Manufacturing Under Siege: The Recent Ransomware Spike
- Oleg Vusiker
- Oct 8
- 4 min read
A Perfect Storm for Industrial Cybersecurity
Across factory floors, robotic arms stand frozen mid-motion. Conveyor belts stop. Orders pile up. Ransomware has become the most disruptive cyber threat facing modern manufacturing. Attack groups are no longer just encrypting data: they are shutting down production lines, halting shipments, and crippling supply chains.
What makes the current wave more alarming is not only the scale of the attacks but also the sophistication of the methods. Adversaries now abuse vulnerable signed drivers and other kernel-level techniques to blind endpoint protection (AV/EDR/XDR) before unleashing encryption. In those moments even well-protected organizations can suddenly find themselves without visibility or defenses, and the result is weeks of downtime and multimillion-dollar losses.

Average Downtime Following Ransomware
The numbers tell a grim story. According to Comparitech research (2024), between 2018 and October 2024 at least 858 manufacturing companies suffered ransomware incidents, with a collective estimated loss of $17 billion from prolonged operational disruption. On average, downtime following a ransomware attack in this sector lasts 11.6 days, with each day costing approximately $1.9 million. These figures make clear what operators already know: the financial and operational toll is staggering, and the clock starts ticking the moment systems go dark.
Surge in Ransomware Affecting Industrial Organizations
In 2024, ransomware evolved from a nuisance into an existential threat for industrial organizations. That year saw a sharp increase in attacks: 1,693 recorded cases, an 87% year-over-year rise. The operational impact was considerable: one in four incidents caused a complete shutdown, while three-quarters led to partial disruption of operations. Dragos' Year in Review (2025) confirms what most plant managers suspected: manufacturing remains the most frequently targeted sector.
The trend continued into 2025. In Q1 alone, Dragos identified 708 ransomware incidents impacting industrial entities globally, up from roughly 600 in the previous quarter. Dragos reported that manufacturing accounted for 68% of those.
2025 Ransomware Incidents
The headlines in 2025 read like a cautionary timeline. Data I/O disclosed in a Form 8-K filing that a ransomware event detected on August 16, 2025 had disrupted production. Some capabilities were restored, but others remained offline for weeks while investigators combed through systems, and no timetable for full recovery was given. The disclosure underscores how even public companies, which carry SEC reporting obligations, struggle to offer transparency and firm recovery timelines.
Earlier in the year, PCB giant Unimicron was hit by a ransomware attack attributed to the Sarcoma group, forcing a partial operational shutdown. By the end of Q1, manufacturing had become the hardest-hit sector worldwide, accounting for 68% of all ransomware incidents against industrial organizations.
The Jaguar Land Rover ransomware incident
Perhaps no case captured public attention more than Jaguar Land Rover's. Production across its global plants came to a standstill, with downtime stretching beyond a month. Estimated losses topped £50M per week as roughly 1,000 vehicles a day went unbuilt. The crisis hit during "New Plate Day", one of the UK's busiest sales periods, which was hardly a coincidence.
Investigators had to complete forensics before restarting operations to avoid erasing critical evidence, a key factor prolonging the outage. Insufficient network segmentation allowed the attackers to affect both IT and OT systems, amplifying the damage. To stabilize operations and protect its supply chain, the company secured a £1.5 billion UK government-backed loan guarantee. UK media coverage called it the "biggest cyber-attack experienced in the UK economy".

Novel attack techniques bypassing traditional EDR/XDR
As ransomware operators evolve, they are adopting increasingly advanced methods to outmaneuver modern detection and response systems. The following techniques stand out for their sophistication and impact.
The first known AI-powered ransomware:
According to ESET's August 2025 research, the newly identified PromptLock ransomware marks the emergence of the first known AI-powered variant. Rather than shipping a fixed payload, PromptLock generates malicious Lua scripts on the fly by prompting the gpt-oss:20b model through the Ollama API; ESET noted the model may be reached over a proxy or tunnel to attacker infrastructure rather than a hosted commercial AI service. The generated scripts run on Windows, macOS, and Linux, and because each execution produces slightly different code, hash- and signature-based detection and static IoC matching are frustrated. Behavioral detection of the resulting file enumeration and encryption is not defeated by this alone, and ESET assessed the sample as a proof of concept or work in progress rather than malware deployed in the wild, but it shows where the technique is heading.
BYOVD (Bring Your Own Vulnerable Driver) to blind EDR/XDR:
Ransomware operators continue to push the limits of creativity in their battle with defenders, and the latest findings around Akira show just how far they are willing to go. Incident response investigations by GuidePoint Security reveal that the group weaponized a Bring-Your-Own-Vulnerable-Driver (BYOVD) chain, an increasingly common and highly effective tactic. In Akira's case, the attackers drop a legitimate Intel CPU tuning driver (rwdrv.sys, shipped with ThrottleStop) to gain kernel-level access, alongside a malicious helper driver (hlpdrv.sys) that tampers with Windows Defender's DisableAntiSpyware registry setting, effectively blinding the endpoint's defenses before the payload runs. GuidePoint's report does not stop at theory; it provides defenders with actionable resources, including hashes, service names, and YARA rules.
A Growing Pattern of BYOVD Abuse
Akira is hardly alone. Other operators have abused the Microsoft-signed Process Explorer driver (procexp.sys) to terminate security processes before payload deployment. BleepingComputer's analysis of AuKill documents how this approach, popularized by tools like Backstab, can kill even protected (PPL) processes, giving ransomware affiliates a free hand.
More recently, the disclosure of CVE-2025-0289 in Paragon Partition Manager's BioNTdrv.sys driver, which Microsoft observed being abused in BYOVD ransomware attacks, opened yet another door, a reminder that even trusted, signed software becomes a weapon once attackers bring it into play.
The message for defenders is clear: ransomware groups are systematically refining ways to turn legitimate drivers into tools of subversion. Security teams must treat trusted components with the same suspicion they reserve for malware: enforce Microsoft's vulnerable driver blocklist (via HVCI or WDAC), alert on loads of known-abused driver names and hashes, and watch for the Defender-disabling registry changes these chains make.
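The following is an added example, not code from GuidePoint, BleepingComputer or the original post. It shows the detection logic a SOC would run over Sysmon-style telemetry to catch the BYOVD chains discussed above: watched driver loads (event ID 6), the DisableAntiSpyware registry write attributed to Akira's helper (event ID 13), and a per-host correlation of the rwdrv.sys + hlpdrv.sys pair. The events are constructed sample data, and the driver names are the ones named on this page; a production rule would also match hashes against Microsoft's vulnerable driver blocklist or the LOLDrivers project.

```python
"""Flag BYOVD indicators in Sysmon-style events (added example, constructed data)."""
from dataclasses import dataclass

# Driver file names publicly associated with the BYOVD tooling named on this page.
WATCHED_DRIVERS = {
    "rwdrv.sys": "Akira: legitimate ThrottleStop/Intel tuning driver (GuidePoint)",
    "hlpdrv.sys": "Akira: malicious helper driver (GuidePoint)",
    "procexp.sys": "AuKill/Backstab: abused Process Explorer driver",
    "biontdrv.sys": "Paragon Partition Manager driver, CVE-2025-0289",
}

# Registry value Akira's helper driver is reported to set to disable Defender.
DEFENDER_KILL_VALUE = r"\software\policies\microsoft\windows defender\disableantispyware"


@dataclass
class Alert:
    severity: str
    host: str
    reason: str


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: list[dict]) -> list[Alert]:
    """Return alerts for watched driver loads, Defender kill switch, and the Akira pair."""
    alerts: list[Alert] = []
    loads: dict[str, set[str]] = {}  # host -> watched driver names loaded
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 6:  # Sysmon DriverLoad
            name = basename(ev["ImageLoaded"])
            if name in WATCHED_DRIVERS:
                loads.setdefault(host, set()).add(name)
                # A watched driver with a bad or missing signature is worse than a signed one.
                signed_ok = ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
                sev = "medium" if signed_ok else "high"
                alerts.append(Alert(sev, host, f"driver load {name}: {WATCHED_DRIVERS[name]}"))
        elif eid == 13:  # Sysmon RegistryEvent (value set); Details looks like "DWORD (0x00000001)"
            target = ev["TargetObject"].lower()
            details = ev.get("Details", "").strip().lower()
            if target.endswith(DEFENDER_KILL_VALUE) and details in ("dword (0x00000001)", "1"):
                alerts.append(Alert("critical", host,
                                    f"DisableAntiSpyware set to 1 by {basename(ev['Image'])}"))
    # Correlation: both Akira drivers on the same host is the reported chain pattern.
    for host, names in loads.items():
        if {"rwdrv.sys", "hlpdrv.sys"} <= names:
            alerts.append(Alert("critical", host,
                                "rwdrv.sys + hlpdrv.sys loaded on same host (Akira BYOVD chain)"))
    return alerts


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"host": "WS-01", "event_id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"host": "WS-01", "event_id": 6, "ImageLoaded": r"C:\Windows\Temp\rwdrv.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"host": "WS-01", "event_id": 6, "ImageLoaded": r"C:\Windows\Temp\hlpdrv.sys",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"host": "WS-01", "event_id": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"host": "SRV-02", "event_id": 6, "ImageLoaded": r"C:\Tools\procexp.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.host}: {a.reason}")
```

The sample produces five alerts: two medium (the signed rwdrv.sys and procexp.sys loads), one high (unsigned hlpdrv.sys), and two critical (the Defender kill switch and the driver pair correlation). Feeding it real Sysmon output means mapping each event's fields onto the dictionary keys used here.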
Why Cyber Recovery Resilience Matters Most
By the time an attack unfolds, endpoint agents are often the first casualties. True resilience now depends on the ability to restore operations safely and quickly from clean, verifiable backups. Manufacturers must assume that both on-prem and cloud backups can be targeted or encrypted, and design accordingly: immutable storage (object lock or WORM), an isolated recovery path the production domain cannot reach, and integrity checks that run before anything is restored.
Given an average downtime of 11.6 days costing $1.9M per day, every hour saved matters, so manufacturers must prioritize resilient recovery. Attackers will continue to advance kernel-level evasion and to lean on AI-assisted techniques, so prevention alone is no longer enough. Organizations that pair strong controls with regularly rehearsed backup and recovery can turn ransomware from a sector-wide crisis into a recoverable event with bounded impact.
The takeaway is sobering but clear: no one is fully immune. In this new era of adaptive ransomware, resilient recovery is more essential than ever. It is not just a best practice; it is the last line of defense.
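As an added example, not part of the original post, the script below shows what "clean, verifiable backups" means in practice: a SHA-256 manifest of the backup set is signed with an HMAC key held off the backup host, and verification runs before restore. It catches a backup that ransomware has overwritten or padded with a ransom note, and it also catches an attacker who rewrites the manifest to match tampered files but lacks the key. Immutability itself (object lock, WORM media) is a storage-layer control this code does not implement; the files and the "PLC program" and "MES database" contents are constructed sample data.

```python
"""Signed backup manifest: build, verify, and a constructed tamper scenario."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Hash every file under backup_dir and sign the sorted hash list with HMAC-SHA256."""
    files = {p.relative_to(backup_dir).as_posix(): _sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_dir: Path, manifest: dict, key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the set is safe to restore."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # Manifest was altered (or wrong key): nothing below it can be trusted.
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    problems, seen = [], set()
    for p in backup_dir.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(backup_dir).as_posix()
        seen.add(rel)
        if rel not in manifest["files"]:
            problems.append(f"unexpected file: {rel}")      # e.g. a dropped ransom note
        elif _sha256_file(p) != manifest["files"][rel]:
            problems.append(f"content changed: {rel}")      # e.g. encrypted in place
    problems.extend(f"missing file: {rel}" for rel in manifest["files"] if rel not in seen)
    return problems


def demo() -> dict:
    """Constructed scenario: clean set verifies; tampering and a forged manifest are caught."""
    key = os.urandom(32)  # in practice kept offline, never on the backup host
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plc").mkdir()
        (root / "plc" / "line1.prg").write_bytes(b"PROGRAM MAIN ... END_PROGRAM")  # sample data
        (root / "mes.db").write_bytes(b"SQLite format 3\x00" + b"\x00" * 64)         # sample data
        manifest = build_manifest(root, key)
        results["clean"] = verify_backup(root, manifest, key)

        # Ransomware reaches the backup share: one file encrypted, a note dropped.
        (root / "mes.db").write_bytes(os.urandom(80))
        (root / "README_TO_RESTORE.txt").write_bytes(b"pay us")
        results["tampered"] = verify_backup(root, manifest, key)

        # Attacker also rewrites the manifest hash for mes.db but cannot re-sign it.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["mes.db"] = _sha256_file(root / "mes.db")
        results["forged_manifest"] = verify_backup(root, forged, key)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

The key point is that the manifest's HMAC is checked first: a manifest the attacker could rewrite at will would only certify their own tampering. Store the manifest and the key on a path the production domain cannot write to, and run this check as a gate in the restore runbook rather than as an afterthought.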

