The cost and complexity of ransomware attacks in the global retail sector have sharply escalated, according to the State of Ransomware in Retail 2025 report released by Sophos. The fifth annual survey reveals that nearly half of ransomware incidents [46%] stemmed from security gaps retailers didn’t know existed, pointing to a deep visibility crisis in an industry increasingly dependent on digital operations.
While the proportion of attacks leading to full data encryption has fallen to a five-year low [48%], attackers are shifting tactics. Extortion-only incidents, where criminals demand payment without encrypting data, have tripled since 2023, signalling that cyber adversaries are refining their playbooks faster than many organizations can adapt.

The financial toll remains severe. Median ransom demands doubled to $2 million in 2025, while the average payment rose modestly to $1 million. Over half [58%] of retailers whose data was encrypted paid the ransom, highlighting that even as recovery methods improve, operational paralysis still drives many businesses to negotiate with attackers. Yet resistance is growing: 59% of retailers managed to settle for less than the initial demand, which suggests a maturing approach to incident response and external advisory use.
Beyond the financial dimension, ransomware continues to reshape corporate governance. Nearly half [47%] of IT and cybersecurity teams reported increased internal pressure following an incident, and in a quarter of cases, leadership changes followed. Meanwhile, recovery costs excluding ransom fell by 40% to $1.65 million, the lowest in three years, suggesting gradual progress in incident readiness.
Strengthening Defenses for the Long Term
The report also reveals that 90 distinct threat groups targeted retailers in the past year, with Akira, Cl0p, Qilin, PLAY, and Lynx among the most active. Compromised credentials and business email compromise schemes ranked as the second and third most common attack types, reinforcing that ransomware often sits atop a broader ecosystem of digital intrusion.
Experts say the findings underscore a pressing need for visibility, skilled personnel, and proactive defense. “Successful security programs are ultimately about risk management,” said Chester Wisniewski, Sophos’ Global Field CISO. “Retailers that combine strong asset management with 24/7 threat monitoring prevent more and recover faster.”
As ransom inflation outpaces recovery budgets, the unspoken reality is clear: visibility gaps, not just external adversaries, remain the retail sector’s weakest link.