A latest report from Sophos reveals a promising trend in the manufacturing sector's battle against ransomware, with organisations successfully blocking 50% of attacks before data encryption can occur.
However, this progress is counterbalanced by a worrying shift in adversarial tactics, as cybercriminals increasingly resort to extortion without encryption, emphasising a pressing need for robust cybersecurity measures in the region.
The State of Ransomware in Manufacturing and Production 2025 report indicates that only 40% of ransomware incidents in the manufacturing sector resulted in data encryption—a significant decrease from 74% the previous year. Yet, concurrent with this decline, extortion-only attacks surged from 3% to 10%.
Source: The State of Ransomware in Manufacturing and Production 2025, Sophos
This new trend suggests that attackers are now more reliant on data theft to exert pressure on their targets, making the landscape for manufacturers even more precarious.
Data theft remains a predominant concern, as 39% of manufacturers who experienced encryption also reported data theft, ranking among the highest in the surveyed sectors.
Despite the advancements in defensive measures, the report found that 51% of impacted organisations opted to pay the ransom, with the median payment reaching $1 million against a median demand of $1.2 million—indicating a troubling trend towards compliance with cybercriminals.
Alexandra Rose, director of Threat Research at Sophos, highlighted that the interconnected nature of manufacturing systems places immense pressure on organisations, where even brief downtimes can disrupt production and have a ripple effect across supply chains.
“Although encryption rates have fallen, the operational and financial toll remains substantial. Companies must implement layered defenses, ensure continuous visibility, and develop well-structured response plans to mitigate risks effectively," she stated.
Sophos X-Ops has tracked 99 distinct threat groups targeting the manufacturing sector, with GOLD SAHARA (Akira), GOLD FEATHER (Qilin), and GOLD ENCORE (PLAY) emerging as the most prominent. The findings reveal that many attackers employ double-extortion tactics, both encrypting and stealing data to maximise leverage over their victims.
To combat these evolving threats, Sophos urges manufacturing entities to adopt best practices, including proactive risk management, endpoint protection, comprehensive incident response planning, and 24/7 threat monitoring. As ransomware tactics evolve, embracing these strategies will be crucial for organisational resilience in the manufacturing sector.
