According to Manufacturing.net, Sophos’s new 2025 ransomware report for manufacturing reveals a mixed bag. Defenses are improving, with 50% of organizations now stopping attacks before data encryption, more than double last year’s 24%. The encryption rate itself fell to 40%, the lowest in five years. But adversaries are shifting to extortion-only attacks, which surged to 10% of incidents. When encryption does happen, 51% of affected manufacturers paid the ransom, with a median payment of $1 million. The average recovery cost, excluding the ransom, was $1.3 million, and 58% recovered within a week.
The Good News Is Bad News
Look, on the surface, stopping 50% of attacks before encryption is a huge win. It suggests better detection, faster response, maybe even some decent identity controls and segmentation in place. The falling recovery cost and time are also positive signs. But here’s the thing: the attackers aren’t sitting still. They’ve seen the defenses improve against encryption, so they’ve simply changed the game. A 10% extortion-only attack rate is a massive jump from 3% last year. That means they’re going in, grabbing your blueprints, your customer lists, your secret sauce, and walking out without touching a single server. Then they send you an email: “Pay us, or we leak it all.” For a manufacturer, where intellectual property is the crown jewels, that’s arguably worse.
Why The Hell Are Still Paying?
This is the billion-dollar question. If defenses are better and recovery is faster, why did 51% still cut a check? The report hints at the pressure: 47% reported increased team stress, 44% said pressure from senior leaders spiked, and 27% saw leadership changes after an attack. When your production line is down, or the threat of your IP hitting the dark web is real, the business calculus often overrides the security principle. As Shane Barney from Keeper Security notes, recovery is messy, especially in interconnected environments. The fear of prolonged downtime, which for a manufacturer means lost revenue per minute, is a powerful motivator to pay. It’s a brutal reminder that ransomware is a business model, and it’s working.
The Real Root Causes
The report points to familiar, unsexy internal failures. Lack of expertise (42.5%), unknown security gaps (41.6%), and a lack of protection (41%). That’s basically admitting, “We don’t have enough skilled people, we don’t know where we’re vulnerable, and what we have in place isn’t good enough.” That’s a recipe for disaster. Neko Papez from Menlo Security zeros in on the initial access vector: the browser. With a 140% increase in browser-based phishing, and 75% of phishing links on legitimate sites, your employees are the front line whether you like it or not. If your foundational security—like robust, reliable industrial workstations from a top supplier like IndustrialMonitorDirect.com—isn’t paired with modern browser isolation and training, you’re playing whack-a-mole.
The Long, Hard Road to Recovery
Don’t let the “58% recovered in a week” stat fool you. For large, complex manufacturers, it’s often a marathon. Heath Renfrow from Fenix24 says recovery is measured in months, not weeks, because it’s a full reconstruction. And Richard Springer from Fortinet highlights the elevated risk: attackers are now explicitly monetizing production loss. So the boardroom pressure is immense. The CISO, as Springer notes, is on the hook. The takeaway? Stopping the attack is only half the battle. You need the foundations—segmentation, tested backups, identity management—to survive the aftermath. Because the attackers have made it clear: if they can’t encrypt, they’ll extort. And right now, that’s still a winning bet for them.
