2025-11-10
SOPHOS Report: More Than Half of Retailers Choose to Pay the Ransom After a Ransomware Attack
Sophos has released the fifth annual State of Ransomware in Retail report.
This vendor-agnostic survey gathered insights from IT and cybersecurity leaders across 16 countries, offering an in-depth look at how ransomware attacks are impacting the retail sector.
This year’s findings show that nearly half (46%) of retail ransomware incidents were caused by previously unknown security vulnerabilities, highlighting ongoing challenges the industry faces in gaining visibility across its attack surface.
Among organizations whose data was encrypted, 58% chose to pay the ransom to recover their information—the second-highest payment rate recorded in the past five years.
Key Findings from the Report:
▪️ 46% of ransomware incidents in the retail sector were linked to previously undetected security vulnerabilities.
▪️ 58% of organizations whose data was encrypted paid the ransom, marking the second-highest payment rate in the past five years.
▪️ Retailers continue to struggle with limited visibility across their attack surface, making it harder to identify threats early.
▪️ The report highlights a growing need for stronger cyber resilience, especially as attacks become more sophisticated and frequent.
Threat Trends Observed by Sophos in the Retail Sector
Over the past year, Sophos X-Ops observed nearly 90 different threat groups that targeted one or more retail organizations using ransomware or extortion tactics, as documented on data leak sites. The most active threat actors tracked through Sophos’ incident response and MDR cases include Akira, Cl0p, Qilin, PLAY, and Lynx.
Aside from ransomware attacks, account compromise was the second most common type of security incident in the retail sector. Similar to many other industries, retailers are also frequent targets of business email compromise (BEC) groups attempting to steal or redirect funds. BEC was identified as the third most common incident type.
Sophos Field CTO Chester Wisniewski noted that retailers worldwide are facing an increasingly complex threat landscape. Attackers continue to discover and exploit existing vulnerabilities—particularly those related to remote access and internet-facing network devices. With ransomware demands reaching record highs, organizations urgently need a comprehensive security strategy. Without adequate protection, retailers risk long-term operational disruption and reputational damage, which can take years to recover from. The good news, however, is that many companies are now recognizing these challenges and investing in stronger cyber defenses, enabling them to stop attacks earlier and improve recovery efficiency.
A lack of internal cybersecurity expertise was identified as the second most significant operational factor leading to compromise (45%), followed by insufficient security coverage (44%). Without adequate skills and defenses, retailers struggle to detect and contain attacks effectively.
Despite these challenges, the report also reveals several positive trends. The percentage of attacks stopped before data encryption reached a five-year high, indicating improvements in early detection and rapid response. Meanwhile, the proportion of attacks that resulted in encrypted data dropped to a five-year low, with only 48% of incidents leading to encryption.
Although the average ransom payment in the retail sector rose by 5% (USD 1 million in 2025, up from USD 950,000 in 2024), the average actual payment was only about half of the average ransomware demand. This suggests that retailers are becoming more resistant to excessive demands and may be seeking expert assistance in responding to ransomware incidents.
Wisniewski added that a truly effective cybersecurity program must ultimately be rooted in risk management. To properly assess and mitigate these risks, retailers need clear visibility into their threats, assets, and overall security posture. Organizations that combine strong asset management and patching practices with Managed Detection and Response (MDR) and Managed Risk Services are better positioned to prevent attacks, accelerate recovery, and strengthen their defenses proactively.
According to the “2025 State of Ransomware in Retail” report
- Drop in data encryption, but attackers are shifting tactics: Although the rate of data encryption has fallen to its lowest point in five years, attackers are changing strategies. The share of retail organizations hit by intimidation-only attacks has tripled, rising from 2% in 2023 to 6% in 2025.
- Decline in backup usage: Among affected retailers, only 62% were able to restore data using backups — the lowest rate in four years.
- Retailers increasingly resist ransom demands: When comparing ransom demands with actual payments, only 29% of retailers said they paid the full amount requested. 59% paid less than the original demand, while 11% ended up paying more.
- Recovery costs are trending downward: Notably, the average cost of recovery from a ransomware attack (excluding ransom payments) dropped by 40% compared to last year, falling to USD 1.65 million, the lowest in three years.
- Ransomware attacks directly affect internal teams: Nearly half (47%) of retail IT/security teams reported increased stress after their data was encrypted, and 26% of incidents resulted in changes to executive leadership.
Strengthening long-term defense capabilities
According to Sophos’ global experience in safeguarding the retail industry, the following best practices can help organizations proactively defend against ransomware and other cyber threats:
- Eliminate the root cause: Take proactive measures to address common technical and operational weaknesses, such as vulnerabilities frequently exploited by attackers. With solutions like Sophos Managed Risk, organizations can assess their exposure level and reduce overall risk.
- Protect every endpoint: Ensure that all endpoints—including servers—are equipped with dedicated anti-ransomware protection to prevent breaches and lateral movement.
- Plan and prepare: Establish a comprehensive incident response plan and test it regularly. Maintain reliable data backups and conduct routine recovery drills to minimize downtime in the event of an attack.
- 24/7 monitoring: Continuous visibility is critical. For organizations lacking internal resources, partnering with a trusted Managed Detection and Response (MDR) provider can strengthen resilience through round-the-clock threat monitoring and expert incident response.