It’s 2:47 AM on a Saturday in March. A 90-employee aerospace component manufacturer in Anaheim is closed for the weekend. The night-shift cleaning crew left an hour ago. The plant manager is asleep at home in Yorba Linda. And on a virtual machine inside the company’s flat network, an encryption process that has been quietly waiting for the right moment begins systematically rewriting every file it can reach.
By 5:00 AM, the file server is encrypted. The CAD workstations are encrypted. The ERP system is encrypted. The MES system that pushes job tickets to the CNC machines is encrypted. The backup NAS — sitting on the same network, because it always has been — is encrypted. And on every workstation in the building, a single .txt file has appeared with payment instructions in broken English and a deadline measured in hours.
This is not a hypothetical scenario. It is the operational reality for 1,466 manufacturing companies attacked by ransomware in 2025 — a 56% surge over the previous year. The companies losing this fight are losing on average 11.6 days of production, at a documented average cost of $1.9 million per day. The hour-by-hour mechanics of what happens between the encryption process starting and the plant restarting are what every Orange County manufacturer needs to understand before it happens, not after.
Here’s the timeline.
The week before: what your CFO never sees
The attack didn’t actually start at 2:47 AM Saturday. It started 17 days earlier, on a Tuesday afternoon, when the purchasing manager opened a PDF that looked like a quote from a regular vendor. The PDF ran. Nothing happened. Or rather, nothing visible happened — what actually happened is that a credential-stealing payload installed itself silently and began collecting passwords from her browser, her saved network shares, and her email.
For the next two and a half weeks, attackers mapped the network. They identified the ERP server, the file shares, the backup NAS, the CAD workstations, the MES system, the domain controller. They learned that the plant runs three shifts but that Saturday and Sunday are skeleton crew. They observed that the network is flat — every workstation can reach every server. They identified the IT vendor, monitored when they typically log in, and noted the response time for after-hours alerts (slow). They positioned encryption payloads on every server in the environment and waited.
The attack at 2:47 AM Saturday is the visible part of the iceberg. The 17 days of reconnaissance, by an attacker with credentialed access who was reading the bookkeeper’s email and watching the CFO send wire instructions, is the part nobody knew about and nobody will ever quantify.
Hour by hour: the day it goes sideways
T+0 (Saturday, 2:47 AM): Encryption begins on the file server. Because the network is flat, the encryption process spreads to every reachable system over the next two hours. The backup NAS is hit at 3:51 AM.
T+5 hours (Saturday, 8:00 AM): The shipping manager comes in to handle a Saturday rush order. His workstation won’t authenticate. He notices the ransom note. He calls the plant manager.
T+6 hours (Saturday, 9:00 AM): The plant manager arrives. He calls the IT vendor’s emergency line. The on-call technician calls back 45 minutes later. By 10:30 AM, the IT vendor confirms what the plant manager already suspected: ransomware, broad encryption, backup likely compromised. The IT vendor recommends calling the FBI and a breach response firm. Neither has been pre-identified. Time is spent Googling.
T+12 hours (Saturday, 2:47 PM): The CEO is informed. The CFO is informed. The board is informed. A conference call is held. The decision tree starts to take shape: pay the $1.16 million ransom (the industry average for 2025), or attempt to rebuild from whatever backups might be salvageable. Breach counsel is engaged for $50,000 in retainer fees. A forensic incident response firm is engaged at $400/hour with a 100-hour minimum.
T+24 hours (Sunday, 2:47 AM): The forensic firm has identified the entry point (Tuesday’s PDF, 17 days ago), confirmed the attacker had domain admin access, and confirmed the backups are encrypted because they lived on the same network. The cyber insurance broker is on the call. The insurance carrier sends an initial response — they will need to review whether the application’s representations about MFA and backup isolation match the post-breach findings before coverage is confirmed. This is not what anyone wanted to hear.
