SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Retailers hit by ransomware face higher USD $2 million demands

Thu, 6th Nov 2025

More than half of retail organisations whose data was encrypted in a ransomware attack opted to pay the ransom, according to new findings from Sophos' latest annual State of Ransomware in Retail report.

The study, representing a survey of 361 retail IT and cybersecurity leaders across 16 countries, revealed that 58% of retail organisations whose data was encrypted by attackers chose to pay the demanded ransom. This is the second highest payment rate recorded in the last five years.

Rising financial impact

The financial demands on retail organisations are rising sharply. The median ransom demand faced by retailers has doubled to USD $2 million when compared to 2024 figures, while the average payment has increased by 5% to USD $1 million.

Despite the increase in ransom demands, the average payment made by retailers is only half of what is being demanded. While this suggests a degree of resistance to inflated demands, the proportion of victims who pay remains significant.

Underlying causes of incidents

Sophos' research highlighted that 46% of ransomware incidents in the sector began with unknown security gaps: areas of vulnerability in IT systems that organisations were unaware of. This operational factor underlines the visibility challenges that retailers face in securing their technology environments.

Known vulnerabilities were exploited in 30% of cases, making this the top technical root cause of ransomware incidents for the third consecutive year. The combination of unknown and known security gaps underscores the broad range of attack vectors available to cybercriminals.

"Retailers globally are facing a more complex threat landscape where adversaries are constantly on the lookout for and exploiting existing vulnerabilities, most frequently in remote access and internet facing networking equipment. Now, with ransom demands reaching new highs, the need to implement comprehensive security strategies is even more apparent. Without this, retailers risk ongoing operational disruption and lasting reputational damage that could take years to repair. Encouragingly, many are beginning to recognize this and respond by investing in their cyber defenses, enabling them to stop attacks before they escalate and recover faster," says Chester Wisniewski, director, global field CISO, Sophos.

Changing tactics and outcomes

Attackers' methods are evolving. While 48% of attacks resulted in data encryption, a five-year low, the proportion of retailers hit by extortion-only attacks tripled from 2% in 2023 to 6% in 2025. This indicates a shift towards threatening to leak sensitive data, in place of or in addition to encrypting it. In addition, nearly 90 distinct threat groups targeted retailers, including Akira, Cl0p, Qilin, PLAY, and Lynx.

Backup usage rates among retailers have declined, with 62% of those affected restoring their data from backups, the lowest in four years.

Operational pressures and progress

Limited in-house expertise was cited as the second most common factor enabling compromise in the sector, affecting 45% of respondents, followed by gaps in protection coverage (44%). These operational weaknesses, in conjunction with technical vulnerabilities, indicate areas for improvement in organisational cyber resilience.

The study also found that almost half (47%) of retail IT and cybersecurity teams reported increased pressure following incidents of data encryption, and in 26% of cases, leadership teams were replaced in the aftermath of an attack.

Despite these challenges, there are positive signs. The increase in attacks stopped before encryption suggests more retailers are identifying and neutralising threats earlier. Recovery costs, excluding any ransom payment, have decreased by 40% over the past year, now averaging USD $1.65 million, their lowest level in three years.

Retail response to ransom demands

Among retailers that opted to pay a ransom, only 29% agreed to the initial demand. A significant majority (59%) negotiated and paid less than first requested, while 11% ended up paying more. The resistance to initial demands and the pursuit of specialist advice in negotiating with attackers may be influencing these trends.

Chester Wisniewski commented on effective security approaches for the sector:

"In the end, successful security programs are focused on risk management. To assess and manage those risks, retailers must have visibility into the threats they face as well as their assets and their security posture. Organisations that combine strong asset management and patching with Managed Detection and Response services and managed risk services prevent more and recover faster, taking a proactive approach in their cyber defenses."

Customer perspective

Luca Bordegnoni, Head of Information Systems at Rossetto Group, provided a customer opinion on the landscape:

"Retailers are increasingly under threat from cyberattacks. In a challenging economic climate, down time can be terminal for a business. We have to make sure we are equipped to protect ourselves against a tricky and changing adversary."

Recommendations for retailers

Sophos offered a series of best practices in response to the findings. These include addressing both technical and operational weaknesses, ensuring endpoint protection with anti-ransomware solutions, planning and regularly testing incident response and data restoration capabilities, and maintaining continuous monitoring, potentially with the assistance of a Managed Detection and Response provider.

The findings of the report are based on a vendor-agnostic survey conducted from January to March 2025. All organisations surveyed had experienced at least one ransomware incident in the previous 12 months.
