Manufacturing has earned an unenviable title: the most targeted industry for ransomware. Manufacturing accounted for 65% of OT/ICS sector ransomware incidents recorded in Q2 2025, and global ransomware attacks against manufacturers rose 56% between 2024 and 2025, pushing the average ransom demand from $523,000 to nearly $1.2 million in the span of one year. The reason attackers fixate on the shop floor is the same reason manufacturers often struggle to defend it: operational technology (OT) systems, including programmable logic controllers, industrial control systems, and manufacturing execution systems, were designed for uptime and precision, not security. These systems may run decades-old software, lack available patches, and sit on networks that were never designed with zero-trust principles in mind. When a ransomware operator discovers that shutting down a production line costs the victim hundreds of thousands of dollars per hour, the business case for a seven-figure ransom demand writes itself.
TL;DR
- Manufacturing accounted for 65% of OT/ICS ransomware incidents in Q2 2025.
- Average ransom demands for manufacturers doubled from $523K in 2024 to nearly $1.2M in 2025.
- 75% of OT attacks begin as IT-side breaches; Dragos tracked a 60% increase in ransomware groups targeting OT in 2024.
- Ransomware attacks on manufacturing have caused an estimated $17 billion in downtime over seven years.
- OT asset inventory is the essential first step before any other security investment in this sector.
The convergence of IT and OT networks, a trend driven by efficiency and remote monitoring ambitions, has opened new corridors for attackers. The industrial cybersecurity firm Dragos tracked a 60% increase in ransomware groups actively targeting OT environments in 2024, and nearly 75% of OT attacks begin as IT-side breaches before pivoting into production systems. Of the ICS security advisories CISA issued in 2024-25, 46% involved vulnerabilities in critical manufacturing systems. Legacy equipment that cannot run modern endpoint agents is a major contributor to this exposure. An unpatched HMI (human-machine interface) connected to a corporate network segment becomes a pivot point that no endpoint detection tool will ever see. For manufacturers operating multi-site environments, the attack surface compounds with every connected plant added to the corporate network.
"About 95% of all cyber spend goes to enterprise IT, and about 5% to OT. That is where your national security is."
Robert M. Lee, CEO and Co-Founder, Dragos, July 22, 2025, as quoted in SANS Institute: Defense is Doable, Robert M. Lee's Congressional Testimony
Manufacturers who have reduced their ransomware risk share a consistent set of architectural choices: IT-OT network segmentation enforced by industrial firewalls, an asset inventory that actually includes OT endpoints, and offline verified backups of both IT systems and OT configurations. The financial stakes are not abstract. Researchers estimate that ransomware attacks on manufacturing have caused $17 billion in downtime costs over the past seven years. Organizations whose incident response plans explicitly address OT recovery, not just IT recovery, recover faster and pay ransoms less often. The best time to document your OT recovery procedure is not when production has stopped; it is well before the first encrypted file appears on a workstation screen.
Expert Tip: Inventory Your OT Assets Before Anything Else
You cannot protect what you cannot see. Many manufacturing environments have OT assets that IT security teams have never catalogued, including PLCs, HMIs, and historian servers running continuously for a decade. Conducting a passive network discovery scan using tools purpose-built for OT environments (such as Claroty, Dragos Platform, or Nozomi Networks, which are designed to avoid disrupting industrial protocols) is the necessary first step. Once you have an asset inventory, you can prioritize which systems are most exposed and which would cause the greatest operational impact if compromised.
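The prioritization step described above, sketched as an added example (not code from the article or from any of the vendors it names). The field names, weights, downtime thresholds and the sample inventory are all assumptions constructed for illustration; the factors themselves are the ones the article raises: corporate-network reachability, patch state, endpoint-agent coverage, downtime cost and offline configuration backups.

```python
from dataclasses import dataclass

@dataclass
class OTAsset:
    name: str
    kind: str                     # PLC, HMI, historian, ...
    corp_reachable: bool          # reachable from a corporate (IT) segment
    patched: bool                 # current on vendor patches
    agent_capable: bool           # able to run a modern endpoint agent
    downtime_cost_per_hour: int   # USD per hour if this asset stops production
    offline_config_backup: bool   # verified offline backup of its configuration

def exposure(a: OTAsset) -> int:
    """0-6. Assumed weights: IT reachability counts most, because most OT
    intrusions start on the IT side and pivot."""
    return 3 * a.corp_reachable + 2 * (not a.patched) + 1 * (not a.agent_capable)

def impact(a: OTAsset) -> int:
    """1-4. Downtime tier (assumed thresholds) plus 1 when no verified
    offline configuration backup exists to recover from."""
    cost = a.downtime_cost_per_hour
    tier = 3 if cost >= 100_000 else 2 if cost >= 10_000 else 1
    return tier + (not a.offline_config_backup)

def risk(a: OTAsset) -> int:
    return exposure(a) * impact(a)

def prioritize(inventory):
    """Highest risk first; ties broken by downtime cost."""
    return sorted(inventory, key=lambda a: (risk(a), a.downtime_cost_per_hour), reverse=True)

def gaps(a: OTAsset):
    """Findings to hand to the plant team for one asset."""
    checks = [
        (a.corp_reachable, "reachable from corporate segment: place behind industrial firewall"),
        (not a.patched, "unpatched: patch or add compensating controls"),
        (not a.agent_capable, "no endpoint agent: cover with passive network monitoring"),
        (not a.offline_config_backup, "no verified offline config backup"),
    ]
    return [msg for hit, msg in checks if hit]

# Constructed sample inventory (not real assets)
INVENTORY = [
    OTAsset("HIST-01", "historian", True, True, True, 15_000, True),
    OTAsset("HMI-PACK2", "HMI", False, True, False, 5_000, False),
    OTAsset("PLC-PRESS3", "PLC", False, False, False, 250_000, True),
    OTAsset("HMI-LINE1", "HMI", True, False, False, 250_000, False),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{risk(a):>3}  {a.name:<11} {a.kind:<10} {'; '.join(gaps(a))}")
```

The unpatched, agentless HMI on a corporate-reachable segment ranks first, ahead of an equally costly PLC that is isolated from IT and has a verified offline backup.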
Key Takeaways
- Top ransomware target: Manufacturing accounted for 65% of OT/ICS ransomware incidents in Q2 2025.
- Ransom demands doubled: Average ransom demands for manufacturers jumped from $523K in 2024 to nearly $1.2M in 2025.
- IT-OT convergence creates risk: 75% of OT attacks begin as IT-side breaches before pivoting to production systems.
- Legacy systems are the biggest gap: Unpatched OT equipment that cannot run modern endpoint agents remains the sector's hardest problem to solve.
- Downtime is the real cost: Ransomware attacks on manufacturing have caused an estimated $17 billion in downtime over seven years.
Sources: Dragos: OT Ransomware Trends Q2 2025, Industrial Cyber: Global Ransomware Attacks Rose 32% in 2025, Industrial Cyber: Half of 2025 Ransomware Attacks Hit Critical Sectors, SANS Institute: Robert M. Lee Congressional Testimony