Cyber Gangs Pivot To Data Theft Extortion

Sophos report finds encryption rates falling dramatically, but manufacturing firms are increasingly paying up as attackers resort to stealing sensitive data for leverage

Manufacturing and production companies are proving more successful at halting ransomware attacks before systems are encrypted, but this progress is forcing attackers to adopt more aggressive extortion tactics involving data theft, according to new research from global cybersecurity leader Sophos.

The annual Sophos State of Ransomware in Manufacturing and Production 2025 report reveals a significant change in the cyber threat landscape for the sector, which remains highly vulnerable due to its dependence on interconnected, time-sensitive systems.

Encryption Rate Halves, Extortion Surges

The most striking finding is the dramatic reduction in successful data encryption. Only 40 per cent of ransomware attacks on manufacturers resulted in encrypted data, a five-year low and a sharp drop from 74 per cent the previous year. This suggests 50 per cent of organisations are now successfully stopping attacks before the critical encryption phase.

However, adversaries are not giving up. As encryption becomes harder, “extortion-only” attacks—where the attacker steals data and threatens to leak it without ever encrypting the victim’s network—have surged to 10 per cent, up from just 3 per cent in 2024. Furthermore, 39 per cent of manufacturers that faced encryption also had their data stolen, highlighting the prevalence of “double extortion.”

Despite the improved ability to block encryption, the financial and operational pressure remains high. More than half of affected manufacturers (51 per cent) still paid the ransom, with the median ransom settling at USD 1 million.

Cost & Organisational Impact

“Manufacturing depends on interconnected systems where even brief downtime can stop production and ripple across supply chains,” said Alexandra Rose, Director of Threat Research at Sophos. “Attackers exploit this pressure: despite encryption rates falling to 40 per cent, the median ransom paid still reached USD 1 million.”

The average recovery cost, excluding any ransom payment, declined by 24 per cent to USD 1.3 million. On a positive note, recovery times are improving, with 58 per cent of manufacturers fully recovering within one week, up from 44 per cent last year.

The report also highlighted the internal struggles facing the industry, with 42.5 per cent of organisations citing a lack of security expertise and 41.6 per cent pointing to unknown security gaps as contributing factors to successful attacks.

Ransomware incidents led to significant organisational stress: 47 per cent reported increased team stress, and 27 per cent experienced leadership changes as a direct result of an attack.

Sophos X-Ops identified the groups Akira (GOLD SAHARA), Qilin (GOLD FEATHER), and PLAY (GOLD ENCORE) as the most prominent ransomware threats targeting the global manufacturing sector.
