A recent study conducted by security researchers at Sophos reveals that the manufacturing sector has made significant strides in defending itself against ransomware attacks. However, the industry is still grappling with an evolving threat: cybercriminals are increasingly focusing on data exfiltration rather than encryption, signaling a shift in the tactics used by these attackers.
The Sophos State of Ransomware in Manufacturing and Production 2025 report shows that manufacturers are becoming more adept at protecting their IT infrastructure from traditional file-encrypting malware. This is a positive development, but cybercriminals are now adopting a more sophisticated approach, concentrating on stealing valuable data instead of locking up entire systems with encryption. This tactic is proving to be more profitable for criminals, as data theft allows them to sell sensitive information on the dark web or use it for other malicious purposes, whereas encryption only provides a one-time ransom payout.
The report highlights that approximately 40% of ransomware attacks on manufacturers involved data encryption, while the remaining 60% were focused on data exfiltration, marking a staggering 74% increase in data theft compared to the previous year. This shift underscores a changing landscape in cybercrime, where data has become a more valuable commodity than the disruption caused by encrypting files.
In the manufacturing sector, downtime can have severe consequences. As most manufacturing systems are interconnected, a brief system outage can lead to production delays, causing ripple effects across the supply chain. Although the rate of data encryption has decreased, the financial impact of these attacks remains unchanged. On average, ransomware demands in the manufacturing sector are still around $1 million, according to Alexandra Rose, Director of Threat Research at Sophos.
The Sophos survey also revealed that nearly half (51%) of ransomware victims in the manufacturing sector chose to pay the ransom, while the rest either resisted or were uncertain about paying the attackers. This statistic reflects the difficult decisions faced by organizations when their critical systems are compromised.
Beyond the financial impact, the study pointed to another significant consequence of ransomware attacks: employee stress. Approximately 47% of affected companies acknowledged that the compromise of their IT infrastructure placed considerable strain on their staff, particularly security teams, who were under immense pressure from senior management to resolve the situation swiftly.
Finally, the survey identified several ransomware groups that have been particularly active in targeting the manufacturing sector this year. Among them, the Play, Qilin, and Akira groups stand out for their frequent attacks and significant financial gains from their malware campaigns.
In conclusion, while the manufacturing sector has made progress in defending against traditional ransomware attacks, it remains vulnerable to the growing trend of data exfiltration. The rise in cybercriminals’ focus on stealing sensitive information instead of encrypting files reflects a broader shift in the threat landscape, one that businesses will need to adapt to in order to mitigate the ever-present risks of cybercrime.
Join our LinkedIn group Information Security Community!
