Hackers are abandoning traditional file-encrypting ransomware in favour of data theft and extortion as manufacturers strengthen their cyber-defence systems, according to a new report released on Friday by cybersecurity firm Sophos.
Sophos said in its State of Ransomware in Manufacturing and Production 2025 report that only 40 per cent of ransomware attacks on manufacturers resulted in encrypted data this year, the lowest rate in five years and a steep drop from 74 per cent in 2024. But while organisations are stopping more attacks before encryption, attackers are increasingly stealing data to maintain leverage.
Extortion-only attacks surged to 10 per cent from three per cent last year, the report said. Sophos warned that data theft has become a central pressure tactic, with 39 per cent of manufacturers that suffered encryption also reporting data exfiltration, one of the highest rates across all sectors surveyed.
Despite improvements in early detection, more than half of affected manufacturers still paid ransom demands.
Sophos said 51 per cent of organisations that had their data encrypted paid the ransom, with a median payment of $1m, compared with median demands of $1.2m.
Manufacturers, the firm noted, are increasingly intercepting attacks before they cause extensive damage. Fifty per cent of organisations said they stopped the attack before any data could be encrypted, more than double last year’s 24 per cent.
“Manufacturing depends on interconnected systems where even brief downtime can stop production and ripple across supply chains,” said Alexandra Rose, director of threat research at Sophos’ Counter Threat Unit. “Attackers exploit this pressure: despite encryption rates falling to 40 per cent, the median ransom paid still reached $1m.”
The report also showed that expertise shortages and weak security practices continue to expose firms to breaches. About 42 per cent of respondents cited lack of in-house expertise as a contributing factor, while 41 per cent pointed to unknown security gaps and another 41 per cent to inadequate protective measures. On average, manufacturers identified three internal weaknesses that led to attacks.
Sophos said recovery costs are improving, with the average bill, excluding ransom payments, dropping by 24 per cent to $1.3 m. Fifty-eight per cent of organisations recovered within one week of an attack, up from 44 per cent last year. But the pressure on internal teams is rising: 47 per cent reported increased staff stress following an encryption incident, while 27 per cent said the attack contributed to leadership changes.
Sophos X-Ops, the company’s threat intelligence arm, identified 99 ransomware groups targeting manufacturing in the past year. The most active included GOLD SAHARA (Akira), GOLD FEATHER (Qilin), and GOLD ENCORE (PLAY). In over half of the incidents handled by Sophos’ emergency response teams, attackers both stole and encrypted data, a trend that reinforces the growing reliance on double-extortion tactics.
To reduce cyber-risk, Sophos advised manufacturers to address root-cause vulnerabilities, strengthen endpoint protection, test incident-response plans regularly, maintain reliable backups, and adopt round-the-clock monitoring, particularly through managed detection and response providers.