Sophos’ newest annual examine explores the real-world ransomware experiences of 361 retail organizations that had been hit by ransomware prior to now yr. The report examines how the causes and penalties of those assaults have advanced over time.
This yr’s version additionally sheds new gentle on beforehand unexplored areas, together with the organizational components that left retailers uncovered and the human toll ransomware takes on retail IT and cybersecurity groups.
Obtain the report back to discover the complete findings.
Exploited vulnerabilities, unknown safety gaps, and restricted experience underpin the primary root causes of assaults
For the third yr operating, retail victims recognized exploited vulnerabilities as the commonest technical root reason for assault, utilized in 30% of incidents.
A number of organizational components contribute to retail organizations falling sufferer to ransomware, with the commonest being unknown safety gaps named by near half (46%) of victims. It’s adopted in very shut succession by a lack of information, which was a contributing think about 45% of assaults — the best fee recorded of any sector surveyed.
Organizational root reason for assaults in retail
Information encryption falls to a five-year low, whereas thwarted encryption makes an attempt hit a file excessive
Information encryption within the retail sector has dropped to its lowest stage in 5 years, with fewer than half (48%) of assaults leading to encryption, down from a peak of 71% in 2023. In keeping with this pattern, the proportion of assaults stopped earlier than encryption reached a five-year excessive, indicating that retail organizations are strengthening their defenses.
Nevertheless, adversaries are adapting: the proportion of outlets hit by extortion-only assaults (the place information wasn’t encrypted however a ransom was nonetheless demanded) has tripled, rising from 2% in 2023 to six% in 2025.
Information encryption in retail | 2021 – 2025
Rising ransom fee charges and declining backup use sign a shift in retail information restoration methods
The proportion of outlets paying the ransom to get well information has practically doubled since 2021 (from 32% to 58% in 2025, nicely above the 49% cross-sector common). Backup use is at a four-year low, and though nonetheless marginally extra widespread than ransom funds, the narrowing hole suggests a larger reliance on a number of/various restoration strategies.
Restoration of encrypted information in retail | 2021 – 2025
Ransom calls for soar, however retailers stand agency
The typical (median) ransom demand made to retail organizations has doubled prior to now yr, reaching $2M in 2025 in comparison with $1M in 2024. This sharp improve is basically pushed by a 59% rise within the proportion of calls for exceeding $5M, which grew from 17% in 2024 to 27% in 2025. Regardless of this, the median ransom fee has elevated by simply 5%, from $950K in 2024 to $1M in 2025, indicating that retailers are displaying larger resistance to inflated calls for.
Encouragingly, the common (imply) value of recovering from a ransomware assault, excluding any ransom fee, has dropped by 40% over the previous yr to $1.65M, its lowest level in three years.
These developments counsel that, whereas menace actors are demanding extra, retail organizations have gotten extra resilient by bettering restoration processes and doubtlessly holding firmer in ransom negotiations.
Ransomware assaults place important stress on retail IT/cybersecurity groups from senior management
The survey makes clear that having information encrypted in a ransomware assault has important repercussions for IT/cybersecurity groups within the retail sector, with elevated stress from senior leaders cited by near half (47%) of respondents. Different repercussions embrace (however will not be restricted to):
- Elevated nervousness or stress about future assaults — cited by 43%.
- Employees absences as a consequence of stress/psychological well being points — cited by 37%.
- Emotions of guilt that the assault was not stopped — cited by 34%.
Obtain the complete report for extra insights into the human and monetary impacts of ransomware on the retail sector.
Concerning the survey
The report relies on the findings of an impartial, vendor-agnostic survey commissioned by Sophos of three,400 IT/cybersecurity leaders throughout 17 international locations within the Americas, EMEA, and Asia Pacific, together with 361 from the retail sector. All respondents symbolize organizations with between 100 and 5,000 staff. The survey was performed by analysis specialist Vanson Bourne between January and March 2025, and members had been requested to reply primarily based on their experiences over the earlier yr.
