Sophos has reported a marked shift in the way cybercriminals target the manufacturing sector, with firms blocking more ransomware attempts even as attackers intensify data-theft-led extortion.
In its State of Ransomware in Manufacturing and Production 2025 report, published this week in Oxford, the cybersecurity group said only 40% of ransomware attacks on manufacturers resulted in data being encrypted, down sharply from 74% a year earlier. Sophos attributed the drop to earlier detection and improved defensive tools.
Yet the decline in encryption has coincided with a rise in extortion-only attacks. 10% of incidents involved no encryption at all, up from 3% last year, as adversaries relied instead on stealing information to pressure victims. Data theft accompanied 39% of attacks that did lead to encryption, one of the highest rates across any sector surveyed.
Half of the 332 manufacturing companies surveyed said they stopped attacks before encryption could take place, compared with 24% last year, suggesting significant progress in early-stage disruption. Even so, 51% of firms whose systems were encrypted paid a ransom. The median ransom payment was one million US dollars, against a median demand of 1.2 million dollars.
The average cost of recovery, excluding any ransom, fell by 24% to 1.3 million dollars. Fifty-eight percent of manufacturers said they fully restored operations within a week, an improvement on 44% last year. But the operational and organisational impact remained acute: 47% of respondents reported heightened stress within IT and Security teams, 44% cited increased pressure from senior management, and 27% said the incident contributed to leadership changes.
Alexandra Rose, Director of Threat Research at the Sophos Counter Threat Unit, said manufacturing’s reliance on tightly integrated systems left little room for disruption. “Even brief downtime can halt production and ripple across supply chains,” she said. “Attackers exploit this pressure: despite encryption rates falling to 40%, the median ransom still reached one million dollars. Layered defences, continuous visibility, and well-rehearsed response plans are essential to reduce operational impact and financial risk.”
Sophos X-Ops observed 99 distinct ransomware groups targeting manufacturers over the past year. Akira, Qilin, and PLAY were among the most active groups, often using double-extortion tactics in which data is both stolen and encrypted to maximise leverage.
The company urged manufacturers to strengthen long-term resilience by addressing root-cause vulnerabilities, ensuring all endpoints are protected, routinely testing incident-response plans, maintaining reliable backups, and monitoring networks continuously, including through Managed Detection and Response services where internal resources are limited.
Sophos, headquartered in Oxford, provides cybersecurity tools and services to more than 600,000 organisations worldwide through an AI-driven platform and a global partner network.