T+48 hours (Monday morning): Production is supposed to start at 6:00 AM. It doesn’t. The MES system that pushes job tickets to the CNC machines is offline. The ERP system that tracks inventory and shipments is offline. The plant has paper records of the next two days of jobs, so some work can continue manually — but quality records, traceability, and shipment documentation cannot. For aerospace work, the lack of traceability means the parts cannot be shipped to the prime contractor. Production effectively stops.
T+72 hours (Tuesday morning): Three customers call the CEO. They’ve heard about the attack through industry channels. They want to know if their deliveries are on schedule. The CEO has to choose between honesty (that hurts existing relationships) and ambiguity (that hurts trust when discovered). One customer puts the company on a “supplier risk hold” pending resolution. The two-week production schedule starts shifting outward.
Day 4–7: The forensic firm completes its containment work. The decision is made to rebuild from older offline backups (made monthly by the IT vendor, somewhat coincidentally, and not encrypted by the attack). The rebuild begins. ERP data is restored to a state from 31 days ago. A month of inventory transactions, quality records, and shipping data must be reconstructed manually from paper records, emails, and bank statements. Three temp workers are hired for data entry.
Day 7–14: Production restarts at reduced capacity. The MES system is operational but missing 31 days of job history. CNC operators are recalibrating machines and re-validating tools because the configuration data was reconstructed from snapshots. Aerospace prime contractors are notified of the incident and require additional documentation before accepting future shipments. One prime initiates a supplier audit. Industry compliance review begins.
Day 14–60 (the long tail): Cyber insurance is still in dispute over whether application representations matched reality. Class action attorneys file a complaint on behalf of employees whose payroll data was exposed. The Department of Justice’s Civil Cyber-Fraud Initiative opens an inquiry because the company is a defense subcontractor and the SPRS score from the prior year may not have been accurate. Two key customers have moved business to competitors. The CFO updates the year’s financial forecast downward.
The financial damage, line by line
| Cost category | Typical range for a mid-sized OC manufacturer |
|---|---|
| Production downtime (11.6 days avg) | $2M–$22M (depending on margin, capacity, customer mix) |
| Forensic incident response | $80K–$400K |
| Breach counsel | $50K–$300K |
| Ransom (if paid) | $1.16M industry average; some demands $51M–$200M |
| Hardware/software rebuild | $50K–$500K |
| Data reconstruction labor | $30K–$150K |
| Notification & credit monitoring | $10–$50 per affected employee/customer record |
| Customer churn (12-month impact) | 10–30% of affected accounts; revenue impact often dwarfs other costs |
| Cyber insurance dispute (if denied) | Full claim value at risk; see Travelers v. ICS pattern |
| CMMC/SPRS regulatory exposure | $4.6M–$11.25M (MORSE, Health Net settlement examples) |
The supply chain ripple nobody talks about
A factory ransomware attack doesn’t stop at the factory walls. In aerospace and defense manufacturing — heavily concentrated in Orange County — a single mid-tier supplier going offline for two weeks ripples directly into delivery schedules at the primes. The 2025 Collins Aerospace ransomware attack disrupted multiple European airports for days. JBS Foods’ 2021 attack caused meat shortages across North America. Clorox’s 2023 attack created store shelf shortages and forced a revised financial forecast.
For OC manufacturers serving primes — and for the primes themselves — the question isn’t whether your supplier might get hit. It’s whether your business continues to operate when a critical supplier disappears for 11.6 days. Most manufacturers haven’t done this risk modeling. Their primes increasingly have, and they’re starting to require evidence of their suppliers’ cybersecurity posture as a condition of continued business.
Why manufacturing specifically gets this treatment
Three structural factors make manufacturing the most-attacked sector for the fifth year running, per IBM’s X-Force data. First, operational technology (OT) — the CNC machines, the PLCs, the SCADA systems — runs on software that’s notoriously difficult to patch. 80% of manufacturers harbor critical vulnerabilities in legacy OT systems. Second, manufacturing has the lowest tolerance for downtime of almost any sector, which attackers know means a higher willingness to pay. Third, intellectual property — drawings, processes, formulations, customer lists — is sitting on the same flat network as everything else, ready to be exfiltrated and used as additional leverage.
