99 ransomware groups target manufacturing in 2025 – Report

The manufacturing and production sector faced an unprecedented wave of cyberattacks in 2025, with 99 distinct ransomware groups targeting organisations globally, according to the newly released Sophos State of Ransomware in Manufacturing and Production 2025 report.

The findings of the report showed that while manufacturers are successfully stopping more attacks before data is encrypted, cybercriminals are rapidly shifting to data theft and extortion-only tactics to retain leverage over victims.

Sophos, a global cybersecurity leader, revealed that only 40 percent of ransomware attacks on manufacturing resulted in data encryption this year, the lowest rate in five years and a sharp decline from 74 percent in 2024.

This improvement is credited to stronger early detection, increased endpoint protection and more organisations adopting layered defences. Half of the surveyed manufacturers said they were able to stop an attack before encryption, more than double the 24 percent recorded last year.

Read also: New Rubrik–Sophos deal targets ransomware, data loss in M365

However, the report warns that attackers are adapting. As encryption becomes harder to achieve, cybercriminals are increasingly relying on data theft as their primary weapon. Extortion-only attacks, where data is stolen but not encrypted, surged to 10 percent, up from just three percent in 2024.

Additionally, 39 percent of organisations that experienced encryption also had sensitive data stolen, reflecting the rise of double-extortion techniques in the sector. The shift in tactics is being driven by some of the most aggressive ransomware groups.

According to Sophos X-Ops’ monitoring of leak sites, the most active groups targeting manufacturing were GOLD SAHARA (Akira), GOLD FEATHER (Qilin), and GOLD ENCORE (PLAY). These groups, along with dozens of others, were responsible for widespread data breaches, operational disruption, and rising financial losses across the global manufacturing landscape.

Despite improved detection, the financial and operational toll of ransomware remains significant. More than half (51 percent) of manufacturers whose data was encrypted still opted to pay the ransom, with a median payment of $1 million.

Although recovery costs (excluding ransoms) dropped by 24 percent to $1.3 million, the human impact remains high. Nearly half of IT and security teams surveyed reported elevated stress levels after an attack, while 27 percent said the incident led to leadership changes.

“Manufacturing depends on interconnected systems where even brief downtime can halt production and ripple across supply chains. Attackers exploit this pressure: even though encryption rates are falling, extortion and data theft continue to drive high ransom payments,” said Alexandra Rose, director of threat research at the Sophos Counter Threat Unit.

Read also: Ransomware demands plunge 73% in schools but human toll escalates

The report also highlights persistent internal challenges. Lack of cybersecurity expertise (42.5 percent), unknown security gaps (41.6 percent), and inadequate protection (41 percent) were identified as critical factors contributing to ransomware incidents. On average, each victim organisation cited three internal weaknesses that enabled the breach.

To counter the rising threat, Sophos recommends that manufacturers strengthen cybersecurity fundamentals, eliminate root causes like unpatched vulnerabilities, defend all endpoints with anti-ransomware tools, maintain tested incident response plans, and invest in 24/7 monitoring through Managed Detection and Response (MDR) services.

With 99 ransomware groups actively targeting the sector in 2025, Sophos warns that manufacturing organisations must remain vigilant, as adversaries continue to innovate and escalate their tactics in pursuit of financial gain.

Royal Ibeh is a senior journalist with years of experience reporting on Nigeria’s technology and health sectors. She currently covers the Technology and Health beats for BusinessDay newspaper, where she writes in-depth stories on digital innovation, telecom infrastructure, healthcare systems, and public health policies.

Join BusinessDay whatsapp Channel, to stay up to date