Ransomware forces majority of retailers to settle with attackers

Joy Agwunobi 

A growing number of retail organisations worldwide are falling prey to ransomware attacks, with more than half choosing to pay ransom demands to regain access to their data, according to a new report by Sophos, a global cybersecurity firm.

The report, titled State of Ransomware in Retail 2025, marks Sophos’s fifth annual study on ransomware trends within the retail sector. It draws insights from a vendor-agnostic survey of IT and cybersecurity leaders across 16 countries, providing a detailed look into how retail businesses are faring in the face of evolving cyber threats.

This year’s findings paint a mixed picture: while there are signs of progress in the industry’s response to attacks, the sector continues to grapple with rising ransom demands, payment pressures, and persistent visibility gaps across digital infrastructure.

According to the report, 46 percent of retail ransomware incidents were traced to unknown security gaps, highlighting persistent challenges in visibility and asset management. Another 30 percent of the attacks exploited known vulnerabilities, making it the leading technical root cause for the third consecutive year.

Despite growing awareness and improved defense mechanisms, Sophos found that 58 percent of retail organisations that suffered data encryption paid the ransom to retrieve their data, representing the second-highest payment rate in five years. The median ransom demand also doubled from 2024 levels to reach $2 million, while the average payment increased slightly by 5 percent to $1 million.

The Sophos X-Ops division observed that nearly 90 distinct ransomware or extortion groups targeted at least one retailer over the past year, reflecting the growing diversity and aggressiveness of threat actors. Among the most active groups were Akira, Cl0p, Qilin, PLAY, and Lynx.

Beyond ransomware, retailers also faced significant risks from account compromise and business email compromise (BEC) schemes. BEC attacks, which typically aim to divert legitimate payments, emerged as the third most common type of cyber incident against retail organisations.

“Retailers globally are facing a more complex threat landscape where adversaries are constantly on the lookout for and exploiting existing vulnerabilities, most frequently in remote access and internet-facing networking equipment,” said Chester Wisniewski, director and global field CISO at Sophos.

He warned that the escalating ransom demands and the persistence of these threats make it increasingly vital for retailers to adopt comprehensive, layered security strategies. “Without this, retailers risk ongoing operational disruption and lasting reputational damage that could take years to repair. Encouragingly, many are beginning to recognise this and respond by investing in their cyber defenses, enabling them to stop attacks before they escalate and recover faster,” Wisniewski added.

The report also revealed internal weaknesses within retail security teams. Limited in-house expertise was cited as the second-most common operational factor behind compromises, affecting 45 percent of respondents, while gaps in protection coverage followed closely at 44 percent.

According to Sophos, these shortcomings make it difficult for organisations to detect and neutralize attacks early enough to prevent data encryption or extortion. Nevertheless, the industry appears to be making headway in mitigation efforts.

The percentage of ransomware attacks stopped before data encryption reached its highest level in five years, suggesting improved detection and rapid response capabilities. Correspondingly, only 48 percent of attacks resulted in data encryption, marking a five-year low.

Although ransom payments are rising modestly, Sophos noted that the average amount paid is only half of what attackers initially demanded. This could indicate that more retailers are negotiating or seeking expert guidance to manage ransom situations more effectively.

The report also observed a shift in attacker behaviour. While the overall data encryption rate has fallen, the share of extortion-only attacks, where data is stolen but not encrypted, has tripled in two years, rising from 2 percent in 2023 to 6 percent in 2025.

Another concerning trend is the decline in backup recovery. Only 62 percent of retailers that experienced ransomware attacks were able to restore data from backups, the lowest rate in four years.

On a positive note, the cost of recovery excluding ransom payments dropped by 40 percent to $1.65 million, the lowest average in three years. This decline reflects efficiency gains in remediation and response processes, possibly due to better incident response planning and increased adoption of managed security services.

However, ransomware continues to have a direct impact on retail operations and personnel. Nearly half (47 percent) of IT and cybersecurity teams reported increased workload and stress following encryption incidents, while 26 percent of affected companies saw leadership changes as a direct consequence of the attacks.

Drawing from its extensive field experience, Sophos offered a number of recommendations to help retail organisations strengthen their cyber resilience. The firm advised retailers to eliminate root causes of compromise by addressing common vulnerabilities and operational weaknesses that attackers often exploit. It noted that proactive solutions, such as Sophos Managed Risk, could help businesses identify exposure points and reduce overall risk across their environments.

Sophos also stressed the importance of defending every endpoint, including servers and network assets, with dedicated anti-ransomware protection to prevent attackers from gaining a foothold within company systems. Beyond technical defenses, the report urged retailers to plan and prepare by establishing and routinely testing comprehensive incident response plans, while maintaining reliable backups and regularly practising data restoration to minimise downtime during an attack.

Finally, the cybersecurity company underscored the need for constant vigilance through round-the-clock monitoring. It said continuous visibility is critical in today’s threat landscape, and organisations lacking in-house expertise can significantly strengthen their resilience by partnering with trusted Managed Detection and Response (MDR) providers to ensure 24/7 threat detection and expert response capability.

Wisniewski concluded by emphasising that successful security programs are built around risk management rather than reactive measures. “To assess and manage those risks, retailers must have visibility into the threats they face as well as their assets and their security posture,” he said. “Organisations that combine strong asset management and patching with MDR and managed risk services prevent more and recover faster, taking a proactive approach to their cyber defenses.”

The State of Ransomware in Retail 2025 underscores both the progress and the persistent vulnerabilities shaping the global retail industry’s battle against ransomware. While more retailers are strengthening their defenses and improving response times, the relentless evolution of cyber adversaries continues to make resilience, not just recovery, the defining measure of effective cybersecurity.