A shift in ransomware tactics: Manufacturing faces new challenges

Manufacturing sectors see a shift in ransomware tactics as data theft rises. Defensive measures improve, yet pressure from adversaries persists.

Sophos, a leader in security solutions, has unveiled new insights from its State of Ransomware in Manufacturing and Production 2025 report. A significant highlight from the findings is the changing landscape of ransomware attacks on the manufacturing sector. While encryption rates have notably decreased, adversaries are choosing alternative tactics, such as data theft and extortion.

The report, based on a survey of 332 manufacturing organisations impacted by ransomware, exposes several concerning trends:

  • Decline in Encryption: 40% of attacks resulted in data encryption, the lowest in five years, compared to 74% previously. However, extortion-only attacks, predicated on stolen data, rose to 10% from 3% in the prior year.
  • Persistent Data Theft: Among manufacturers experiencing encryption, 39% also suffered data theft, marking a high incidence across surveyed sectors.
  • Improved Deterrent Capabilities: An encouraging 50% of manufacturing entities thwarted attacks before encryption occurred, up from 24% last year.
  • Skills and Protection Gaps: Lack of expertise and unrecognised security weaknesses contribute significantly to vulnerabilities, as identified by 42.5% and 41.6% of organisations respectively.
  • Ransom Payments Remain High: Despite progress, 51% of impacted firms succumbed to paying the ransom, with a median payment of $1 million.
  • Quicker Recoveries: Recovery costs have fallen, averaging $1.3 million, with 58% of organisations recovering fully within a week, up from 44%.
  • Impact on Teams: Post-incident, 47% reported heightened stress within IT and security teams, while 44% faced increased leadership pressure.

Alexandra Rose, Director of Threat Research at Sophos Counter Threat Unit, emphasises the pressure the industry faces, highlighting the dependency on interconnected systems where even minor downtimes pose substantial supply chain risks.

Further investigations by Sophos X-Ops highlight notable ransomware activity from distinct threat groups such as GOLD SAHARA, GOLD FEATHER, and GOLD ENCORE. These groups are increasingly employing double extortion tactics, both encrypting and stealing data, to hold organisations to ransom with threats of data leaks.

Sophos recommends robust preventive measures to combat evolving cyber threats:

  • Address Root Causes: Proactively resolve technical and operational flaws that adversaries often exploit.
  • End-to-End Endpoint Protection: Every server and endpoint must have tailored anti-ransomware defences.
  • Actionable Incident Response Plans: Regularly test and refine incident response strategies. Maintain consistent data backups to ease restoration and reduce downtime.
  • Continuous Monitoring: Implement round-the-clock monitoring, potentially through a managed detection and response provider, strengthening overall threat detection and response.