Sophos has published new figures on ransomware in the manufacturing sector. Although companies have become better at preventing encryption, attackers are resorting to data theft and outright extortion. More than half of the manufacturing companies affected still paid the ransom.
Encryption rates in ransomware attacks on manufacturing companies have fallen sharply. Only 40 percent of attacks resulted in actual encryption, the lowest level in five years and a significant drop from 74 percent last year. However, attackers are compensating for this with a different tactic: extortion without encryption rose from 3 percent in 2024 to 10 percent in 2025. They are increasingly relying on stolen data as a means of pressure.
Data theft remains a major concern for manufacturers. Of the manufacturing companies that experienced encryption, 39 percent also experienced data theft. That is one of the highest percentages compared to other sectors.
Progress has been made in stopping attacks before damage occurs. Half of manufacturing organizations managed to stop the attack before data could be encrypted, more than double last year’s 24 percent. Nevertheless, researchers point to persistent weaknesses. A lack of expertise was cited by 42.5 percent of organizations, unknown security gaps by 41.6 percent, and insufficient protection by 41 percent. Respondents identified an average of 3 internal factors contributing to the attack.
Financial impact remains high
More than half (51 percent) of the affected manufacturing companies with encrypted data paid ransom. The median ransom demand was $1.2 million, while the median payment was $1 million. Recovery costs, excluding ransom, fell by 24 percent to an average of $1.3 million. The pace of recovery also improved: 58 percent of manufacturers recovered completely within a week, compared to 44 percent last year.
The human impact should not be underestimated. Among manufacturing companies that implemented encryption, 47 percent reported increased stress among IT and security teams. 44% experienced increased pressure from senior leaders, and 27% reported leadership changes as a result of the attack.
“Manufacturing depends on interconnected systems where even brief downtime can stop production and ripple across supply chains,” said Alexandra Rose, Director of Threat Research at Sophos Counter Threat Unit. “Attackers exploit this pressure: despite encryption rates falling to 40%, the median ransom paid still reached $1 million.”