SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Ransomware tactics shift as manufacturing faces data theft surge

Fri, 5th Dec 2025

The manufacturing and production sector is facing significant shifts in ransomware attack tactics, with a notable decrease in data encryption but a marked rise in extortion-only and data theft attacks, according to new data compiled from incidents over the past year.

Encryption decline

For the first time in five years, only 40% of ransomware attacks on manufacturing firms resulted in data encryption, down sharply from 74% the previous year. This reflects a substantial improvement in organisations' ability to stop cyber intrusions before attackers can encrypt data and disrupt operations.

However, as fewer attempts end in encryption, adversary groups have shifted strategies. Reports indicate that extortion-only attacks, where threat actors demand payment without encrypting files but threaten exposure or sale of stolen data, surged to 10% in the sector. That is more than triple the 3% rate reported the previous year.

Data theft surge

Data theft remains a persistent and significant risk. Of those manufacturing companies that suffered data encryption, 39% also had data stolen. This figure stands among the highest across surveyed industries, underscoring the dual risks of data loss and business disruption facing the sector.

There has also been an increase in attacks where both encryption and data theft are used in tandem. Over half of observed ransomware incidents involved this "double extortion" tactic, where attackers seek multiple avenues for financial leverage against their targets.

Changing threat landscape

Sophos researchers have identified 99 separate ransomware groups targeting manufacturing over the past year. Groups such as GOLD SAHARA (which operates the Akira ransomware), GOLD FEATHER (Qilin), and GOLD ENCORE (PLAY) have been particularly active, according to incident data and monitoring of leak sites.

Despite improvements in the ability to block attacks early, the sector continues to attract significant attention from cybercriminal groups. Internal factors, including a lack of cybersecurity expertise (cited by 42.5% of respondents), unknown security gaps (41.6%), and insufficient protection (41%), are viewed as key contributors to attacks.

Recovery improvements

Recovery metrics across the sector have improved on several fronts. The average cost for an organisation to recover from a ransomware attack, excluding any ransom paid, has decreased by 24% year-on-year to USD $1.3 million. More manufacturers are now able to recover quickly, with 58% reporting full recovery within a week, compared to 44% twelve months earlier.

However, the financial stakes remain high. Among those who did experience encryption, 51% paid a ransom, with the median amount paid reported as USD $1 million. Initial ransom demands had a median value of USD $1.2 million. These payments come in addition to the operational, recovery, and reputational costs of attack incidents.

Organisational impact

Beyond the financial costs, the human impact of ransomware attacks is significant. Nearly half (47%) of manufacturing organisations reported increased stress within IT and security teams after an attack resulted in data encryption. Pressure from senior leaders also intensified in 44% of cases, while 27% saw leadership changes as a direct result of incidents.

Response strategies

"Manufacturing depends on interconnected systems where even brief downtime can stop production and ripple across supply chains. Attackers exploit this pressure: despite encryption rates falling to 40%, the median ransom paid still reached $1 million. While half of manufacturers stopped attacks before encryption, recovery costs average $1.3 million and leadership stress remains high. Layered defenses, continuous visibility, and well-rehearsed response plans are essential to reduce both operational impact and financial risk," said Alexandra Rose, Director of Threat Research, Sophos Counter Threat Unit.