Add to this the rise of “extortion-only” attacks, which jumped from 3% to 10% of manufacturing incidents in 2025. In these scenarios, attackers don’t bother encrypting anything — they just steal IP and threaten to release it publicly unless paid. The pressure is the same; the recovery path is worse, because there’s nothing to restore.
What every OC manufacturer should have ready before this hits
You can’t prevent every initial compromise. Phishing works, vulnerabilities exist, employees click. What you can control is what happens between the click and the catastrophe — and almost all of that is preparation, not response. The honest playbook for a 50–500 employee Orange County manufacturer:
- Segment the network. Production floor, office, IoT, backups, and guest WiFi on separate VLANs with firewall rules between them. If your file server can be reached from a CNC operator’s workstation, your blast radius is the entire plant.
- Isolate and test backups. Immutable, off-network, tested monthly against a ransomware scenario. Backups on the same network as production are not backups — they’re additional encryption targets.
- Deploy real EDR and 24/7 monitoring. Antivirus catches yesterday’s malware. EDR catches anomalous behavior in real time. Without monitoring, “real-time” doesn’t matter.
- Enforce MFA everywhere. Email, VPN, ERP, MES, file shares, RDP, admin accounts. Every door. The 17-day reconnaissance window in the scenario above closes dramatically if attackers can’t move with stolen credentials.
- Pre-identify breach counsel, forensic responder, and insurance contacts. Have the phone numbers in a binder, printed, in the plant manager’s office. The first hour of an incident is not the time to start Googling.
- Run a tabletop exercise. Once a year. Walk the executive team and IT through exactly what the first 72 hours look like. The exercise reveals the gaps that the real incident would surface — but cheaper and without consequences.
- Build CMMC compliance into the foundation, not as an afterthought. For defense subcontractors, CMMC-aligned cybersecurity for OC manufacturers is becoming the baseline expected by primes, and most of the controls that prevent ransomware also satisfy CMMC requirements.
None of this is novel. The reason it isn’t implemented at most OC manufacturers is the same reason it wasn’t implemented at the 1,466 companies hit in 2025: it requires real cybersecurity expertise, real ongoing investment, and a real managed IT and security partner who treats the plant floor as part of the security perimeter — not someone else’s problem.
The honest version
A ransomware attack on a manufacturer is not a single event. It’s a 72-hour operational crisis followed by a 60-day financial and reputational crisis followed by a year-long trail of regulatory, legal, and customer-relationship consequences. The companies that survive it well are the ones that decided what their first 24 hours would look like before they had to do it for real. The companies that handle it poorly are the ones that improvise during the active fire.
The 1,466 manufacturers attacked in 2025 weren’t selected because they were the biggest or the most valuable. They were selected because they were available — flat networks, weak monitoring, missing MFA, untested backups, no IR plan, and an IT vendor who handles printers fine but isn’t a security partner. Orange County’s manufacturing base is full of facilities matching that profile. The attackers know. The question is whether the plant manager does too.
Intelecis runs ransomware-readiness assessments for Orange County manufacturers as part of every free security review — including a documented walk-through of what your plant would actually do in hour 1, hour 12, and hour 72 of an incident. NSA-Accredited, with documented experience across CMMC, aerospace, defense, and precision manufacturing environments. Book a discovery call and we’ll show you exactly where your gaps are, in writing.
📞 949-266-2088 · Fullerton, CA · NSA-Accredited · Serving OC since 2010
Related reading:
CMMC Compliance for OC Manufacturers ·
Managed IT Services in Orange County ·
Network Segmentation: The $50 Fix That Stops $500K Breaches ·
Your Cyber Insurance Policy Will Be Denied: The Clause Insurers Are Using ·
Schedule Your Free Security Assessment

