Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution
Introducing Sophos DNS Protection for Endpoints
PRODUCTS & SERVICES
The State of Ransomware in Manufacturing and Production 2025
332 IT and cybersecurity leaders reveal the ransomware realities for manufacturing and production organizations today. Written by Rajan Sanhotra Products & Services Manufacturing PRODUCTS & SERVICES Ransomware Solutions The State of Ransomware
Sophos’ latest annual study explores the real-world ransomware experiences of 332 manufacturing and production organizations hit by ransomware in the past year. The report examines how the causes and consequences of these attacks have evolved over time.
This year’s edition also sheds new light on previously unexplored areas, including the organizational factors that left firms exposed and the human toll ransomware takes on IT and cybersecurity teams within the sector.
Download the report to explore the full findings.
Exploited vulnerabilities and expertise shortfalls fuel ransomware incidents
Exploited vulnerabilities are the leading root cause of ransomware attacks on manufacturing and production organizations, responsible for 32% of incidents. Malicious emails ranked second, with their share declining from 29% in 2024 to 23% in 2025.
Multiple organizational factors contribute to manufacturing and production organizations falling victim to ransomware, with the most common being a lack of expertise (i.e., insufficient skills or knowledge available to detect and stop the attack in time) named by 42.5% of victims. It is followed in very close succession by unknown security gaps (i.e., weaknesses in defenses that respondents were unaware of), which contributed to 41.6% of attacks.
Organizational root cause of attacks in manufacturing and production
Data encryption sharply declines but extortion rates soar
Data encryption in the sector has dropped to its lowest level in five years, with 40% of attacks resulting in data being encrypted — the third lowest percentage recorded in this year’s survey and close to half the 74% reported by manufacturing and production organizations in 2024. In line with this trend, the percentage of attacks stopped before encryption reached a five-year high, indicating that manufacturing and production organizations are strengthening their defenses.
However, adversaries are adapting: The proportion of manufacturing and production organizations hit by extortion-only attacks (where data wasn’t encrypted but a ransom was still demanded) surged to 10% of attacks in 2025 from just 3% in 2024 — the second highest rate reported in this year’s survey. This is likely due to the high value of intellectual property, complex supply chains, and the operational impact of downtime in manufacturing environments.
Data encryption in manufacturing and production | 2021 – 2025
Ransom payments persist while reliance on backups hold steady
While the proportion of manufacturing and production organizations paying the ransom to recover data has declined in the last year, over half (51%) still paid — well above 2022 (33%) and 2023 (34%) levels. Meanwhile, backup use remains steady at 58% in 2025, reflecting strong confidence in this data recovery method.
Recovery of encrypted data in manufacturing and production | 2021 – 2025
Ransom demands, payments and attack recovery costs fall
Ransomware economics in manufacturing and production shifted in 2025, with average ransom demands falling 20% to
Vezi resurse educaționale aici
Download the full report for more insights into the human and financial impacts of ransomware on the retail sector.
What Sophos is seeing in the manufacturing sector
In addition to the findings of the report, over the past twelve months, Sophos X-Ops has observed ransomware activity across leak sites and found that 99 distinct threat groups targeted manufacturing organizations. The most prominent groups targeting manufacturing organizations based on leak site observations are GOLD SAHARA (Akira), GOLD FEATHER (Qilin) and GOLD ENCORE (PLAY). Reflecting the trends in the report, over half of the ransomware incidents handled by Sophos Emergency Incident Response involved both data theft and data encryption, underscoring the continued rise of double extortion tactics where stolen data is held to ransom and threatened with publication on a leak site.
About the survey
The report is based on the findings of an independent, vendor-agnostic survey commissioned by Sophos of 3,400 IT/cybersecurity leaders across 17 countries in the Americas, EMEA, and Asia Pacific, including 332 from the manufacturing and production sector. All respondents represent organizations with between 100 and 5,000 employees. The survey was conducted by research specialist Vanson Bourne between January and March 2025, and participants were asked to respond based on their experiences over the previous year.
