Manufacturers Improving Ransomware Defenses

Despite significant improvements, the report found that more than half still paid the ransom.


Sophos recently announced new findings from the Sophos State of Ransomware in Manufacturing and Production 2025 report, which reveal that manufacturers are stopping more ransomware attacks before data can be encrypted.

However, adversaries are increasingly stealing data and using extortion-only tactics to maintain pressure. As a result, more than half of manufacturing organizations impacted by encryption paid the ransom despite progress in defensive measures.

Additional findings include:

  • Encryption rates are falling, but adversaries are shifting tactics: 40 percent of attacks on manufacturers resulted in data encryption, the lowest level in five years and down from 74 percent last year.
  • Extortion-only attacks are surging: extortion-only attacks rose to 10 percent from just three percent in 2024 as attackers rely more on data theft for leverage.
  • Data theft remains a significant concern: 39 percent of manufacturers that experienced encryption also had data stolen, one of the highest rates across all surveyed sectors.
  • More organizations are stopping attacks before encryption: 50 percent of manufacturing organizations stopped the attack before data could be encrypted, more than double last year’s 24 percent.
  • Expertise shortfalls and inadequate protection fuel attacks: Lack of expertise was cited by 42.5 percent of organizations. Unknown security gaps were cited by 41.6 percent, and a lack of protection by 41 percent. Respondents identified an average of three internal factors that contributed to the attack.
  • Ransom payments remain common: 51 percent of affected organizations paid the ransom. The median ransom paid was $1 million, compared to a median demand of $1.2 million.
  • Recovery costs and timelines are improving: The average cost to recover from a ransomware attack, excluding any ransom payment, declined by 24 percent to $1.3 million. Additionally, 58 percent of manufacturers fully recovered within one week, up from 44 percent last year.
  • Ransomware incidents affect IT and security teams: 47 percent of manufacturers reported increased team stress after experiencing data encryption, and 44 percent said pressure from senior leaders increased. Also, 27 percent reported leadership change as a result of the attack.

Several key industry stakeholders also weighed in on the findings.

Neko Papez, Senior Manager, Cybersecurity Strategy at Menlo Security

"The surge in ransomware attacks reflects a critical transformation in the threat landscape and supports industry-wide observations of a shift toward extortion over simple encryption. Despite the evolution in attack objectives, the underlying techniques for obtaining initial access remain largely constant. 

"New research from Menlo Security indicates a sharp increase in browser-based attacks: within the last year, browser-based phishing grew by 140 percent, and zero-hour phishing attempts leapt by 130 percent. This data strongly indicates that phishing and abusive cloud hosting services continue to be the most prevalent and effective method for cybercriminals to gain initial access and deliver malware, including ransomware, into an organization's environment.

"The hardest-hit sectors in the current wave of ransomware include manufacturing and technology, with major incidents documented across critical infrastructure as attackers increasingly target these industries to extract sensitive data such as intellectual property and personally identifiable information (PII). These sectors remain especially susceptible due to the financial motivation and business criticality of their operations.

"The reality is that attackers are increasingly leveraging sophisticated techniques, often powered by AI and evasive phish kits, to bypass traditional security controls. Over the last 12 months, Menlo found that 75 percent of phishing links are hosted on seemingly legitimate and trusted websites, making them incredibly difficult for users and legacy security tools to detect. 

"This emphasizes that while the end goal may be data extortion or encryption, the browser remains the primary attack surface, and a robust browser security strategy is essential to prevent these highly evasive threats from ever reaching the endpoint."

Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens

"Attack sophistication is on the rise, and critical-sector organizations, such as manufacturing and OT/ICS, shut down when faced with a cyberattack.

"Unfortunately, cyber leadership is focusing on stopping attacks instead of stopping the proliferation of attacks. We now know that it is not if, but when, the cyberattacks will happen. It's time for the manufacturing industry to invest in foundational cyber defense capabilities to dynamically change attack paths to limit the impact of any attack."

Shane Barney, CISO at Keeper Security

"Ransomware recovery is rarely straightforward for large enterprises. Manufacturing lines may be able to restart relatively quickly, but restoring finance systems, internal applications and customer services often takes much longer.

"Organizations need complete confidence that systems are clean, credentials are secure and attackers no longer have any type of access. In highly interconnected environments, which are common across the manufacturing sector, that level of certainty requires careful coordination across many teams. 

"The companies that tend to recover the fastest are the ones that have already invested in strong identity controls, segmented architectures and tested backups. Those foundations make an enormous difference when every hour matters."

Richard Springer, Senior Director of OT Solutions at Fortinet

"The elevation of risk is due to a heightened focus on industry, particularly manufacturing, by ransomware crime groups who are now monetizing production loss/interruptions in addition to their ransom calculus. 

"Geopolitical events around the world, such as tactical cyber events or demonstrations of cyber capabilities by nation-states, are also driving critical infrastructure risk awareness. Due to events in the past years, regulations, direct and indirect, such as the reporting of material cyber events by the SEC, have heightened the importance of security within boardrooms and with executives.

"As seen in our report findings earlier this year, the CISO is most likely to be assigned the role of mitigating manufacturing and OT cyber risk."

Heath Renfrow, Co-Founder and CISO at Fenix24 

"For large enterprises — especially manufacturers and companies with complex supply-chain systems — ransomware recovery is almost always measured in months, not weeks. It’s rarely easy, because recovery is not just a technical reboot; it’s a full reconstruction of identity, applications, infrastructure, and business dependencies under pressure.

"Several factors drive the long timelines:

  • "Modern enterprises are deeply interconnected. Critical workloads depend on dozens of other systems. Even when manufacturing resumes, back-office platforms — ERP, finance, HR, procurement, authentication — often remain crippled far longer because their dependencies must be rebuilt in sequence.
  • "Backups are often not as resilient as assumed. Many organizations discover during an attack that backups were incomplete, unmapped to business services, unverified, quietly failing, or stored inside compromised identity systems. Valid backups may exist but restoring them requires significant effort to reestablish the identity, storage and application stack they rely upon.
  • "Forensics, containment, and rebuilds happen simultaneously. Each workstream slows the others. A single open forensic question can pause identity rebuilds, which in turn delays applications and endpoints.
  • "Recovery becomes an architectural redesign if fundamentals weren’t in place. If Active Directory is weak, segmentation is absent, or backups aren’t mapped, the organization is forced to redesign those systems mid-crisis — adding weeks or months."
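Two of the failure modes Renfrow lists, back-office platforms whose dependencies must be rebuilt in sequence and backups stored inside the very identity systems that are down, can be checked before an incident with a dependency graph of the environment. The script below is an added example and is not code from Fenix24, Sophos or any vendor quoted here; the system inventory and backup locations are constructed and hypothetical. It groups systems into rebuild waves (Kahn's algorithm by level) so the length of the restore chain is visible, and flags any backup that sits somewhere you cannot reach until the system being restored is already back, such as an Active Directory backup on an AD-joined backup server or local snapshots kept on the host itself.

```python
"""Restore-order planner for a ransomware rebuild (added example, not from the report).

Given an inventory of systems and what each needs running before it can be
restored, it (1) groups systems into rebuild waves, so the length of the chain
and what can be rebuilt in parallel are visible before the crisis, and (2) flags
backups that are stored somewhere that cannot be reached until the system being
restored is already back, e.g. AD backups on an AD-joined backup server.
"""

# Constructed sample inventory; hypothetical, not drawn from the Sophos report.
# system -> systems that must be up before it can be restored.
DEPENDENCIES = {
    "active_directory": [],
    "storage": ["active_directory"],            # SAN management bound to AD
    "backup_server": ["active_directory", "storage"],
    "erp": ["active_directory", "storage"],
    "finance": ["erp", "active_directory"],
    "hr": ["active_directory"],
    "procurement": ["erp"],
    "mes": ["storage"],                         # manufacturing execution system
}

# system -> where its backup lives (constructed). Locations that are not in
# DEPENDENCIES (e.g. offline tape) are treated as needing nothing to be up.
BACKUP_LOCATION = {
    "active_directory": "backup_server",   # weak: AD backup on an AD-joined host
    "storage": "offline_tape",
    "backup_server": "offline_tape",
    "erp": "backup_server",
    "finance": "backup_server",
    "hr": "backup_server",
    "procurement": "backup_server",
    "mes": "mes",                          # weak: local snapshots on the host itself
}

# Corrected layout: the two stranded backups moved to independent media.
FIXED_BACKUP_LOCATION = dict(BACKUP_LOCATION,
                             active_directory="offline_tape", mes="offline_tape")


def transitive_deps(deps, system):
    """Every system that must be up, directly or indirectly, before `system`."""
    seen = set()
    stack = list(deps.get(system, []))
    while stack:
        d = stack.pop()
        if d not in seen:
            seen.add(d)
            stack.extend(deps.get(d, []))
    return seen


def stranded_backups(deps, locations):
    """Systems whose backup location needs the system itself (transitively, or
    because the backup sits on the same host): the backup exists but cannot be
    reached during a rebuild from scratch. Returns {system: location}."""
    stranded = {}
    for system, location in locations.items():
        if system in transitive_deps(deps, location) | {location}:
            stranded[system] = location
    return stranded


def recovery_waves(deps):
    """Kahn's algorithm by levels: wave N holds the systems whose dependencies
    all sit in waves < N, so each wave can be rebuilt in parallel. Raises
    ValueError on a cycle, since nothing inside a cycle can be restored first."""
    indegree = {s: 0 for s in deps}
    dependents = {s: [] for s in deps}
    for s, needs in deps.items():
        for d in needs:
            if d not in deps:
                raise ValueError(f"{s} depends on unknown system {d}")
            indegree[s] += 1
            dependents[d].append(s)
    ready = sorted(s for s, n in indegree.items() if n == 0)
    waves, placed = [], 0
    while ready:
        waves.append(ready)
        placed += len(ready)
        nxt = []
        for s in ready:
            for t in dependents[s]:
                indegree[t] -= 1
                if indegree[t] == 0:
                    nxt.append(t)
        ready = sorted(nxt)
    if placed != len(deps):
        stuck = sorted(s for s, n in indegree.items() if n > 0)
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return waves


if __name__ == "__main__":
    for i, wave in enumerate(recovery_waves(DEPENDENCIES)):
        print(f"wave {i}: {', '.join(wave)}")
    print("stranded backups:", stranded_backups(DEPENDENCIES, BACKUP_LOCATION))
    print("after fix:", stranded_backups(DEPENDENCIES, FIXED_BACKUP_LOCATION))
```

On the constructed inventory the planner produces four waves, which is the minimum number of sequential rebuild steps before finance and procurement can come back, and reports two stranded backups: Active Directory, whose backup lives on a server that cannot authenticate until AD exists, and the MES host, whose only copies are local snapshots. Moving both to media outside the dependency graph clears the report. The same check generalizes to any inventory; a cycle in the dependency map (two systems that each need the other first) is raised as an error, because that is exactly the situation that forces the mid-crisis redesign Renfrow describes.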