Manufacturing industry blocks more ransomware attempts, while adversaries shift to data theft: Sophos report

Sophos announced new findings from the Sophos State of Ransomware in Manufacturing and Production 2025 report. The study reveals that manufacturers are stopping more ransomware attacks before data can be encrypted; however, adversaries are increasingly stealing data and using extortion-only tactics to maintain pressure. As a result, more than half of manufacturing organisations impacted by encryption paid the ransom despite progress in defensive measures. The report is based on an independent survey of 332 manufacturing organisations that were hit by ransomware in the last year.

The Sophos State of Ransomware in Manufacturing and Production report found:

• Encryption rates are falling, but adversaries are shifting tactics: 40% of attacks on manufacturers resulted in data encryption, the lowest level in five years and down from 74% last year. However, extortion only attacks surged to 10% from just 3% in 2024 as attackers increase reliance on data theft for leverage.
• Data theft remains a significant concern: 39% of manufacturers that experienced encryption also had data stolen, one of the highest rates across all surveyed sectors.
• More organisations are stopping attacks before encryption: 50% of manufacturing organisations stopped the attack before data could be encrypted, more than double last year’s 24%.
• Expertise shortfalls and inadequate protection fuel attacks: Lack of expertise was cited by 42.5% of organisations. Unknown security gaps were cited by 41.6%, and a lack of protection by 41%. Respondents identified an average of three internal factors that contributed to the attack.
• More than half of manufacturers with encrypted data paid the ransom: 51% of affected organisations paid the ransom. The median ransom paid was $1 million dollars, compared to a median demand of $1.2 million dollars.
• Recovery costs and timelines are improving: The average cost to recover from a ransomware attack, excluding ransom payment, declined by 24% to $1.3 million dollars. 58% of manufacturers fully recovered within one week, up from 44% last year.
• Ransomware incidents affect IT and security teams: 47% of manufacturers reported increased team stress after experiencing data encryption. 44% said pressure from senior leaders increased, and 27% reported leadership change as a result of the attack.

“Manufacturing depends on interconnected systems where even brief downtime can stop production and ripple across supply chains,” said Alexandra Rose, Director of Threat Research, Sophos Counter Threat Unit. “Attackers exploit this pressure: despite encryption rates falling to 40%, the median ransom paid still reached $1 million. While half of manufacturers stopped attacks before encryption, recovery costs average $1.3 million and leadership stress remains high. Layered defences, continuous visibility, and well-rehearsed response plans are essential to reduce both operational impact and financial risk.”