The latest Sophos State of Ransomware in Manufacturing and Production 2025 report offers a stark paradox for cybersecurity leaders in the sector. On one hand, defensive capabilities are improving faster than ever. On the other, the manufacturing floor has become a high-stakes "testing ground for ransomware hackers," forcing executive teams to wrestle with escalating risk, even when encryption is prevented.
The report, based on an independent survey of 332 IT and cybersecurity leaders whose organizations were hit by ransomware in the past year, signals a critical shift. The days of simply defending against data-scrambling malware are over; the new frontier is pure, strategic extortion driven by stolen data and the unbearable pressure of operational downtime.
Here is what the report reveals and what cybersecurity leaders must do now.
The double-edged sword: resilience vs. extortion
The good news is that manufacturing and production organizations are significantly improving their ability to halt attacks.
- The percentage of attacks resulting in data encryption plummeted to 40%, the lowest rate in five years, down sharply from 74% in 2024.
- A major milestone: 50% of attacks were stopped before data encryption occurred.
- Recovery times are faster: 58% of organizations reported full recovery within one week, up from 44% the year prior.
However, this resilience is immediately undermined by a major strategic shift by adversaries.
- Extortion-only attacks soar: The proportion of attacks involving data theft and extortion without encryption surged to 10% of incidents (up from just 3% in 2024). This highlights that simply preventing encryption is no longer sufficient to stop the attack lifecycle.
- Double extortion dominates: For organizations that did suffer encryption, 39% also had their data stolen—one of the highest rates across all surveyed sectors.
- The ransom dilemma persists: Despite improved defenses, a majority of organizations whose data was encrypted still paid the ransom (51%), demonstrating the immense financial and operational pressure in a sector where downtime is catastrophic. The median ransom paid was $1 million.
The report confirms that attacks are landing not because of unstoppable zero-days, but because of consistent, preventable organizational and technical shortcomings.
The leading technical root cause remains exploited vulnerabilities, cited in 32% of attacks. Crucially, the organizational factors that fuel the attacks point directly to gaps that security leadership is responsible for addressing:
- Lack of expertise (insufficient skills or knowledge to detect and stop the attack) was cited by 42.5% of victims.
- Unknown security gaps were cited by 41.6%.
- Inadequate protection was cited by 41%.
“Manufacturing depends on interconnected systems where even brief downtime can stop production and ripple across supply chains,” said Alexandra Rose, Director of Threat Research, Sophos Counter Threat Unit. “Attackers exploit this pressure: despite encryption rates falling to 40%, the median ransom paid still reached $1 million. While half of manufacturers stopped attacks before encryption, recovery costs average $1.3 million and leadership stress remains high. Layered defenses, continuous visibility, and well-rehearsed response plans are essential to reduce both operational impact and financial risk.”
Implications for security leaders and actionable next steps
For CISOs and their teams in manufacturing, the 2025 data is a clear mandate for change. Security can no longer be seen as an IT function focused on technical controls alone; it must be a business function focused on strategic risk and operational continuity.
1. Shift your defense from encryption to exfiltration
Since attackers are moving to extortion-only tactics and leveraging data theft before the final payload, your primary focus must shift from data recovery to preventing data theft.
- Implement Managed Detection and Response (MDR): The high rate of attacks stopped before encryption (50%) suggests that human-led threat hunting is effective. If you lack the in-house resources, partner with an MDR provider for 24/7 continuous visibility to catch attackers dwelling in your systems before they can exfiltrate sensitive IP or customer data.
- Eliminate root causes proactively: Prioritize security hygiene against the top entry vectors. This means aggressive, swift patching of exploited vulnerabilities and hardening against malicious emails.
2. Address the human toll and resource shortfall
The human impact of these breaches is worryingly high in manufacturing, with 47% of respondents reporting increased anxiety and 44% facing heightened pressure from senior leaders. This is directly linked to the most cited organizational weakness: lack of expertise.
- Invest in talent or service: Whether through training, hiring, or outsourcing, addressing the 42.5% gap in expertise is the single most critical step to reducing organizational vulnerability.
- Align leadership expectations: Be transparent with senior leaders about the shift to extortion. Their pressure (44% increase) is a risk factor itself. Ensure they understand that the high median ransom paid is a cost of production downtime, not just a failure of IT, and use this context to advocate for necessary resources.
3. Formalize and drill your incident response plan
The interconnectivity of IT and OT in manufacturing creates uniquely high-pressure recovery scenarios. The average recovery cost is still $1.3 million, even with recovery times improving.
- Test OT/IT convergence scenarios: Your incident response plan must account for operational technology (OT) systems and supply chain dependencies.
- Practice data restoration: The report emphasizes the need to regularly practice restoring data from backups to accelerate recovery time. Rehearsing this process is the only way to ensure quick recovery and mitigate the pressure that leads to paying the ransom.
"IT support is a fundamental requirement for operational productivity and system uptime for any industry," wrote Manav Mittal, a seasoned project management expert specializing in automation within the utility, oil, and gas industries, in a December 2025 SecureWorld News blog post. "Manufacturing systems, especially the ones that work with SCADA technology (Supervisory Control and Data Acquisition), IoT devices, and other critical technologies, depend heavily on efficient IT support to ensure that the downtime is minimal, and the performance is optimal. However, when addressing IT issues in manufacturing systems, particularly during production incidents, the challenges still exist."
According to a recent SecureWorld News article, research from Rockwell Automation, "The State of Smart Manufacturing Report: Cybersecurity Findings," reveals a fundamental shift: OT security is no longer a niche issue but a core business priority, and manufacturers are rapidly adopting new strategies to meet this challenge.
Drawing on insights from more than 1,500 manufacturing leaders globally, the report highlights that cybersecurity is now the second most serious external risk for manufacturers, trailing only economic conditions.

