New data from the Sophos State of Ransomware in Manufacturing and Production 2025 report delivers a stark, two-part message for the industry: defenses are improving, but attackers are adapting faster. While manufacturing organizations are successfully stopping more ransomware attacks early on, adversaries are pivoting aggressively to data theft and extortion to maintain leverage.
Based on an independent survey of 332 manufacturing organizations, the findings highlight both the progress the industry has made and the crucial, evolving threats it still faces.
The 2025 Sophos report underscores a significant shift in how attackers target manufacturers:
- Falling Encryption, Rising Extortion
Positive Trend: Only 40% of attacks on manufacturers resulted in data encryption, the lowest level in five years (down sharply from 74% last year). This shows a marked improvement in early detection and defense.
Adversary Pivot: However, this progress is offset by the dramatic rise of extortion-only attacks, which surged from 3% to 10% of incidents. Attackers are increasingly relying on stolen data, not just locked data, for leverage.
- The Double-Edged Sword of Data Theft
Manufacturing now has one of the highest rates of data theft across all surveyed sectors, with 39% of organizations that experienced encryption also reporting stolen data. The most prominent groups targeting the sector, such as GOLD SAHARA (Akira) and GOLD FEATHER (Qilin), routinely employ double extortion, stealing data and encrypting it to maximize pressure. Sophos X-Ops observed 99 distinct threat groups targeting the industry in the last year alone.
- The Cost of the Attack
Despite improved defenses, over half (51%) of affected organizations still paid the ransom. The median ransom paid was $1 million, against a median demand of $1.2 million. Excluding the ransom, the average recovery cost remains high at $1.3 million, though this figure did decline by 24% year-over-year.
- Expertise and Visibility Remain Critical Gaps
Internal factors fueling the attacks point directly to systemic weaknesses:
Lack of Expertise: Cited by 42.5% of organizations.
Security Gaps: Cited by 41.6% (unknown security gaps) and 41% (lack of protection).
Alexandra Rose, Director of Threat Research at the Sophos Counter Threat Unit, highlights the operational risks: “Manufacturing depends on interconnected systems where even brief downtime can stop production and ripple across supply chains. Attackers exploit this pressure… Layered defenses, continuous visibility, and well-rehearsed response plans are essential.”
To strengthen defenses for the long term, Sophos recommends manufacturers focus on these best practices:
- Eliminate Root Causes: Proactively address common weaknesses, such as exploited vulnerabilities, using tools like Sophos Managed Risk.
- Defend Every Endpoint: Use dedicated anti-ransomware defenses on all endpoints, especially servers.
- Plan and Prepare: Establish and routinely test a comprehensive incident response plan, including reliable data restoration practices.
- Monitor Around the Clock: Partner with a Managed Detection and Response (MDR) provider for 24/7 continuous visibility and expert threat response.
While the manufacturing sector’s ability to block encryption is a major victory, the evolving threat landscape means a shift in focus is necessary: defense must now equally prioritize preventing data theft to undermine the modern extortion-only business model.






























