the data extortion aspect of modern ransomware.
According to the 2026 Arctic Wolf Threat and Predictions Report, from 2024 to 2025, the raw count of victimized manufacturers nearly doubled, and manufacturing now stands out as the sector with (by far) the highest victim count. IBM’s X-Force 2025 Threat Intelligence Index also lists manufacturing as the top-targeted industry — a title it’s held for the past four years. In addition to frequency, which has continued to rise year after year, the median cost of a manufacturing ransomware attack responded to by Arctic Wolf Incident Response is now $600,000 USD.
As the threat landscape continues to evolve, it’s vital to examine why the manufacturing industry is so highly targeted, as well as take a closer look at 10 manufacturing cyber attacks that highlight what’s at risk and what threat actors are targeting when it comes to this massive industry.
Why Is the Manufacturing Industry a Top Target for Cyber Attacks and Bad Actors?
The industry is prone to attacks and attempted breaches for several reasons:
High Dependency on Connected Systems
Modern factories rely heavily on interconnected IT and OT (Operational Technology) systems, such as robotics, IoT sensors, and automated production lines. Analysts estimate that there will be 29 billion interconnected devices by 2030. These systems often run on legacy software that wasn’t designed with cybersecurity in mind, making them vulnerable to exploitation. Attackers know that even a short disruption can halt production entirely, creating enormous leverage for ransom demands.
Critical Supply Chain Role
Manufacturers sit at the heart of global supply chains. A successful attack doesn’t just affect one company — it can ripple across thousands of suppliers and customers. This amplifies the pressure on victims to pay quickly to restore operations, making manufacturing an attractive target for ransomware groups.
High Cost of Downtime
Every hour of downtime in manufacturing translates into massive financial losses — sometimes millions per day. Unlike sectors that can operate remotely, factories need physical production lines in factories up and running. This urgency makes manufacturers more likely to pay ransoms or absorb huge recovery costs, which attackers exploit.
Valuable Intellectual Property (IP)
Beyond operational disruption, manufacturers hold sensitive IP like designs, blueprints, and proprietary processes. Cybercriminals can steal and sell this data, adding another revenue stream beyond ransom.
Arctic Wolf’s Top 10 Manufacturing Cyber Attacks
Jaguar Land Rover
Attack type: Ransomware
Location: United Kingdom
Year: 2025
Cost: £196 million GBP in direct costs, £1.9 billion GPB in costs to broader U.K. economy
In late summer 2025, a breach of Jaguar Land Rover’s (JLR) IT systems escalated into a full-blown cyber attack, forcing the automaker to shut down production across its flagship U.K. plants in Solihull, Halewood, and Wolverhampton. Scattered Lapsus Hunters — a cybercriminal collective consisting of three hacker groups known as Scattered Spider, Lapsus$, and ShinyHunters — claimed responsibility for the breach, leveraging stolen credentials to infiltrate critical networks. For five weeks, assembly lines stood idle.
The attack was one of the most severe in U.K. manufacturing history, and the fallout was staggering. JLR absorbed an estimated £196 million in direct costs, while the broader U.K. economy lost nearly £1.9 billion as suppliers scrambled and thousands of workers faced layoffs. September’s car production plummeted to its lowest level since 1952, prompting emergency government intervention, including a £1.5 billion GBP loan guarantee to stabilize the supply chain. In the aftermath, conversations shifted from recovery to resilience, as companies across the sector raced to fortify their defenses against the next digital ambush.
Clorox
Attack type: Unknown, but has indications of ransomware
Location: North America
Year: 2023
Cost: $356 million USD
This attack succeeded in disrupting operations of a major American goods manufacturer. According to an SEC filing by Clorox, the attack took many of its automated systems offline, including those by which large retailers such as Walmart and Target order products, highlighting how the breach of one organization can disrupt an entire supply chain.
