Half of Manufacturers Stop Attacks Before Encryption, Yet Most Still Pay $1m Ransom

Manufacturers are getting better at stopping ransomware attacks before criminals can encrypt data, but attackers are increasingly stealing information to force victims into paying, according to new research by cybersecurity firm Sophos.

The findings, released in the Sophos State of Ransomware in Manufacturing and Production 2025 report, show the sector is experiencing fewer successful encryptions but higher levels of extortion linked to data theft.

The report is based on a survey of 332 manufacturing organizations that were hit by ransomware in the past year.

Sophos found that 40 per cent of attacks resulted in encrypted data, the lowest rate in five years and a sharp drop from 74 per cent last year. At the same time, extortion-only attacks — where criminals steal data but do not encrypt systems — rose to 10 per cent from 3 per cent in 2024, signalling a shift in tactics.

Manufacturers that did face encryption continued to suffer secondary breaches, with 39 per cent reporting theft of their data, one of the highest rates among all surveyed industries. However, half of targeted organizations said they were able to stop attacks before encryption could take place, more than double the 24 per cent reported last year.

The study also highlights the ongoing challenges facing manufacturing businesses, with respondents citing a lack of expertise, unknown security gaps and inadequate protection as key factors contributing to attacks. On average, organizations identified three internal weaknesses that enabled breaches.

Despite improvements in defence and recovery, ransom demands remain high. Just over half of companies whose data was encrypted paid a ransom, with a median payment of $1 million against a median demand of $1.2 million. The average cost of recovery, excluding ransom payments, dropped by 24 per cent to $1.3 million. More organizations — 58 per cent — reported full recovery within a week, compared to 44 per cent last year.

Beyond financial loss, ransomware incidents are affecting working conditions. Sophos notes that 47 per cent of manufacturers reported heightened stress among IT and security teams after experiencing data encryption. Nearly half also reported increased pressure from senior leaders, while over a quarter said leadership changes followed the incident.

“Manufacturing depends on interconnected systems where even brief downtime can stop production and ripple across supply chains,” said Alexandra Rose, Director of Threat Research at Sophos Counter Threat Unit. “Attackers exploit this pressure: despite encryption rates falling to 40 per cent, the median ransom paid still reached $1 million. While half of manufacturers stopped attacks before encryption, recovery costs average $1.3 million and leadership stress remains high.”

“With the rise of data theft and extortion, layered defenses, continuous visibility, and well-rehearsed response plans are essential to reduce both operational impact and financial risk,” she added.

Sophos analysts observed 99 ransomware groups targeting manufacturing in the last 12 months. Groups such as Akira, Qilin and PLAY were among the most active, according to leak site data. In more than half of the incidents Sophos helped remediate, attackers both stole and encrypted data, underscoring the dominance of double extortion tactics.

The company says manufacturers must focus on eliminating vulnerabilities, securing endpoints, practising incident response and maintaining round-the-clock monitoring, particularly where in-house security capability is limited.

Sophos warned that manufacturing’s reliance on interconnected systems, tight production cycles and lean margins makes it particularly vulnerable to disruption — a dynamic that cybercriminals continue to exploit.