Terry KS Sophos’ latest State of Ransomware in Retail 2025 report shows that 46% of retail ransomware attacks originated from unidentified security gaps, while ransom demands and payments continue to surge. Although data encryption is declining, cybercriminals are adapting with new extortion-only tactics.
MALAYSIA, 25 NOVEMBER 2025 – Sophos, a global leader in cybersecurity solutions, has released its fifth annual State of Ransomware in Retail report, highlighting escalating risks and shifting tactics within the retail cyber threat landscape. Based on a vendor-agnostic survey of IT and cybersecurity leaders from 16 countries, the findings reveal that nearly half (46%) of retail ransomware incidents began with an unknown security gap, underscoring ongoing challenges in visibility and attack surface management.
The report shows that technical vulnerabilities remain a primary concern, with 30% of attacks exploiting known flaws for the third consecutive year. While data encryption rates have hit a five-year low at 48%, retail organizations are still paying ransoms at high rates—58% of those with encrypted data opted to pay, marking the second highest level in five years. Median ransom demands have also doubled to US$2 million, while the average ransom payment rose to US$1 million.
Sophos X-Ops observed nearly 90 distinct threat groups targeting retailers over the past year, with Akira, Cl0p, Qilin, PLAY, and Lynx among the most active operators. Beyond ransomware, account compromise and business email compromise (BEC) remain significant threats, with attackers frequently attempting payment diversion schemes.
Chester Wisniewski, Director and Global Field CISO at Sophos, said retailers are facing increasingly sophisticated adversaries who exploit both technical vulnerabilities and operational weaknesses. He noted that ransom demands are reaching new highs, making comprehensive security strategies vital for minimizing disruption and reputational damage.
Limited in-house expertise (45%) and protection gaps (44%) were identified as major operational risk factors contributing to compromises. However, the industry is also showing signs of progress: more attacks are being stopped before encryption, and the data encryption rate is at its lowest point in five years. Retailers are also pushing back on ransom demands, with 59% paying less than the initial amount requested.
The report highlights several positive trends. Recovery costs, excluding ransom payments, have dropped by 40% to US$1.65 million—the lowest in three years. Still, the impact on personnel remains significant, with 47% of IT and cybersecurity teams reporting increased pressure and 26% of leadership teams being replaced after ransomware incidents.
Sophos recommends strengthening defenses through improved vulnerability management, comprehensive endpoint protection, regular incident response planning, and 24/7 monitoring via Managed Detection and Response (MDR) services. These measures can help retailers identify risks earlier, prevent escalation, and recover more efficiently.
The State of Ransomware in Retail 2025 report is based on responses from 361 retail organizations with 100 to 5,000 employees. All participants experienced a ransomware attack within the past year. Sophos will continue releasing industry-specific findings throughout 2025.