More than half of retailers pay up when hit by ransomware

2025-11-04


New research from Sophos into ransomware in the retail industry shows that among organizations that had data encrypted, 58 percent paid the ransom to get their data back -- the second highest payment rate in five years.

The survey, of 361 retail IT and cybersecurity leaders across 16 countries, also finds that 46 percent of attacks began with an unknown security gap, while 30 percent exploited known vulnerabilities. While 58 percent of victims with encrypted data paid, only 48 percent of attacks resulted in encryption. The median ransom demand doubled from 2024 to $2 million, and the average payment increased five percent to $1 million.

Over the past year nearly 90 distinct threat groups have targeted one or more retailers with ransomware or extortion across leak sites. The most active groups Sophos has tracked from incident response and MDR cases are Akira, Cl0p, Qilin, PLAY, and Lynx.

“Retailers globally are facing a more complex threat landscape where adversaries are constantly on the lookout for and exploiting existing vulnerabilities, most frequently in remote access and internet-facing networking equipment. Now, with ransom demands reaching new highs, the need to implement comprehensive security strategies is even more apparent. Without this, retailers risk ongoing operational disruption and lasting reputational damage that could take years to repair. Encouragingly, many are beginning to recognize this and respond by investing in their cyber defenses, enabling them to stop attacks before they escalate and recover faster,” says Chester Wisniewski, director and global field CISO at Sophos.

With only 48 percent of attacks now resulting in data encryption, the percentage of attacks stopped before encryption reached a five-year high, indicating that retail organizations are improving their ability to detect and neutralize attacks swiftly. Indeed, the data encryption rate is at its lowest level in five years.

There is evidence of reluctance to pay the demanded sums, though: only 29 percent of retailers say their payment matched the initial demand, 59 percent paid less than the initial ask, and 11 percent paid more.

You can get the full report from the Sophos site.

Image credit: Elnur/Dreamstime.com

