Saturday, June 27, 2026

Lights and shadows in cyber defense in the manufacturing industry – Sophos News

The recently released State of Ransomware in Manufacturing and Production 2025 report shows that companies in the manufacturing sector are now better able to stop ransomware attacks before data is encrypted, compared to previous study results. However, attackers are increasingly relying on the theft of data in order to build pressure for pure blackmail tactics. One of the consequences: More than half of the affected manufacturing companies paid the ransom despite improved defense measures.

The key findings of the Sophos State of Ransomware in Manufacturing and Production report are:

  • Falling encryption rates, but changing attack tactics: 40 percent of attacks on manufacturing companies resulted in data encryption. This is the lowest figure in five years and a decrease from 74 percent last year. At the same time, pure extortion attacks through data theft increased from 3 percent (2024) to 10 percent.
  • Data theft remains a key risk: 39 percent of manufacturing companies that suffered ransomware encryption also recorded data theft – one of the highest levels of all industries examined.
  • More companies stop attacks before encryption: 50 percent of manufacturing companies prevented data encryption, which is more than twice as many as last year (24 percent).
  • A shortage of skilled workers and inadequate protection promote attacks: 42.5 percent of production and manufacturing companies cited a lack of expertise as the cause. Unknown security gaps were cited as the reason by 41.6 percent, and a lack of protective measures by 41 percent. On average, companies identified three internal factors that contributed to the attack.
  • More than half of manufacturing companies paid the ransom: 51 percent of the affected companies paid the ransom demanded. The median ransom amount was 861,111 euros, compared to a median demand of 1.03 million euros.
  • Recovery becomes cheaper and faster: The average cost of recovering from a ransomware attack – excluding ransoms – fell by 24 percent to 1.12 million euros. 58 percent of manufacturers were fully restored within a week (previous year: 44 percent).
  • Ransomware puts strain on IT and security teams: 47 percent of manufacturing companies reported increased team stress after data encryption. 44 percent experienced increasing pressure from managers and 27 percent confirmed a change in leadership as a result of the attack.

“The production and manufacturing industry relies heavily on connected systems where even short periods of downtime can halt operations and impact supply chains,” says Michael Veit, security expert at Sophos. “Cybercriminals are taking advantage of this situation. Although the global average encryption rate has fallen to 40 percent, the median ransom paid remained high at 861,111 euros. Multi-layered defense mechanisms, continuous transparency and regularly practiced contingency plans are crucial to reducing operational impact and financial risks.”

Current observations from Sophos X-Ops in the manufacturing industry
Over the past 12 months, Sophos experts found that 99 different threat groups are largely responsible for the attacks on manufacturing companies. Among the most prominent groups are GOLD SAHARA (Akira), GOLD FEATHER (Do) and GOLD ENCORE (PLAY). Cases handled by the Sophos Emergency Incident Response rapid response team show that more than half of the attacks resulted in data being stolen and encrypted. This is a clear indication that cybercriminals continue to use double-extortion tactics.

What production companies should consider now to be more resilient
Sophos recommends four basic best practices to increase cybersecurity in the organization:

  • Eliminate causes: Companies should immediately address technical and operational vulnerabilities – such as exploited security gaps. Solutions like Sophos Managed Risk help you assess your own attack surface and identify and reduce risks.
  • Secure all endpoints: All endpoints, including servers, require specialized anti-ransomware features to stop attacks early.
  • Planning and preparation: Companies should establish a comprehensive incident response plan and test it regularly. In addition to defensive measures, reliable backups and routine data recovery practice are crucial to minimizing downtime.
  • 24/7 monitoring: Continuous visibility is essential. Companies without their own resources benefit from working with a trustworthy Managed Detection and Response (MDR) provider that guarantees 24/7 monitoring and whose experts initiate and support the necessary response.

The full English-language Sophos State of Ransomware in Manufacturing and Production 2025 study is available for download here.

About the study:
The annual, global study is based on an independent survey of 332 manufacturing companies that were affected by ransomware last year.
