Sophos finds rise in data theft as encryption declines in manufacturing attacks

A new Sophos report shows that fewer ransomware attacks in manufacturing end with encrypted data, but attackers are stealing more information and leaning on extortion-only methods.

Ransomware continues to challenge manufacturing companies, but new findings show a shift in how these attacks play out. A recent Sophos report on ransomware in manufacturing and production shows that fewer attacks end with encrypted data, yet more attackers are turning to data theft and extortion to pressure victims. The study draws on responses from 332 manufacturing organizations hit by ransomware in the past year.

One of the biggest changes is the drop in encryption. Only 40% of attacks on manufacturers resulted in data encryption, the lowest in five years and a steep fall from 74% the year before. At the same time, extortion-only cases grew from 3% to 10%. Attackers are leaning on stolen data to force payment even when encryption fails.

Data theft remains a major concern. Among organizations that faced encryption, 39% also had data stolen. This is among the highest theft rates reported across the sectors included in the study.

The report also shows that more manufacturers are managing to stop attacks earlier. Half of the surveyed organizations blocked the attack before data could be encrypted, more than double the share from the previous year.

Still, the findings point to weaknesses that make these companies vulnerable. Many respondents cited missing expertise, unknown security gaps, or a lack of protection. On average, each organization pointed to three internal issues that played a part in the incident.

Even as more companies stop attacks sooner, many that suffer encryption still pay the ransom. According to the report, 51% of these organizations paid. The median payment reached $1 million, compared to a median demand of $1.2 million.

Recovery costs and timelines have improved, however. Excluding ransom payments, the average recovery cost dropped to $1.3 million, a 24% decrease from the previous year. More organizations are returning to normal operations faster—58% recovered within a week, up from 44%.

Ransomware incidents also carry internal fallout. Nearly half of affected manufacturers said IT and security teams faced higher stress after dealing with encryption. Many reported increased pressure from senior leaders, and more than a quarter said the incident led to leadership changes.

"Manufacturing depends on interconnected systems where even brief downtime can stop production and ripple across supply chains," said Alexandra Rose, Director of Threat Research, Sophos Counter Threat Unit.

"Attackers exploit this pressure: despite encryption rates falling to 40%, the median ransom paid still reached $1 million. While half of manufacturers stopped attacks before encryption, recovery costs average $1.3 million and leadership stress remains high. Layered defenses, continuous visibility, and well-rehearsed response plans are essential to reduce both operational impact and financial risk," added Rose.

Sophos X-Ops also tracked activity from ransomware groups over the past year. Its review of leak sites shows that 99 threat groups targeted manufacturing organizations. Groups known as GOLD SAHARA (Akira), GOLD FEATHER (Qilin), and GOLD ENCORE (PLAY) appeared most often.

In more than half of the incidents handled by Sophos' emergency response team, attackers both encrypted and stole data, using it as leverage through double-extortion tactics.

Drawing on its work with manufacturers, Sophos pointed to a few practices that may help reduce risk: address common weak spots that attackers rely on, keep all endpoints—including servers—protected, maintain and test incident response plans, and ensure round-the-clock monitoring, either in-house or through an MDR provider.