Extortion-only attacks surge for manufacturers

Sophos has released its State of Ransomware in Manufacturing and Production 2025 report, revealing a significant shift in attacker behaviour as manufacturers improve their early-stage defences. The global study, based on a survey of 332 organisations hit by ransomware in the past year, shows that although data encryption rates have fallen sharply, adversaries are increasingly turning to data theft and extortion-only tactics to gain leverage.
According to the report, only 40 per cent of ransomware attacks on manufacturers resulted in data being encrypted – the lowest level in five years and a steep drop from 74 per cent in 2024. At the same time, extortion-only attacks have surged from 3 per cent to 10 per cent year-on-year, underscoring a broader shift towards data theft as the primary pressure point. Of the organisations that did experience encryption, 39 per cent also had data stolen – one of the highest cross-sector rates recorded by Sophos.
The study also highlights an improvement in early detection. Half of manufacturing organisations stopped an attack before encryption could occur, more than doubling last year’s 24 per cent. Despite these defensive gains, 51 per cent of those that did suffer encryption still paid the ransom, with the median payment sitting at US$1 million against a median demand of US$1.2 million.
Recovery metrics have improved, with average recovery costs (excluding ransom) dropping 24 per cent to US$1.3 million. The majority of organisations – 58 per cent – fully restored operations within one week, up from 44 per cent last year. However, the human impact remains severe: 47 per cent of respondents reported increased stress on IT and security teams, 44 per cent said pressure from senior leadership rose, and more than a quarter experienced leadership changes following the incident.
Sophos X-Ops observed 99 distinct ransomware groups targeting manufacturing organisations over the past 12 months. Among the most active were Akira (GOLD SAHARA), Qilin (GOLD FEATHER) and PLAY (GOLD ENCORE). In more than half of the incidents handled by Sophos Emergency Incident Response, attackers engaged in double extortion, both stealing and encrypting data, and threatening to publish sensitive information on leak sites.
Alexandra Rose, Director of Threat Research at Sophos’ Counter Threat Unit, said the operational sensitivity of manufacturing continues to make it an attractive target. She noted that even brief downtime can disrupt production and supply chains, giving attackers strong leverage. Despite the reduction in encryption rates, Rose said the financial and operational fallout remains significant, reinforcing the need for layered defences, continuous visibility and well-drilled incident response processes.
To strengthen resilience, Sophos recommends addressing root-cause vulnerabilities, deploying robust endpoint and server protection, maintaining and testing incident response plans and backups, and ensuring around-the-clock monitoring. For organisations lacking internal resources, partnering with a Managed Detection and Response provider can significantly improve threat visibility and reduce the impact of attacks.
You can read the full report here.