Sophos’ latest annual study explores the real-world ransomware experiences of 332 manufacturing and production organizations hit by ransomware in the past year. The report examines how the causes and consequences of these attacks have evolved over time.
This year’s edition also sheds new light on previously unexplored areas, including the organizational factors that left companies exposed and the human toll ransomware takes on IT and cybersecurity teams within the sector.
Download the report to explore the full findings.
Exploited vulnerabilities and expertise shortfalls fuel ransomware incidents
Exploited vulnerabilities are the leading root cause of ransomware attacks on manufacturing and production organizations, responsible for 32% of incidents. Malicious emails ranked second, with their share declining from 29% in 2024 to 23% in 2025.
A number of organizational factors contribute to manufacturing and production organizations falling victim to ransomware, with the most common being a lack of expertise (i.e., insufficient skills or knowledge available to detect and stop the attack in time), named by 42.5% of victims. It is followed in very close succession by unknown security gaps (i.e., weaknesses in defenses that respondents were unaware of), which contributed to 41.6% of attacks.
Organizational root cause of attacks in manufacturing and production
Data encryption sharply declines but extortion rates soar
Data encryption in the sector has dropped to its lowest level in five years, with 40% of attacks resulting in data being encrypted, the third lowest percentage recorded in this year’s survey and close to half the 74% reported by manufacturing and production organizations in 2024. In line with this trend, the percentage of attacks stopped before encryption reached a five-year high, indicating that manufacturing and production organizations are strengthening their defenses.
However, adversaries are adapting: the proportion of manufacturing and production organizations hit by extortion-only attacks (where data wasn’t encrypted but a ransom was still demanded) surged to 10% of attacks in 2025 from just 3% in 2024, the second highest rate reported in this year’s survey. This is likely due to the high value of intellectual property, complex supply chains, and the operational impact of downtime in manufacturing environments.
Data encryption in manufacturing and production | 2021 – 2025
Ransom payments persist while reliance on backups holds steady
While the proportion of manufacturing and production organizations paying the ransom to recover data has declined in the last year, over half (51%) still paid, well above 2022 (33%) and 2023 (34%) levels. Meanwhile, backup use remains steady at 58% in 2025, reflecting strong confidence in this data recovery method.
Recovery of encrypted data in manufacturing and production | 2021 – 2025
Ransom demands, payments and attack recovery costs fall
Ransomware economics in manufacturing and production shifted in 2025, with average ransom demands falling 20% to $1.2M (from $1.5M in 2024) and payments dropping from $1.2M to $1.0M. The decline was largely driven by fewer mid-range ($1M–$5M) demands and payouts, while extreme cases ($5M+) saw a slight uptick.
At the same time, the mean cost of recovery (excluding any ransoms paid) has dropped nearly a quarter (24%) over the past year to $1.3M, down from $1.7M in 2024 and below the $1.5M global average in this year’s report.
Together, these findings indicate that the sector is becoming more resilient and efficient in its ransomware response but still faces high-value outliers that skew the overall risk landscape.
Ransomware takes a human toll, driving stress and anxiety among IT/cybersecurity teams within the sector
The survey reveals that ransomware incidents have profound repercussions for IT and cybersecurity teams in the manufacturing and production sector. Nearly half of respondents (47%) reported increased anxiety or stress about future attacks, underscoring the lasting psychological impact of such events.
Other common consequences include a shift in team priorities or focus (45%), heightened pressure from senior leadership (44%), and a sustained increase in workload (41%). Notably, the percentage of manufacturing and production respondents reporting these effects was higher than the cross-sector average across nearly all areas, highlighting the unique strain faced by teams in this industry.
Download the full report for more insights into the human and financial impacts of ransomware on the retail sector.
What Sophos is seeing in the manufacturing sector
In addition to the findings of the report, over the past twelve months, Sophos X-Ops has observed ransomware activity across leak sites and found that 99 distinct threat groups targeted manufacturing organizations. The most prominent groups targeting manufacturing organizations based on leak site observations are GOLD SAHARA (Akira), GOLD FEATHER (Qilin) and GOLD ENCORE (PLAY). Reflecting the trends in the report, over half of the ransomware incidents handled by Sophos Emergency Incident Response involved both data theft and data encryption, underscoring the continued rise of double extortion tactics where stolen data is held to ransom and threatened with publication on a leak site.
About the survey
The report is based on the findings of an independent, vendor-agnostic survey commissioned by Sophos of 3,400 IT/cybersecurity leaders across 17 countries in the Americas, EMEA, and Asia Pacific, including 332 from the manufacturing and production sector. All respondents represent organizations with between 100 and 5,000 employees. The survey was conducted by research specialist Vanson Bourne between January and March 2025, and participants were asked to respond based on their experiences over the previous year.












