
Manufacturing’s rapid digital transformation has merged legacy industrial control systems (ICS) and operational technology (OT) networks with corporate IT and IoT infrastructures, drastically expanding the industry’s cyberattack surface. In this interconnected environment, pretty much every piece of equipment is now reachable via enterprise networks or the Internet. This convergence of IT, IoT, and OT has created great production efficiencies, but it comes at a steep price of more vulnerabilities. Disrupting a factory’s network can halt production lines, and even a brief outage can result in multi‐million‐dollar losses for manufacturers.
Nucor Corp., North America’s largest steelmaker, was one such case in May 2025, when it fell victim to a cyberattack that forced it to proactively halt production at multiple plants to contain the breach. This incident was part of a sequence of other high‐profile attacks across manufacturing and other sectors, underscoring how deeply ransomware has penetrated critical industries.
It’s certainly time to examine this recent wave of ransomware attacks to explore how threat actors have evolved their tactics, and outline the defense strategies manufacturers must adopt to stay resilient.
A Fresh Wave of Ransomware Attacks
Ransomware was already surging across all sectors, but in 2025, it appears to have exploded into the public eye thanks to a series of high-profile attacks against household name brands. The warning signs were there. The FBI’s 2024 Internet Crime Report noted a 33 percent jump in reported losses (to $16.6 billion) year-over-year.
Attacker tradecraft is also evolving. Scattered Spider is using advanced social engineering and even AI-based voice spoofing to breach organizations across industries. It’s believed that they’re using new, highly sophisticated ransomware packages developed and distributed by Ransomware-as-a-Service (RaaS) hubs to facilitate their attacks. These hubs represent a highly sophisticated series of criminal partnerships that allow for knowledge sharing over potential vulnerabilities, meaning that what might have once been an isolated incident can quickly cascade.
All signs point to manufacturing as ransomware’s current favorite target, with many independent reports reinforcing the claim:
Data breach costs have also soared to record levels. The 2023 IBM/Ponemon report put the global average breach cost at about $4.45 million. In manufacturing, the largest losses often come from downtime rather than ransom payments. An average ransomware incident now causes 21 days of disruption. Halting a production line for even a few days can cascade into long delays, supply gaps, and multi-million-dollar losses. This alone makes manufacturing an attractive target for ransomware, as business owners will be desperate to get things up and running again.
The Systems That Make Manufacturing Vulnerable
Another aspect that makes manufacturing an attractive target for cybercriminals is the inherent vulnerability of industrial environments. Many factories still run legacy OT systems (PLCs, HMIs, SCADA software) built without modern security in mind. These devices often lack basic protections (encryption, authentication, or patching capabilities) and are expensive or impractical to replace.
Connecting these systems to networks exposes decades-old code to cutting-edge threats. Likewise, VPNs and remote access tools (often hastily deployed for engineering support) have become weak points. Attackers commonly buy access from brokers and exploit flaws in VPNs and remote management platforms to infiltrate factory networks.
As the Scattered Spider group shows, many cybercriminals are leveraging social engineering and automation to increase their success rate. Manufacturing personnel are frequently targeted with tailored phishing and voice calls. Scattered Spider themselves are known for deploying AI-driven phishing, even cloning executives’ voices to trick employees into clicking links or sharing credentials.
Once inside, adversaries often use living-off-the-land techniques (abusing legitimate operating system tools so that lateral movement blends in with normal administrative activity) and specialized malware to disable security software. Data theft is also a core strategy, with manufacturing IP and employee data being the main targets in recent attacks.
Compounding these trends is chronic underreporting and geopolitical risk. Many industrial ransomware losses (like downtime, private forensic costs, and brand damage) never make it into official tallies on the scope of these attacks. This means the true impact on manufacturers is surely higher than public stats indicate.
And it’s not just private hacker groups representing a threat to manufacturing. Nation-state actors have shown interest, with Russian-aligned groups having probed OT environments under the guise of ransomware or data extortion. Industrial cybersecurity has essentially become a national security issue.
In short, manufacturers face a perfect storm of factors that demands urgent action: they are high-value targets, they run legacy technology, and they increasingly face aggressive adversaries.
To combat this wave, manufacturers must adopt a proactive, layered defense strategy. Crucially, organizations should build and exercise OT-specific incident response plans. Currently, roughly half of OT/ICS operators still lack any dedicated ransomware response playbook.
Every factory needs a clear plan for who to call and what to do if its control networks are compromised. This includes regular tabletop drills and coordination between IT security, OT engineers, and executive leadership. Preparation and planning save lives, especially when outages can endanger workers or the public.
Upgrading Cyber Security Tech
On the technology side, rigorous network segmentation and monitoring are essential. Continuous monitoring and logging (for example, through a SIEM) across both IT and OT systems allow early detection of intrusions. IT and OT domains should be isolated in zones with strict access controls so that a breach in the enterprise network cannot freely jump into production equipment.
Strong access management is especially important where remote connections reach critical assets. In practice, this means tracking all remote sessions, anomalies, and failed logins so that threat hunters can catch suspicious activity before damage occurs.
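As an added illustration (not code from this article), the following Python script shows the kind of SIEM-style detection the two paragraphs above call for over IT/OT remote-access logs: counting failed logins per source and target asset, flagging a success that follows a burst of failures, and flagging any session that reaches the OT zone without passing through a DMZ jump zone. The log format, hostnames, zone names and the threshold of three failures are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records from a hypothetical remote-access gateway (not real data).
SAMPLE_LOG = """\
2025-05-12T02:01:10Z result=FAIL user=oper1 src=10.10.5.20 src_zone=IT dst=hmi-line3 dst_zone=OT
2025-05-12T02:01:14Z result=FAIL user=oper1 src=10.10.5.20 src_zone=IT dst=hmi-line3 dst_zone=OT
2025-05-12T02:01:19Z result=FAIL user=oper1 src=10.10.5.20 src_zone=IT dst=hmi-line3 dst_zone=OT
2025-05-12T02:01:25Z result=FAIL user=oper1 src=10.10.5.20 src_zone=IT dst=hmi-line3 dst_zone=OT
2025-05-12T02:01:31Z result=OK user=oper1 src=10.10.5.20 src_zone=IT dst=hmi-line3 dst_zone=OT
2025-05-12T09:15:02Z result=OK user=eng2 src=10.20.1.5 src_zone=DMZ dst=plc-press1 dst_zone=OT
2025-05-12T09:20:44Z result=OK user=admin src=10.10.7.9 src_zone=IT dst=erp-db dst_zone=IT
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"src_zone=(?P<src_zone>\w+) dst=(?P<dst>\S+) dst_zone=(?P<dst_zone>\w+)"
)

FAIL_THRESHOLD = 3        # assumed: failures from one source to one asset before alerting
JUMP_ZONE = "DMZ"         # assumed: the only zone permitted to open sessions into OT


def parse(log: str) -> list[dict]:
    """Turn raw gateway lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for line in log.splitlines() if (m := LINE_RE.match(line))]


def detect(events: list[dict]) -> list[tuple]:
    """Return (rule, src, dst, ts) alerts in log order."""
    alerts = []
    fails = defaultdict(int)          # (src, dst) -> consecutive failure count
    for e in events:
        key = (e["src"], e["dst"])
        if e["result"] == "FAIL":
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:   # fire once per burst, not on every failure
                alerts.append(("failed_login_burst", e["src"], e["dst"], e["ts"]))
            continue
        # A success right after a failure burst looks like credential guessing that worked.
        if fails[key] >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", e["src"], e["dst"], e["ts"]))
        # Zone policy: enterprise (IT) hosts must never open sessions straight into OT.
        if e["dst_zone"] == "OT" and e["src_zone"] != JUMP_ZONE:
            alerts.append(("zone_policy_violation", e["src"], e["dst"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```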
Adding to this, requiring strict verification for every user and device through Zero Trust architectures can prevent attackers from moving laterally even if they gain an initial foothold. Given the sophistication of modern threats, manufacturers should also leverage emerging tools like AI-powered anomaly detection to spot subtle signs of compromise faster.
Adopting next-generation defenses helps: deploy industrial-grade firewalls and intrusion detection systems at key junctions, and use endpoint security tailored for OT when available.
Regular patch management and inventory are also mandatory. Manufacturers must catalog every device, even legacy controllers, and apply security patches and firmware updates whenever possible. While some embedded systems are hard to patch, workarounds like network segmentation and virtual patching can mitigate risks until legacy systems can be replaced.
Empowering People and Processes
Beyond technology, people and processes are equally important. Every employee, from plant floor operators to executives, needs training on security best practices. Regular phishing simulations and awareness sessions can help workers spot the increasingly personalized attacks seen today.
The manufacturing leadership team must promote a security culture where reporting odd emails or outages is encouraged. Supply-chain risks should be managed aggressively: vet your suppliers’ cybersecurity practices and insist on contractual safeguards, since attackers often exploit third-party vendors as stepping-stones.
Robust offline backup systems are a final safeguard. Maintain immutable backups of critical OT data and configurations so that even if ransomware encrypts servers, production can be restored without paying the extortion demand.
Finally, adopt a continuous improvement mindset: conduct regular penetration tests and red-team exercises that simulate ransomware incursions in OT environments. Specialized penetration testing can reveal hidden vulnerabilities before adversaries find them. Any gaps you uncover, whether a forgotten test account on the HMI or an unpatched VPN gateway, should be remediated immediately. Pair these tests with ongoing threat intelligence sharing so defenses evolve with the adversary.
Ransomware gangs clearly have manufacturers in their sights. Factories are uniquely vulnerable: the cost of downtime is tremendous, and any production delay can reverberate through the supply chain. To safeguard operations and stay competitive, manufacturers cannot be complacent. The path forward is a proactive, integrated security posture: unifying IT and OT defense, enforcing Zero Trust, training personnel, and preparing response plans. You must treat cybersecurity as a business-critical function by investing in multi-layered protections to build true resilience.