Manufacturing Sector Blocks More Ransomware Attempts, but Data Theft Surges: Sophos Report 2025

Sophos

Encryption rates fall to a five-year low, yet extortion-only attacks rise as adversaries shift tactics

Sophos has released its State of Ransomware in Manufacturing & Production 2025 report, revealing a complex shift in ransomware behaviour targeting the global manufacturing sector. While the industry is stopping more attacks before data encryption, cybercriminals are increasingly stealing data and executing extortion-only campaigns to maintain leverage over victims.

According to the independent survey of 332 manufacturing organisations hit by ransomware in the past year, only 40% of attacks resulted in data encryption—a steep drop from 74% last year and the lowest level reported in five years. However, extortion-only attacks jumped from 3% to 10%, highlighting adversaries’ growing focus on data theft over encryption.

Despite improved early detection, the impact remains significant: 39% of manufacturers whose data was encrypted also had data stolen, one of the highest rates across sectors. Meanwhile, 50% of organisations successfully stopped attacks before encryption, more than double the previous year’s figure.

“Manufacturing depends on interconnected systems where even brief downtime can halt production. Attackers exploit this pressure—making layered defenses and practiced response plans absolutely essential.”

— Alexandra Rose, Director of Threat Research, Sophos CTU

The study reveals systemic challenges within manufacturing cybersecurity environments. Nearly 42.5% of respondents cited a lack of expertise, while 41.6% reported unknown security gaps and 41% acknowledged inadequate protection. On average, respondents pointed to three internal factors that enabled the breach.

Financial and operational fallout also remains substantial. More than half (51%) of organizations with encrypted data paid the ransom, with a median payment of USD 1 million. Encouragingly, recovery costs—excluding ransom—fell by 24% to USD 1.3 million, and 58% of organisations fully recovered within a week, up from 44% in 2024.

Sophos X-Ops also tracked ransomware group behaviour across leak sites, identifying 99 threat groups targeting manufacturers, including Akira (GOLD SAHARA), Qilin (GOLD FEATHER) and PLAY (GOLD ENCORE). Double-extortion attacks, in which data is both stolen and encrypted, accounted for more than half of all emergency incidents Sophos remediated.

To strengthen long-term resilience, Sophos recommends eliminating root-cause vulnerabilities, deploying advanced endpoint defenses, practising incident-response readiness, and ensuring 24/7 visibility through MDR services.

The full Sophos State of Ransomware in Manufacturing & Production 2025 report is available for download.
