Retailers trace ransomware incidents to unknown security gaps as demands and payments rise

A new Sophos report, involving a survey of 361 IT and cybersecurity leaders across 16 countries, reveals that 46% of retail ransomware incidents were traced to an unknown security gap.

Among organisations that had data encrypted, 58% paid the ransom to get their data back - the second highest payment rate in five years.

Key findings from the report:

• 46% of attacks began with an unknown security gap (top operational factor)

• 30% of attacks exploited known vulnerabilities (top technical root cause, third year running)

• 58% of victims with encrypted data paid; 48% of attacks resulted in encryption (five-year low)

• Median ransom demand doubled to $2 million from 2024; average payment increased 5% to $1 million

In the past year, the Sophos X-Ops has observed nearly 90 distinct threat groups target one or more retailers with ransomware or extortion across leak sites. The most active groups Sophos has tracked from incident response and MDR cases are Akira, Cl0p, Qilin, PLAY, and Lynx.

After ransomware, account compromise was the second most common incident type seen against retailers. And like many industries, retail is a consistent target of business email compromise (BEC) groups seeking to divert payments, which is the third most common incident type. 

“Retailers globally are facing a more complex threat landscape where adversaries are constantly on the lookout for and exploiting existing vulnerabilities, most frequently in remote access and internet facing networking equipment,” says Chester Wisniewski, Director, Global Field CISO at Sophos.

“Now, with ransom demands reaching new highs, the need to implement comprehensive security strategies is even more apparent. Without this, retailers risk ongoing operational disruption and lasting reputational damage that could take years to repair. Encouragingly, many are beginning to recognise this and respond by investing in their cyber defences, enabling them to stop attacks before they escalate and recover faster.”

Limited in-house expertise was the second most common operational driver of compromise (45%), followed by gaps in protection coverage (44%). Without the right skills and coverage, retailers struggle to detect and neutralise attacks.

Alongside these challenges, there are also signs of progress. The percentage of attacks stopped before encryption reached a five-year high. The data encryption rate is at its lowest level in five years, with only 48% of attacks now resulting in data encryption.

While the average retail ransom payment has risen by 5% ($1 million in 2025, up from $950k in 2024), the average ransom payment is half the average ransom demand, suggesting that retail organisations are becoming more resistant to inflated ransom demands and are potentially seeking expert advice to navigate ransomware attacks.

“In the end, successful security programmes are focused on risk management. To assess and manage those risks, retailers must have visibility into the threats they face as well as their assets and their security posture. Organisations that combine strong asset management and patching with managed detection and response services and managed risk services prevent more and recover faster, taking a proactive approach in their cyber defences,” says Wisniewski.

Although data encryption rates were at their lowest level in five years, adversaries are adapting as the proportion of retailers hit by extortion only attacks has tripled, rising from 2% in 2023 to 6% in 2025.

62% of retailers who experienced attacks restored their data using backups, the lowest rate in four years.

Looking closely at demands vs. payments, only 29% of retailers said their payment matched the initial demand. 59% paid less than the initial ask, while 11% paid more. Encouragingly, the average (mean) cost of recovering from a ransomware attack, excluding any ransom payment, has dropped by 40% over the past year to $1.65 million, its lowest point in three years.

47% of retail IT/cybersecurity teams reported increased pressure after experiencing data encryption, while one quarter of cases saw leadership teams replaced as a result.

2025 RTIH INNOVATION AWARDS

Cyber security was a key focus area at the 2025 RTIH Innovation Awards.

VoCoVo, Everseen, Sensei, Gander, Iceland, Olio, Trust Retail, East of England Co-op, Lekkerland SE, Poq, Mamas & Papas, Varner, Sitoo, and Zebra Technologies were among our winners this year.

We received a record number of entries and many fantastic examples of the continued resilience and dynamism of the retail space during hugely challenging times.

For a full rundown of all of the shortlisted entries, click here.

Our 2025 hall of fame entrants were revealed during a sold out event which took place at The HAC in Central London on 16th October and consisted of a drinks reception, three course meal, and awards ceremony presided over by award winning comedian, actress and writer Tiff Stevenson.

In his welcome speech, Scott Thompson, Founder and Editor, RTIH, said: “This is the awards’ fifth year as a physical event. We started off with just 30 people at the South Place Hotel not far from here, then moved to London Bridge Hotel, then The Barbican, and last year RIBA’s HQ in the West End.”

“But I’m conscious of the fact that, to quote the legend that is Taylor Swift, You’re only as hot as your last hit, baby. So, this year we’ve moved to our biggest venue yet, and also pulled in our largest number of entries to date and broken attendance records.”

He added: “This year’s submissions have without doubt been our best yet. To quote one of the judges: The examples of innovative developments across both traditional and digital retail spaces were truly remarkable.”

Congratulations to our winners, and a big thank you to our sponsors, judging panel, the legend that is Tiff Stevenson, and all those who attended our 2025 gathering.