Why ransomware groups love manufacturers - and what to do about it
Manufacturers pay because a plant standing idle costs more than the ransom, and the bill arrives by the hour. That's the calculation attackers are doing, and it's why the sector is being hit so hard.
Ransomware crews have done the maths on manufacturing. A factory standing idle for a week costs more than almost any ransom they'd dare ask for, and most plants don't have the recovery muscle to refuse. That's why the sector keeps showing up at the top of incident reports year after year.
It's not personal. The attackers don't dislike manufacturers. They just notice that the willingness to pay is high, the time pressure is brutal, and the security posture is often a generation behind professional services or financial services. So the sector keeps getting hit.
What actually goes wrong
It almost never starts on the shop floor. It starts in a mailbox in finance, operations or quality. Someone clicks a link or opens an attachment, the attacker establishes a foothold on a Windows laptop, and they wait.
Over the next few days or weeks they map the network, find the file shares, escalate privileges through a service account or a poorly protected admin account, locate the backups, and pre-stage their tooling. The actual encryption happens on a quiet Saturday morning, when detection is slow and the recovery team is at a barbecue.
By Monday, the ERP can't reach the database, the planning files are encrypted, the shared drives the line depends on are gone, and nobody has the backups they thought they did.
Why backups so often fail at the worst moment
The single most common cause of a long outage is a backup setup that was configured but never tested by an actual restore. Tapes that haven't been rotated. Cloud backups that sat inside the same tenant, reachable with the same admin credentials the attacker had already taken, so they went with everything else. Snapshots retained for seven days when the attacker had been inside for fourteen, so every restore point still on disk was taken after the compromise.
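The retention-versus-dwell arithmetic is worth working through, because it is the check most backup reviews skip. The script below is an added example, not code from the original post or from any backup product. It assumes a constructed scenario (first foothold on 1 June, encryption discovered on Saturday 15 June, one restore point per day) and asks the only question that matters on the day: is there a restore point that was taken before the attacker got in, has not yet expired, and cannot be deleted by the admin credential the attacker now holds?

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed scenario (an assumption for illustration, not a real incident):
# foothold on 1 June, encryption discovered on 15 June, so the attacker dwelled 14 days.
FIRST_COMPROMISE = datetime(2024, 6, 1)
DISCOVERED_AT = datetime(2024, 6, 15)
CATALOGUE_START = datetime(2024, 5, 1)


@dataclass(frozen=True)
class RestorePoint:
    taken_at: datetime
    retention_days: int   # the platform expires the point this many days after it was taken
    immutable: bool       # True if no credential inside the tenant can delete it early


def daily_points(start: datetime, end: datetime, retention_days: int, immutable: bool) -> List[RestorePoint]:
    """Constructed backup catalogue: one restore point per day from start to end inclusive."""
    points, day = [], start
    while day <= end:
        points.append(RestorePoint(day, retention_days, immutable))
        day += timedelta(days=1)
    return points


def usable_clean_points(points: List[RestorePoint], first_compromise: datetime,
                        discovered_at: datetime, attacker_has_admin: bool = True) -> List[RestorePoint]:
    """Restore points you can actually use on discovery day: taken before the
    attacker got in, not yet expired, and not deletable with the admin credential
    the attacker is assumed to hold (the 'same identity boundary' problem)."""
    usable = []
    for p in points:
        taken_before_compromise = p.taken_at < first_compromise
        still_retained = p.taken_at + timedelta(days=p.retention_days) > discovered_at
        survives_attacker = p.immutable or not attacker_has_admin
        if taken_before_compromise and still_retained and survives_attacker:
            usable.append(p)
    return sorted(usable, key=lambda p: p.taken_at)


def rollback_days(points: List[RestorePoint], first_compromise: datetime,
                  discovered_at: datetime, attacker_has_admin: bool = True) -> Optional[int]:
    """Days of work lost if you restore from the newest usable clean point; None if there is none."""
    usable = usable_clean_points(points, first_compromise, discovered_at, attacker_has_admin)
    if not usable:
        return None
    return (discovered_at - usable[-1].taken_at).days


def assess(retention_days: int, immutable: bool, attacker_has_admin: bool = True) -> Optional[int]:
    """Apply a retention policy to the constructed scenario and report the rollback window."""
    points = daily_points(CATALOGUE_START, DISCOVERED_AT, retention_days, immutable)
    return rollback_days(points, FIRST_COMPROMISE, DISCOVERED_AT, attacker_has_admin)


if __name__ == "__main__":
    for retention, immutable in [(7, True), (14, True), (30, False), (30, True)]:
        result = assess(retention, immutable)
        outcome = "no clean restore point survives" if result is None else f"roll back {result} days"
        print(f"retention={retention:>2}d immutable={immutable!s:<5} -> {outcome}")
```

Two things fall out of running it. Retention equal to the dwell time is as useless as retention shorter than it, because the last pre-compromise point expires on the morning you need it. And a 30-day policy that is not immutable gives the same answer as no policy at all once the attacker holds an admin credential in the tenant, which is exactly the position they are in by the time they pull the trigger.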
Modern ransomware groups know how backups work. They look for them, delete them, wipe the shadow copies and stop the backup agent early, well before the encryption starts. The only backups that survive are the ones the attacker's stolen credentials can't reach: held off-tenant under separate credentials, immutable for longer than a realistic dwell time, and proven by an actual restore.
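That early tampering is also the loudest signal a SOC gets before the encryption itself, and it is cheap to watch for. The following is an added example, not code from the original post or from any EDR vendor: a small detector run over constructed process-creation events (the log lines, host names, user names and the `BACKUP_SERVICES` list are all assumptions made up for the example). It flags the shadow-copy and catalogue deletion commands, the boot-recovery change, and stops of the services backups depend on, then picks out hosts where several distinct rules fire, which is the pattern of an operator clearing the way rather than an admin doing one odd thing.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List

# Placeholder service names (an assumption, not a vendor list): the backup agent and
# the SQL VSS writer that backup jobs rely on. Replace with what runs on your estate.
BACKUP_SERVICES = {"backupagentsvc", "sqlwriter"}

# Each rule is (name, regex over the normalised command line). These are the
# well-known pre-encryption tampering commands, not an exhaustive catalogue.
RULES = [
    ("shadow_copy_deletion",   re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("shadow_storage_squeeze", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("wbadmin_catalog_delete", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b")),
    ("boot_recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("ps_shadowcopy_delete",   re.compile(r"win32_shadowcopy\b.*(?:remove-wmiobject|\.delete\(\))")),
]
SERVICE_STOP = re.compile(r"\b(?:sc(?:\.exe)?|net(?:\.exe)?)\s+stop\s+(\S+)")

# Constructed sample events (JSON lines, one per process creation). Not real telemetry.
SAMPLE_LOG = r"""
{"ts": "2024-06-15T06:02:11Z", "host": "FIN-LT-07", "user": "ACME\\jsmith", "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\""}
{"ts": "2024-06-15T06:14:53Z", "host": "FIN-LT-07", "user": "ACME\\jsmith", "cmdline": "vssadmin list shadows"}
{"ts": "2024-06-15T06:15:02Z", "host": "FIN-LT-07", "user": "ACME\\svc-backup", "cmdline": "\"C:\\Windows\\System32\\vssadmin.exe\" Delete Shadows /All /Quiet"}
{"ts": "2024-06-15T06:15:09Z", "host": "FIN-LT-07", "user": "ACME\\svc-backup", "cmdline": "cmd.exe /c wbadmin delete catalog -quiet"}
{"ts": "2024-06-15T06:15:15Z", "host": "FIN-LT-07", "user": "ACME\\svc-backup", "cmdline": "bcdedit /set {default} recoveryenabled No"}
{"ts": "2024-06-15T06:15:20Z", "host": "FIN-LT-07", "user": "ACME\\svc-backup", "cmdline": "net stop \"BackupAgentSvc\""}
{"ts": "2024-06-15T06:16:01Z", "host": "ERP-APP-01", "user": "ACME\\svc-backup", "cmdline": "powershell -nop -w hidden -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\""}
{"ts": "2024-06-15T07:30:00Z", "host": "PRINT-01", "user": "ACME\\itops", "cmdline": "sc stop Spooler"}
"""


def normalise(cmdline: str) -> str:
    """Lower-case, drop quoting and collapse whitespace so the rules see one shape."""
    return re.sub(r"\s+", " ", cmdline.replace('"', " ")).strip().lower()


def parse_log(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan_events(events: List[dict]) -> List[dict]:
    """Return one finding per (event, rule) hit, preserving event order."""
    findings = []
    for ev in events:
        cmd = normalise(ev.get("cmdline", ""))
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append({**ev, "rule": name})
        m = SERVICE_STOP.search(cmd)
        if m and m.group(1) in BACKUP_SERVICES:
            findings.append({**ev, "rule": "backup_service_stopped", "service": m.group(1)})
    return findings


def hosts_to_escalate(findings: List[dict], min_distinct_rules: int = 2) -> Dict[str, List[str]]:
    """Hosts where several different tampering rules fired: treat as an active operator, not noise."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_distinct_rules}


if __name__ == "__main__":
    hits = scan_events(parse_log(SAMPLE_LOG))
    for f in hits:
        print(f"{f['ts']} {f['host']:<10} {f['user']:<18} {f['rule']}")
    print("escalate:", hosts_to_escalate(hits))
```

The point is less the regexes than the two deliberate blind spots it avoids: `vssadmin list shadows` and `sc stop Spooler` are left alone, so the alert that does fire on a Saturday at six in the morning is one worth waking someone for, and a single rule on a single host is reported but not escalated until a second distinct rule joins it.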
The unglamorous controls that actually work
MFA everywhere, enforced through conditional access rather than left for users to opt into. This alone stops the great majority of intrusions that rely on a stolen or guessed password. It does not stop a stolen session token or a user who approves a push prompt they didn't start, so admin accounts should be on phishing-resistant methods and repeated push prompts should be something the SOC sees.
A real backup of Microsoft 365 and the ERP that has been restored, not just configured. Immutable storage, off-tenant, under credentials the production admins don't hold, with recovery time and recovery point objectives that were measured on the last restore rather than estimated.
Segmented networks, so the inevitable initial foothold can't spread to the file shares the line depends on. The previous post on OT/IT segmentation goes deeper on this.
Endpoint detection and response watched by someone competent. Either an internal team or a managed SOC. The product matters less than whether anyone is looking at it.
A tabletop exercise that the leadership team has actually sat through. The first time the operations director hears the question 'do we pay?' shouldn't be the day it matters.
The board conversation
Most manufacturing boards approve cyber spend after a peer in their network has an incident. Trying to get ahead of that is the right move and the harder one. The board doesn't need a technology briefing; it needs a clear set of business questions answered.
How long can we be down before it threatens covenants or customer contracts? What's our committed recovery time? What's the gap between that and what we can actually deliver today? Where would the money be best spent to close that gap?
If those four questions have answers in your board pack, you're in the upper half of the sector. If they don't, that's the conversation to have at the next meeting.
On paying the ransom
The honest answer is that paying is sometimes a rational business decision in the moment. That doesn't mean it should be the strategy. Decisions made in extremis are not the place to discover your incident response plan was three pages long and out of date.
Plenty of manufacturers have paid and still spent two weeks recovering. The decryptor doesn't restore the line on its own: it is typically slow, not always reliable, and does nothing about the access the attacker left behind. The work to rebuild cleanly and get back to production happens regardless.
What good looks like
Good looks boring. MFA is on. Backups are tested. The SOC is awake on a Saturday. The leadership team has a playbook. There's a relationship with an incident response firm before there's an incident, not after.
None of this stops attempts. It stops attempts becoming incidents, and incidents becoming the kind of week that ends with a profit warning.
The recovery muscle nobody practises
Most manufacturers haven't actually rehearsed a full ERP and file share recovery. The backups exist, the runbooks exist, but the team has never sat down on a Saturday and worked through the sequence. The first time they do it is during an incident, with the operations director in the room, and it goes badly.
A live exercise once a year, restoring the ERP into an isolated environment and running a planning cycle against it, catches the things the runbooks missed. Service accounts that won't authenticate, integration endpoints that point at the wrong place, third-party connectors that need re-keying. Better to find these in a controlled exercise than under pressure.
A closing note on insurers. The cyber insurance market for manufacturers has hardened sharply, and renewals now hinge on evidence rather than assertion. Firms that can show MFA coverage, segmentation, tested backups and a rehearsed plan tend to renew cleanly. Firms that can't see premiums climb or cover narrow.
Treat the insurer's questionnaire as a useful checklist rather than a chore. The questions they're asking are the questions an attacker would ask too.