While Clorox never confirmed if the attack was ransomware, the fallout, particularly the operational downtime, is consistent with other ransomware attacks. The breach also cost Clorox $356 million USD due to a 20% decline in sales, based on lower production volumes due to the attack. This is in addition to a steep drop in stock price and the $25 million Clorox spent securing their systems post-breach.
Norsk Hydro
Attack type: Ransomware
Location: Norway
Year: 2019
Cost: $70 million USD
After being hit by LockerGoga ransomware in 2019, Norsk Hydro, a multinational aluminum manufacturer with operations in 40 countries, was forced to close many of its plants and move others offline. The attack compromised the firm’s IT systems across multiple business functions, including the company’s smelting plants in Norway, Qatar, and Brazil, according to a Microsoft report. The organization chose not to pay the ransom, opting instead to shut down systems and operate manually for weeks, a decision which cost them around $70 million in business losses.
To gain initial access, the ransomware group had equipped an email attachment with a payload to launch a Trojan horse virus. While the virus was detected by antivirus days later, the threat actor had already gained access, and then deployed the ransomware.
In addition to Norsk Hydro, the LockerGoga attack also impacted Altran, a French consulting firm, as well as two U.S. chemical manufacturing firms, Hexion and Momentive.
Mondelez International
Attack type: Encrypting malware
Location: Based in Chicago
Year: 2017
Cost: $100 million USD
In 2017, Mondelez, a multinational food and beverage company, succumbed to an attack that leveraged the encrypting malware NotPetya — a virus used in a string of cyber attacks that year during an escalated conflict between Ukraine and Russia.
The attack permanently damaged 1,700 servers, 24,000 laptops, and impacted Mondelez production facilities around the globe, according to CSO Online. Mondelez says that the attack included the theft of thousands of user credentials and impacted the company’s ability to complete customer orders. Mondelez sued its insurance company, Zurich, due to the insurer’s decision not to pay an insurance claim. The insurer claimed the use of NotPetya was an act of war not covered under the policy.
The NotPetya attack also damaged operations at Maersk, which lost $300 million; at FedEx, which lost $400 million; and at Rosneft, a Russian oil company. According to statements made to WIRED magazine, the White House estimated that NotPetya generated $10 billion in damages during 2017, and to this day is one of those most notorious and studied cyber attacks.
JBS
Attack type: Ransomware
Location: Australia and North America
Cost: $11 million USD
Year: 2021
Reportedly engineered by Russia’s REvil hacker collective, the ransomware attack on JBS —which produces a fifth of the world’s meat supply — halted meatpacking operations at multiple plants for upwards of five days in the U.S, Canada, and Australia. This attack disrupted meat production and distribution, depriving many non-union employees of several days’ wages.
It has not yet been disclosed how the hackers gained access to the JBS system, but in a statement JBS indicated that, while it was able to get most of its systems operational without REvil’s help, it chose to pay $11 million in ransom to keep the files safe. REvil was a Russian-based ransomware group who was caught and charged by international authorities in late 2021.
Brunswick Corporation
Attack type: Unknown
Location: Global
Year: 2023
Cost: $85 million USD
A billion-dollar boating manufacturing firm, Brunswick Corporation suffered a cyber attack in June 2023 that not only disrupted operations for 9 days but cost the organization $85 million.
In addition, the firm filed notice with the Massachusetts Attorney General’s Office that the breach compromised personal information of employees and customers, including names, mailing addresses, social security numbers, driver’s license numbers, payment card data, and health information.
Applied Materials
Attack type: Ransomware; Supply-chain
Location: United States
Year: 2023
Cost: $250 million USD
As a multi-billion-dollar organization which supplies semiconductor technology to a number of partners, Applied Materials is a good example of supply chain risk. It became the victim of a supply-chain ransomware attack in February 2023 that disrupted shipments, and while not confirmed, it’s been reported MKS Instruments is the main victim this attack stems from, according to Bloomberg.
The cost of $250 million is said to be from lost sales in the second quarter of 2023, following the breach.
