- Manufacturing experienced a 40% encryption rate, reflecting stronger early detection

- Attackers escalated data theft and extortion to maintain leverage

- Sophos X-Ops reported Akira, Qilin and PLAY among the most prominent ransomware groups targeting manufacturing

 

OXFORD, U.K. — 十二月 3, 2025 —

Sophos, a global leader of innovative security solutions for defeating cyberattacks, today announced new findings from the Sophos State of Ransomware in Manufacturing and Production 2025 report. The study reveals that manufacturers are stopping more ransomware attacks before data can be encrypted; however, adversaries are increasingly stealing data and using extortion-only tactics to maintain pressure. As a result, more than half of manufacturing organizations impacted by encryption paid the ransom despite progress in defensive measures. The report is based on an independent survey of 332 manufacturing organizations that were hit by ransomware in the last year.

The Sophos State of Ransomware in Manufacturing and Production report found:

  • Encryption rates are falling, but adversaries are shifting tactics: 40% of attacks on manufacturers resulted in data encryption, the lowest level in five years and down from 74% last year. However, extortion only attacks surged to 10% from just 3% in 2024 as attackers increase reliance on data theft for leverage.
  • Data theft remains a significant concern: 39% of manufacturers that experienced encryption also had data stolen, one of the highest rates across all surveyed sectors.
  • More organizations are stopping attacks before encryption: 50% of manufacturing organizations stopped the attack before data could be encrypted, more than double last year’s 24%.
  • Expertise shortfalls and inadequate protection fuel attacks: Lack of expertise was cited by 42.5% of organizations. Unknown security gaps were cited by 41.6%, and a lack of protection by 41%. Respondents identified an average of three internal factors that contributed to the attack.
  • More than half of manufacturers with encrypted data paid the ransom: 51% of affected organizations paid the ransom. The median ransom paid was $1 million dollars, compared to a median demand of $1.2 million dollars.
  • Recovery costs and timelines are improving: The average cost to recover from a ransomware attack, excluding ransom payment, declined by 24% to $1.3 million dollars. 58% of manufacturers fully recovered within one week, up from 44% last year.
  • Ransomware incidents affect IT and security teams: 47% of manufacturers reported increased team stress after experiencing data encryption. 44% said pressure from senior leaders increased, and 27% reported leadership change as a result of the attack.

“Manufacturing depends on interconnected systems where even brief downtime can stop production and ripple across supply chains,” said Alexandra Rose, Director of Threat Research, Sophos Counter Threat Unit. “Attackers exploit this pressure: despite encryption rates falling to 40%, the median ransom paid still reached $1 million. While half of manufacturers stopped attacks before encryption, recovery costs average $1.3 million and leadership stress remains high. Layered defenses, continuous visibility, and well-rehearsed response plans are essential to reduce both operational impact and financial risk.”

What Sophos is Seeing in Manufacturing

Over the past twelve months, Sophos X-Ops has observed ransomware activity across leak sites and found that 99 distinct threat groups targeted manufacturing organizations. The most prominent groups targeting manufacturing organizations based on leak site observations are GOLD SAHARA (Akira), GOLD FEATHER (Qilin) and GOLD ENCORE (PLAY). Reflecting the trends revealed in the report, in over half of the ransomware incidents that Sophos Emergency Incident Response was brought in to remediate, attackers both stole and encrypted data, highlighting the use of double extortion tactics where data is held for ransom and threatened with release on a leak site.

Strengthening Defenses for the Long Term

Based on its experience protecting manufacturing organizations worldwide, Sophos recommends the following best practices to help businesses stay ahead of ransomware and other cyberthreats:

  • Eliminate Root Causes: Take proactive steps to address common technical and operational weaknesses—such as exploited vulnerabilities—that adversaries frequently target. Solutions like Sophos Managed Risk can help organizations assess their exposure and reduce risk across their environments.
  • Defend Every Endpoint: Ensure all endpoints, including servers, are protected with dedicated anti-ransomware defenses to prevent attacks from gaining a foothold.
  • Plan and Prepare: Establish and routinely test a comprehensive incident response plan. Maintain reliable backups and practice data restoration regularly to minimize downtime in the event of an attack.
  • Monitor Around the Clock: Continuous visibility is essential. Organizations without in-house resources can strengthen their resilience by partnering with a trusted Managed Detection and Response (MDR) provider for 24/7 threat monitoring and expert response.

Download the Sophos State of Ransomware in Manufacturing and Production 2025 report to learn more.

关于 Sophos

Sophos 是全球领先的网络安全公司,凭借其人工智能驱动的平台和专家主导的服务,保护着全球 60 万家组织的安全。Sophos 根据各组织在不同安全成熟度的各式各样的需求提供支持,并与其共同成长,携手应对日益严峻的网络攻击。其解决方案结合机器学习、自动化、实时威胁情报以及来自 Sophos X-Ops 的前线真人专家的专业知识,提供 24/7 全天候高级威胁监控、侦测与响应服务。
Sophos 提供行业领先的托管式侦测与响应 (MDR) 服务,同时配备一整套全面的网络安全技术组合,包括端点、网络、电子邮件和云安全、扩展式侦测与响应 (XDR)、身份辨识威胁侦测与响应 (ITDR),以及下一代 SIEM。结合专家咨询服务,这些能力帮助组织主动降低风险,并更迅速地响应,提供力求在不断变化的威胁面前保持领先所需的可见性和可扩展性。
Sophos 通过全球合作伙伴生态系统进入市场,包括托管式服务提供商 (MSPs)、托管式安全服务提供商 (MSSPs)、经销商、分销商、市场集成商以及网络风险合作伙伴,为组织提供灵活的选择,使其能够在保护业务安全的同时建立值得信赖的合作关系。  Sophos 总部位于英国牛津。如欲了解更多信息,请访问 www.sophos.cn。