Ransomware Threats Intensify in Retail: Sophos Reports Rising Ransom Demands and Persistent Security Gaps

Nearly half of retail ransomware attacks stem from unknown security gaps, according to Sophos’ 2025 State of Ransomware in Retail report, which warns of increasingly sophisticated threat groups and record-high ransom demands. Despite progress in early detection, retailers still face major challenges in visibility, recovery, and in-house expertise.


MALAYSIA, 7 NOVEMBER 2025 – Sophos, a global cybersecurity leader, has unveiled its fifth annual State of Ransomware in Retail 2025 report, revealing that 46% of retail ransomware incidents originated from unknown security gaps — highlighting ongoing visibility and protection challenges across the retail sector.

The vendor-agnostic survey, conducted across 16 countries, found that 58% of organizations with encrypted data paid the ransom to regain access, marking the second-highest payment rate in five years. Alarmingly, the median ransom demand doubled to USD 2 million in 2025, while the average payment rose to USD 1 million.

According to Sophos X-Ops, nearly 90 distinct ransomware and extortion groups have targeted retailers over the past year, with Akira, Cl0p, Qilin, PLAY, and Lynx being the most active. Following ransomware, account compromises and business email compromise (BEC) scams were identified as the second and third most common attack types, respectively.

Chester Wisniewski, Global Field CISO at Sophos, noted that attackers are relentlessly exploiting vulnerabilities, particularly in remote access and internet-facing systems. He urged retailers to adopt comprehensive security strategies to avoid prolonged operational disruption and reputational damage.

The report also found that limited in-house expertise (45%) and gaps in protection coverage (44%) were key operational drivers of compromise. However, there are signs of improvement: the percentage of attacks stopped before encryption reached a five-year high, and the data encryption rate dropped to 48%, its lowest point in half a decade.

While average ransom payments increased slightly, retailers appear more resistant to inflated demands. Only 29% of respondents said their payment matched the initial ransom ask, and recovery costs (excluding ransom) declined by 40% to USD 1.65 million — the lowest in three years.

Sophos also noted that ransomware directly impacts internal teams: 47% of IT and cybersecurity personnel reported increased work pressure following data encryption incidents, and 26% of organizations replaced leadership teams as a consequence.

The report advises retailers to focus on root-cause elimination, endpoint protection, incident response planning, and 24/7 threat monitoring. Sophos highlighted its Managed Detection and Response (MDR) and Managed Risk solutions as critical for continuous protection and faster recovery.

The State of Ransomware in Retail 2025 report is based on survey responses from 361 retail IT and cybersecurity leaders representing companies with 100 to 5,000 employees. The study was conducted between January and March 2025, with all respondents having experienced ransomware incidents within the past year.

For further details, retailers can download the full report and register for the webinar Behind the Shield: Real-World Stories of Thwarted Ransomware Attacks at Sophos.com.

Author: Terry KS