As organizations become more connected, especially in the manufacturing sector, these kinds of attacks have increased, as threat actors seek out weak points in the supply chain.
Simpson Manufacturing Company
Attack type: Possible ransomware
Location: United States
Year: 2023
Cost: Unknown
Simpson Manufacturing Company, a manufacturer of building materials, was the victim of a cyber attack in October, 2023, that caused them to take systems offline, disrupting business operations. The systems remained down as of December 2023, highlighting the severe scope of the incident. While it’s unknown if the root cause was ransomware, it’s been reported that the incident response steps are like that seen in ransomware attacks.
The disruption caused the public company’s stock to decline by 9.4% over a single month.
Toyota
Attack type: Ransomware
Location: Global
Year: 2022 and 2023
Cost: Unknown
Toyota has made headlines for multiple cyber attacks across 2022 and 2023, highlighting just how at-risk large manufacturing organizations are to modern cybercriminals.
In 2022, the car manufacturer had to shut down 14 factories in Japan for over 24 hours after a virus infected a file server. The lost output equaled about 13,000 vehicles.
In December of 2023, Toyota Financial Services in Germany had to shut down systems after Medusa ransomware exfiltrated data, holding it for an $8 million USD ransom. Earlier in 2023, Toyota had to notify customers that two million customer records were exposed for over 10 years, which highlights ongoing issues the manufacturing organization has had with their internal data security.
Bridgestone Americas
Attack type: Ransomware, from ransomware gang LockBit
Location: North and Latin America
Year: 2022
Cost: Unknown
Bridgestone Americas, a global tiremaker, had their North American systems knocked offline by a ransomware attack in February of 2022. The organization had to shut down their manufacturing and retreading operations in both North America and Latin America for several days after LockBit infiltrated their operations and exfiltrated data.
While it’s unclear if Bridgestone paid LockBit’s desired ransom, the organization did send out notice that customer and employee data was compromised, including names, social security numbers, and bank account information.
This breach shows that while disruption is a nice by-product of many manufacturing cyber attacks, threat actors are often interested in valuable data, not the operations of an organization.
How To Protect Your Manufacturing Organization Against Cyber Threats
There is no singular tool or approach that will keep your manufacturing organization safe. Just as IoT devices speak to endpoints which connect to users across the globe who then transmit data up and down the supply chain, a comprehensive cybersecurity approach is as complicated as your operations, and should be one that considers every aspect of an organization’s environment and how each part interacts with another.
Some actionable steps a manufacturing company can take to further their security journey and protect their valuable data include:
1. Investing in 24×7 monitoring that offers broad visibility into your organization’s environment.
You can’t protect what you can’t see, so implementing a tool that offers eyes on everything can go a long way in not only evaluating your own security architecture, but fast action when an incident occurs.
2. Practicing strong identity security, including following zero trust guidelines and implementing multi-factor authentication (MFA).
As organizations digitize, identities become the new firewalls, holding the credentials that can either stop threat actors or let them enter an environment with ease. By implementing strong identity and access management (IAM) and ensuring that your monitoring software includes identity threat detection and response capabilities (ITDR), your organization can harden your environment by protecting user identities.
3. Employ security awareness training to reduce human risk.
You can harden identities through techniques and tools, but tools can’t stop an employee from clicking on a phishing email and opening the door to malware. By implementing security awareness training that offers relevant, industry-specific content, relies on microlearning techniques, and works with compliance requirements, your business can reduce human risk while increasing resilience.
4. Work with a trusted cybersecurity partner.
When it comes to reducing cyber risk, no organization can do it alone. By working with a security operations partner that’s well-versed in the threats, compliance, and security needs of your industry — and can help with detection, response, and risk management — your IT team can focus on what matters, knowing work is being continually done to harden your attack surface.
Learn how Arctic Wolf’s Managed Detection and Response was able to detect and stop a BEC attack on a manufacturing plant within minutes.
Define the steps your organization needs to take to improve its cybersecurity posture.
