Sophos State of Ransomware in Manufacturing 2025

The Sophos State of Ransomware in Manufacturing and Production 2025 synthesizes survey responses from 332 manufacturing IT and security leaders to show shifting attack patterns—lower encryption rates, rising extortion without encryption, persistent exploitation of vulnerabilities, and a heavy human toll on IT teams. Key metrics include exploited vulnerabilities as the top technical root cause (32%), a median ransom demand of $1.2M, and extortion-only attacks rising to 10% of incidents. #Sophos #Manufacturing

Keypoints

  • Typical report structure: Introduction and methodology; Key findings summary; Technical root causes; Organizational/operational root causes; Data outcomes (encryption, exfiltration, extortion); Ransom demands and payments; Business impact (costs, recovery time); Human impact on teams; Recommendations and next steps.
  • Introduction and methodology section explains survey scope (332 respondents, 17 countries, organizations with 100–5,000 employees), reporting period (survey in early 2025 covering incidents mostly in 2024), and comparability with prior years.
  • Key findings section highlights headline metrics and year‑over‑year changes, providing quick reference statistics for decision makers and comparisons to previous reports.
  • Technical root causes: exploited vulnerabilities are the leading cause in manufacturing and production (32%), followed by malicious email (23%) and credential-based attacks (20%), with credential attacks at their lowest level in three years.
  • Operational root causes: lack of expertise (42.5%) is the most-cited organizational factor, followed closely by unknown security gaps (41.6%) and lack of protection (41%), signaling persistent people and process deficiencies.
  • Data encryption trend: encryption of data in incidents fell to 40%, the lowest rate in five years and down from a 74% peak in 2024, indicating a material shift in how attackers achieve impact or how incidents are detected/responded to.
  • Data theft and extortion: 39% of organizations that had data encrypted experienced exfiltration; separately, extortion-only attacks (no encryption but ransom demand) rose sharply to 10% from 3% in 2024, showing attackers increasingly use data-leak threats as leverage.
  • Recovery outcomes: 91% of organizations with encrypted data recovered it (noted as the lowest recovery rate reported across sectors in this survey), and backups were used in 58% of restoration cases, underscoring the continued importance of reliable backup practices.
  • Ransom demands and payments: median ransom demand dropped 20% year‑over‑year to $1.2M, and median ransom paid fell to $1M; however, the share of the demand actually paid rose to 86% (from 70%).
  • Payment behavior breakdown: 37% of victims paid exactly the initial demand, 49% negotiated and paid less, and 13% paid more than the initial ask—showing negotiation outcomes vary and some organizations still meet or exceed demands.
  • Business costs and recovery time: average recovery cost for manufacturing and production dropped 24% to $1.3M, and recovery speed improved—58% of organizations recovered within a week in 2025 (up from 44% in 2024).
  • Human impact: every organization with encrypted data reported direct repercussions for IT/cyber teams—47% reported increased anxiety/stress, 45% a change in team priorities, 44% increased pressure from senior leaders, 41% increased workload/organizational change, 40% feelings of guilt, 27% leadership replacement, and 20% staff absence due to stress/mental health.
  • Recurring themes: (1) technical exploitation (vulnerabilities) remains a dominant attack vector; (2) operational shortfalls—skill gaps, unknown security gaps, and insufficient protections—are major enablers; (3) attackers increasingly rely on extortion and data-leak threats alongside or instead of encryption; (4) resilient backup and recovery practices and faster incident response are improving outcomes but human costs remain high.
  • Notable shifts in the global landscape: lower overall encryption rates but more extortion-only incidents, reduced median demands and payments yet a higher proportion of the demand actually paid, and faster, less costly recoveries. Taken together, these suggest a maturing response capability even as attackers diversify their tactics.
  • Actionable takeaways: prioritize vulnerability management and patching to address the leading technical cause; invest in staff skills, threat detection, and endpoint/server protections; maintain and regularly test immutable, offline backups; and develop practiced incident response plans or partner with MDR providers to fill capability gaps.
  • Recommendations summary: prevention (eliminate technical and operational root causes), protection (dedicated anti‑ransomware and endpoint defenses), detection and response (24/7 monitoring or managed services), and planning/preparation (incident response plans, quality backups, restore testing).
  • Strategic implication for manufacturing leaders: balancing investments across people, process, and technology is critical—patching and vulnerability remediation reduce exposure, but addressing workforce and organizational gaps will materially lower ransomware risk and human consequences.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)
