
    Sophos finds that manufacturing faces growing ransomware threat due to security gaps, lack of expertise

    A new Sophos report reveals how the ransomware threat landscape for manufacturing and production organizations has evolved over the past year. It explores previously overlooked factors, such as operational vulnerabilities that left these organizations exposed to attacks, as well as the human toll on IT and cybersecurity teams. The report, based on the firsthand experiences of 332 IT and cybersecurity leaders from the manufacturing and production sectors whose organizations were targeted by ransomware in the past year, provides critical insights into why organizations become ransomware targets, what happens to compromised data, ransom demands and payment patterns, the broader business impact, and the human cost of these incidents.

    Titled ‘The State of Ransomware in Manufacturing and Production 2025,’ the Sophos report examines why manufacturing and production organizations are increasingly falling victim to ransomware. The report highlights that exploited vulnerabilities were the most common technical root cause, accounting for 32% of incidents, followed by malicious emails in 23% of attacks. Credential-based attacks ranked third, used in 20% of cases, the lowest level recorded in three years.

    It also delves into the organizational factors that left manufacturing and production organizations vulnerable to ransomware attacks. The findings show that victims in this sector typically face multiple organizational challenges, with respondents identifying an average of three factors that contributed to the attack. Overall, the root causes are fairly evenly distributed across protection issues, resourcing challenges, and security gaps. However, manufacturing and production organizations are more likely to pinpoint security gaps, both known and unknown, as the primary factor driving their vulnerability.

    The report also identifies several operational factors contributing to these ransomware attacks. A lack of expertise was the most prevalent factor, cited by 42.5% of victims. This was closely followed by unknown security gaps and inadequate protection, which were contributing factors in 41.6% and 41% of incidents, respectively. 

    Every manufacturing and production organization that experienced data encryption reported direct repercussions for its IT and cybersecurity teams. Nearly half (47%) of respondents cited increased anxiety or stress about future attacks as a major impact. Forty-five percent reported a shift in team priorities, while 44% faced heightened pressure from senior leadership. Additionally, 41% noted an increased workload and changes to team or organizational structure, while 40% expressed feelings of guilt for failing to prevent the attack.

    In over a quarter of cases (27%), leadership within the team was replaced as a result of the breach. One in five teams (20%) experienced staff absenteeism due to stress or mental health issues triggered by the incident. Across nearly every area, these impacts were notably higher in manufacturing and production compared to the cross-sector average, signaling a worrying trend for the industry.

    Sophos highlighted that exploited vulnerabilities are the leading root cause of ransomware attacks on manufacturing and production organizations, responsible for 32% of incidents. Malicious emails ranked second, with their share declining from 29% in 2024 to 23% in 2025. Credential-based attacks continue to pose a significant risk, though reports dropped from 25% in 2024 to 20% in 2025.

    The research reveals that while root causes vary by industry, exploited vulnerabilities are a major vector for most sectors. Notable exceptions include lower education (22%) and energy, oil/gas, and utilities providers (29%), where phishing was the most common root cause cited. Also, compromised credentials were the most perceived attack vector for local/state government organizations, accounting for nearly a third of incidents (32%).

    Sophos mentioned a lack of expertise (i.e., insufficient skills or knowledge available to detect and stop the attack in time) is the most common individual reason given, named by 42.5% of manufacturing and production respondents. This is closely followed by unknown security gaps (i.e., weaknesses in defenses that respondents were unaware of), which contributed to 41.6% of attacks. In third place was a lack of protection (i.e., not having the necessary cybersecurity products and services in place), which contributed to 41% of attacks.

    The report identified that data encryption in manufacturing and production is at its lowest reported rate in the five years of the study, with only 40% of attacks resulting in data being encrypted, the third lowest percentage recorded in this year’s survey, and nearly half the 74% reported in 2024. Meanwhile, the percentage of ransomware attacks that were stopped before data encryption has more than doubled over the last year, climbing from 24% in 2024 to 50% in 2025. This suggests that manufacturing and production organizations are becoming more effective at halting attacks before they cause serious damage.

    Highlighting that adversaries don’t only encrypt data but also steal it, Sophos disclosed that within the manufacturing and production sector, 15% of ransomware victims and 39% of those that had data encrypted experienced data theft, the second-highest rate reported in this year’s survey. Breaking down the data by industry, the report reveals that 42% of organizations in the IT, technology, and telecoms sectors that experienced data encryption also suffered data theft. In contrast, only 15% of organizations in the construction, property, and energy sectors, typically covering oil, gas, and utilities, faced data theft alongside encryption.

    Sophos found that the percentage of manufacturing and production organizations that did not have data encrypted but were held to ransom anyway (extortion) surged to 10% of attacks in 2025 from just 3% in 2024, the second-highest rate reported in this year’s survey. This is likely due to the high value of intellectual property, complex supply chains, and the operational impact of downtime in manufacturing environments. In contrast, both financial service providers and central/federal government organizations reported experiencing the fewest of these attacks, at just 2%.

    91% of manufacturing and production organizations that had data encrypted were able to recover it, the lowest rate reported in this year’s survey. In 2025, just over half (51%) of manufacturing and production organizations paid the ransom, down from 62% in 2024. Meanwhile, backup use has remained consistent year over year at 58%. Collectively, these findings point to stronger resistance to demands and confidence in backup resilience.

    Ransom payments varied considerably by industry, with state and local government organizations paying the highest average amount to attackers at $2.5 million. This may be due to critical service pressures, limited cyber resilience, and attackers exploiting their urgency to recover quickly. In contrast, healthcare providers paid the lowest at just $150,000.

    “The average recovery cost for manufacturing and production organizations, excluding any ransom payments, has dropped nearly a quarter (24%) over the past year to $1.3 million — below the $1.5 million global average,” Sophos reported. “However, it is $200K higher than the sum reported in 2023.”

    Furthermore, the data reveals that, in 2025, manufacturing and production organizations are getting faster at recovering from attacks. 58% recovered within a week, up from 44% reported in 2024. At the same time, the proportion taking one to three months to recover fell sharply to 6%, down from 20% in 2024. Overall, 98% of manufacturing and production victims fully recovered within three months, underscoring growing resilience and recovery capabilities across the sector.

    The report added that “Somewhat unsurprisingly, manufacturing and production organizations that had data encrypted typically were slower to recover than those that were able to stop the encryption: 3% that had data encrypted were fully recovered in a day, compared to 22% of those where the adversaries were unsuccessful in encrypting the data.”

    The survey makes clear that having data encrypted in a ransomware attack has significant repercussions for IT and cybersecurity teams in manufacturing and production organizations, with all respondents reporting an impact. Worryingly, reports of these impacts in this sector were higher than the cross-sector average across all but two areas.

    The Sophos report offers several recommendations for manufacturing and production organizations facing the ongoing threat of ransomware. While these organizations have seen changes in how they encounter ransomware, the threat remains significant. As cyber adversaries continue to refine their tactics, it is essential for defenders and their defenses to evolve in response. By leveraging the insights from this report, organizations can strengthen their defenses, improve their threat response, and mitigate ransomware’s impact on their business and workforce.

    To stay ahead of attacks, organizations should focus on four key areas. First, prevention is crucial. The most effective defense against ransomware is preventing an attack altogether by eliminating the technical and operational vulnerabilities identified in the report. Second, protection is essential. Strong foundational security, especially for endpoints like servers, is critical, as these are the primary targets for ransomware actors. Implementing dedicated anti-ransomware protection can stop and roll back malicious encryption.

    Third, detection and response play a vital role. The quicker an attack is detected and neutralized, the better the outcome. Around-the-clock threat detection and response are now an indispensable layer of defense. Organizations lacking the necessary resources or expertise should consider partnering with a trusted managed detection and response (MDR) provider. Finally, planning and preparation are key. Having a well-practiced incident response plan in place can significantly improve outcomes if a major attack occurs. Ensuring that quality backups are made and routinely tested for data restoration is critical to accelerating recovery.
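    The last recommendation above, that backups be routinely tested for data restoration, is easy to state and easy to skip. The following Python script is an added example, not code from the article or from Sophos, showing the shape of an automated restore test: it records a SHA-256 manifest of a source tree at backup time, restores the archive into a scratch directory, and compares what came back against that manifest, reporting files that are missing or whose content differs. All directory names, file names and contents are constructed for the demo.

```python
"""
Added example (not from the Sophos report or the article): a minimal backup
restore test. A listing proves a backup exists; only a restore proves it is
usable, so the check below extracts the archive and hashes the result.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def create_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src into a gzip tarball; return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, expected: dict) -> dict:
    """Restore the archive into a fresh scratch directory and compare it to the manifest.

    Returns {'ok': bool, 'missing': [...], 'mismatched': [...]}. 'missing' lists
    files the manifest expects but the restore did not produce; 'mismatched'
    lists files whose restored content hashes differently from the manifest.
    """
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # Use the 'data' extraction filter where available (refuses
                # absolute paths and path traversal in archive member names).
                tar.extractall(dest, filter="data")
            except TypeError:  # older Python without the filter argument
                tar.extractall(dest)
        restored = build_manifest(dest)
    missing = sorted(f for f in expected if f not in restored)
    mismatched = sorted(f for f in expected if f in restored and restored[f] != expected[f])
    return {"ok": not missing and not mismatched, "missing": missing, "mismatched": mismatched}


def run_demo() -> dict:
    """Back up a constructed source tree and run the restore test twice.

    The first run compares against the genuine manifest and should pass. The
    second compares against a manifest that has drifted: one file's expected
    hash differs and one file was never backed up, which is the kind of
    failure a scheduled restore test exists to surface before an incident.
    """
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "plant-data"  # constructed sample tree
        (src / "recipes").mkdir(parents=True)
        (src / "recipes" / "line1.json").write_bytes(b'{"line": 1, "speed": 120}\n')
        (src / "plc-config.bin").write_bytes(bytes(range(256)))
        archive = Path(work) / "plant-data.tar.gz"

        manifest = create_backup(src, archive)
        clean = verify_restore(archive, manifest)

        drifted = dict(manifest)
        drifted["recipes/line1.json"] = hashlib.sha256(b"edited after backup").hexdigest()
        drifted["recipes/line2.json"] = drifted["recipes/line1.json"]  # never backed up
        drift = verify_restore(archive, drifted)
    return {"clean": clean, "drift": drift}


if __name__ == "__main__":
    results = run_demo()
    print("restore test against genuine manifest:", results["clean"])
    print("restore test against drifted manifest:", results["drift"])
```

    In a real deployment the manifest would be written alongside the backup at backup time and the restore test scheduled to run on a host other than the one that produced the backup, so that a single compromised machine cannot both corrupt the data and report it as fine.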

     
