Sophos Report: Manufacturing Industry Blocks More Ransomware Attempts, While Adversaries Shift to Data Theft

• Manufacturing experienced a 40% encryption rate, reflecting stronger early detection

• Attackers escalated data theft and extortion to maintain leverage

Dubai, UAE – December 8, 2025 – Sophos, a global leader of innovative security solutions for defeating cyberattacks, today announced new findings from the Sophos State of Ransomware in Manufacturing and Production 2025 report. The study reveals that manufacturers are stopping more ransomware attacks before data can be encrypted; however, adversaries are increasingly stealing data and using extortion-only tactics to maintain pressure. As a result, more than half of manufacturing organizations impacted by encryption paid the ransom despite progress in defensive measures. The report is based on an independent survey of 332 manufacturing organizations that were hit by ransomware in the last year.

The Sophos State of Ransomware in Manufacturing and Production report found:

• Encryption rates are falling, but adversaries are shifting tactics: 40% of attacks on manufacturers resulted in data encryption, the lowest level in five years and down from 74% last year. However, extortion-only attacks surged to 10% from just 3% in 2024 as attackers increase reliance on data theft for leverage.

• Data theft remains a significant concern: 39% of manufacturers that experienced encryption also had data stolen, one of the highest rates across all surveyed sectors.

• More organizations are stopping attacks before encryption: 50% of manufacturing organizations stopped the attack before data could be encrypted, more than double last year’s 24%.

• Expertise shortfalls and inadequate protection fuel attacks: Lack of expertise was cited by 42.5% of organizations. Unknown security gaps were cited by 41.6%, and a lack of protection by 41%. Respondents identified an average of three internal factors that contributed to the attack.

• More than half of manufacturers with encrypted data paid the ransom: 51% of affected organizations paid the ransom. The median ransom paid was $1 million, compared to a median demand of $1.2 million.

• Recovery costs and timelines are improving: The average cost to recover from a ransomware attack, excluding ransom payment, declined by 24% to $1.3 million. 58% of manufacturers fully recovered within one week, up from 44% last year.

• Ransomware incidents affect IT and security teams: 47% of manufacturers reported increased team stress after experiencing data encryption. 44% said pressure from senior leaders increased, and 27% reported leadership change as a result of the attack.

“Manufacturing depends on interconnected systems where even brief downtime can stop production and ripple across supply chains,” said Alexandra Rose, Director of Threat Research, Sophos Counter Threat Unit. “Attackers exploit this pressure: despite encryption rates falling to 40%, the median ransom paid still reached $1 million. While half of manufacturers stopped attacks before encryption, recovery costs average $1.3 million and leadership stress remains high. Layered defenses, continuous visibility, and well-rehearsed response plans are essential to reduce both operational impact and financial risk.”

What Sophos is Seeing in Manufacturing

Over the past twelve months, Sophos X-Ops has observed ransomware activity across leak sites and found that 99 distinct threat groups targeted manufacturing organizations. The most prominent groups targeting manufacturing organizations based on leak site observations are GOLD SAHARA (Akira), GOLD FEATHER (Qilin) and GOLD ENCORE (PLAY). Reflecting the trends revealed in the report, in over half of the ransomware incidents that Sophos Emergency Incident Response was brought in to remediate, attackers both stole and encrypted data, highlighting the use of double extortion tactics where data is held for ransom and threatened with release on a leak site.

Strengthening Defenses for the Long Term

Based on its experience protecting manufacturing organizations worldwide, Sophos recommends the following best practices to help businesses stay ahead of ransomware and other cyberthreats:

• Eliminate Root Causes: Take proactive steps to address common technical and operational weaknesses—such as exploited vulnerabilities—that adversaries frequently target. Solutions like Sophos Managed Risk can help organizations assess their exposure and reduce risk across their environments.

• Defend Every Endpoint: Ensure all endpoints, including servers, are protected with dedicated anti-ransomware defenses to prevent attacks from gaining a foothold.

• Plan and Prepare: Establish and routinely test a comprehensive incident response plan. Maintain reliable backups and practice data restoration regularly to minimize downtime in the event of an attack.

• Monitor Around the Clock: Continuous visibility is essential. Organizations without in-house resources can strengthen their resilience by partnering with a trusted Managed Detection and Response (MDR) provider for 24/7 threat monitoring and expert response.

Download the Sophos State of Ransomware in Manufacturing and Production 2025 report to learn more.

About Sophos

Sophos is a cybersecurity leader defending 600,000 organizations globally with an AI-driven platform and expert-led services. Sophos meets organizations wherever they are in their security maturity and grows with them to defeat cyberattacks. Its solutions combine machine learning, automation, and real-time threat intelligence with frontline human expertise from Sophos X-Ops to deliver advanced, 24/7 threat monitoring, detection, and response. Sophos offers industry-leading managed detection and response (MDR) alongside a comprehensive portfolio of cybersecurity technologies — including endpoint, network, email, and cloud security, extended detection and response (XDR), identity threat detection and response (ITDR), and next-gen SIEM. Together with expert advisory services, these capabilities help organizations proactively reduce risk and respond faster, with the visibility and scalability needed to stay ahead of evolving threats. Sophos goes to market with a global partner ecosystem, including Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), resellers and distributors, marketplace integrations, and cyber risk partners, giving organizations the flexibility to choose trusted relationships when securing their business. Sophos is headquartered in Oxford, U.K. More information is available at www.sophos.com.

# # #