Sophos announced new findings from its State of Ransomware in Manufacturing and Production 2025 report, revealing how ransomware attacks are evolving across the sector. The company reported that manufacturers are stopping more attacks before data can be encrypted; however, adversaries are increasingly stealing data and relying on extortion-only tactics. The survey includes insights from 332 manufacturing organizations hit by ransomware in the past year.

The report revealed that 40% of attacks resulted in data encryption, the lowest level in five years and down from 74% last year. However, extortion-only attacks increased to 10% from 3% in 2024, showing a shift toward data theft for leverage. Sophos reported that 39% of organizations that experienced encryption also had data stolen, one of the highest rates across all industries surveyed.

Additionally, 50% of manufacturers stopped the attack before data could be encrypted, more than double last year’s 24%. Despite this progress, lack of expertise was cited by 42.5% of organizations, while unknown security gaps were cited by 41.6% and lack of protection by 41%. Respondents identified an average of three internal factors that contributed to the attack.

More than half of manufacturers impacted by data encryption paid the ransom. Sophos revealed that 51% of victims paid, with a median payment of $1 million compared to an average demand of $1.2 million.

The report also found improvements in recovery. The average cost to recover, excluding ransom payments, declined by 24% to $1.3 million. Furthermore, 58% of manufacturers fully recovered within one week, up from 44% last year. However, ransomware attacks still affected IT and security teams. Sophos reported that 47% experienced increased stress, 44% saw greater pressure from senior leaders, and 27% reported leadership changes after the incident.

Key findings highlighted include:
• Extortion-only ransomware attacks are rising.
• Recovery times are improving despite high financial impact.
• Encryption rates are falling, but ransomware attacks remain severe.

Alexandra Rose, Director of Threat Research at Sophos, said manufacturing depends on interconnected systems where even brief downtime disrupts production and supply chains. She revealed that attackers exploit this pressure, noting that even with encryption rates falling to 40%, the median ransom still reached $1 million. She added that layered defenses and continuous visibility are essential to reduce risk.

Sophos X-Ops reported that 99 threat groups targeted manufacturing organizations over the last year. The most active groups included GOLD SAHARA (Akira), GOLD FEATHER (Qilin), and GOLD ENCORE (PLAY). The company also revealed that in more than half of the incidents handled by Sophos Emergency Incident Response, attackers both stole and encrypted data, demonstrating widespread use of double extortion.

To strengthen long-term resilience, Sophos recommended eliminating root causes, defending every endpoint, planning and testing response strategies, and maintaining 24/7 monitoring through MDR services. The company stated that these measures can help manufacturers stay ahead of ransomware attacks and reduce operational and financial disruption.

Related post

View all