A significant shift is underway in the cyber threat landscape for India's manufacturing sector. While companies are getting better at preventing ransomware from locking their data, cybercriminals are adapting with alarming new tactics focused on stealing and threatening to leak sensitive information, according to a new industry report.
Defensive Gains Against Encryption
The latest study from cybersecurity firm Sophos delivers a mixed picture. On one hand, it shows manufacturers have made remarkable progress in halting ransomware before it can encrypt files. The report, which surveyed 332 manufacturing organisations globally that were hit by ransomware in the past year, found that half (50%) successfully stopped attacks before encryption. This is a dramatic improvement, more than double the success rate of 24% recorded the previous year.
As a direct result, the percentage of attacks that actually resulted in data encryption plummeted to just 40%. This is the lowest level seen in five years and represents a sharp fall from 74% in the previous period. This indicates that defensive measures within the sector are having a tangible impact on a key stage of the attack chain.
The Rise of Extortion-Only Attacks
However, this defensive victory comes with a major caveat. Cybercriminals are not retreating; they are simply changing their playbook. Extortion-only attacks, where data is stolen and threatened with public release but not encrypted, surged to 10% of incidents, up from a mere 3% in 2024. This pivot allows attackers to maintain leverage over victims even when their encryption payloads are blocked.
Data theft remains a severe concern, affecting 39% of manufacturers who experienced encryption—one of the highest rates across all sectors surveyed. The human and organisational toll is also evident. The report found that 47% of manufacturers reported increased team stress following incidents, while 44% faced heightened pressure from senior leadership. In 27% of cases, the attacks even resulted in leadership changes.
High Costs and Persistent Vulnerabilities
Despite the improved ability to block encryption, the financial impact remains staggering. 51% of affected organisations still ended up paying a ransom. The median payment was a hefty $1 million, against an average initial demand of around $1.2 million.
On a positive note, recovery metrics showed improvement. 58% of manufacturers fully recovered within one week, a rise from 44% previously. The average cost to recover from an attack (excluding any ransom paid) also declined by 24% to $1.3 million.
Nevertheless, internal vulnerabilities continue to plague the industry. Key challenges cited by respondents include:
- Lack of internal expertise (42.5%)
- Unknown security gaps (41.6%)
- Inadequate protection (41%)
Sophos X-Ops identified Akira, Qilin, and PLAY as the most active ransomware groups targeting manufacturing over the past year. In total, a staggering 99 distinct threat groups were observed on leak sites related to the sector, highlighting the vast and varied nature of the threat.
The findings underscore a critical evolution in the cyber battle. For Indian manufacturers, building defences must now extend beyond preventing encryption to aggressively protecting data from theft, as pure extortion becomes a weapon of choice for persistent attackers.