Sophos’ latest ransomware report reveals that manufacturing firms are blocking more encryption attempts, but cybercriminals are increasingly turning to data theft and extortion-only attacks. Despite better defenses, over half of affected organizations still paid the ransom, with median payments reaching US$1 million.
MALAYSIA, 11 DECEMBER 2025 – Sophos has released new findings from its State of Ransomware in Manufacturing and Production 2025 report, highlighting a major shift in ransomware tactics targeting the manufacturing sector. While encryption rates have dropped significantly, cybercriminals are escalating data theft and extortion-only attacks to pressure victims. The study surveyed 332 manufacturing organizations hit by ransomware over the past year.
The report shows encryption rates have fallen to 40%, the lowest in five years and a steep decline from 74% in 2024. However, extortion-only attacks—where data is stolen but not encrypted—have climbed sharply to 10%, up from just 3% last year. Data theft continues to pose a serious threat, with 39% of manufacturers experiencing both encryption and data exfiltration during attacks.
More organizations are successfully stopping attacks before encryption occurs, with 50% reporting they intercepted attacks early—more than double the 24% reported last year. Despite improvements, internal challenges persist: lack of expertise (42.5%), unknown security gaps (41.6%), and inadequate protection (41%) were identified as major contributors to successful attacks. Respondents cited an average of three internal factors that contributed to their incidents.
Financial and operational impacts remain severe. Among manufacturers whose data was encrypted, 51% paid the ransom, with a median payment of US$1 million compared to the median demand of US$1.2 million. Recovery costs, excluding ransom payments, fell by 24% to US$1.3 million. Recovery timelines have also improved, with 58% of organizations returning to full operation within a week.
Beyond financial loss, ransomware attacks have caused significant strain on internal teams. Nearly half of respondents (47%) reported heightened stress among IT and security teams, while 44% saw increased pressure from senior leadership. Notably, 27% of organizations experienced leadership changes following an attack.
Sophos X-Ops observed active targeting of manufacturing organizations by 99 distinct ransomware groups over the past year. The most prominent among them were GOLD SAHARA (Akira), GOLD FEATHER (Qilin), and GOLD ENCORE (PLAY). In more than half of emergency incident response cases handled by Sophos, attackers not only encrypted data but also stole it, underscoring the rise of double-extortion tactics.
To combat these evolving threats, Sophos recommends deepening defensive strategies across manufacturing environments. This includes eliminating root causes such as exploited vulnerabilities, strengthening endpoint defenses, maintaining and testing incident response plans, and ensuring continuous 24/7 monitoring—especially through Managed Detection and Response (MDR) services for organizations lacking in-house expertise.
