
More than Half (58%) of Retailers Hit by Ransomware Pay the Ransom

Sophos report reveals rising ransom demands, persistent security gaps, and growing pressure on retail IT teams despite signs of progress.

Sophos has released its fifth annual State of Ransomware in Retail 2025 report, uncovering critical insights into how ransomware continues to disrupt the global retail sector. The findings highlight a troubling trend: 58% of retailers whose data was encrypted paid the ransom, marking the second-highest payment rate in five years. Meanwhile, ransom demands have doubled to a median of \$2 million, and average payments climbed to \$1 million.

Key operational and technical weaknesses remain a major concern. Nearly 46% of attacks began with an unknown security gap, while 30% exploited known vulnerabilities—a recurring issue for the third consecutive year. Limited in-house expertise (45%) and gaps in protection coverage (44%) further compound the challenge.

“Retailers globally are facing a more complex threat landscape where adversaries are constantly on the lookout for and exploiting existing vulnerabilities.”

— Chester Wisniewski, Director, Global Field CISO, Sophos

Chester Wisniewski, Director, Global Field CISO at Sophos, warned:
“With ransom demands reaching new highs, the need to implement comprehensive security strategies is even more apparent. Without this, retailers risk ongoing operational disruption and lasting reputational damage that could take years to repair.”

Despite these challenges, there are signs of progress. The percentage of attacks stopped before encryption reached a five-year high, and encryption rates fell to 48%, their lowest point in years. Recovery costs also dropped by 40%, averaging \$1.65 million excluding ransom payments.

Sophos X-Ops observed nearly 90 distinct ransomware groups targeting retailers, with Akira, Cl0p, Qilin, PLAY, and Lynx among the most active. Extortion-only attacks tripled to 6%, while backup restoration rates fell to a four-year low of 62%.

Wisniewski added:
“Successful security programs are focused on risk management. Retailers must combine strong asset management and patching with Managed Detection and Response services to prevent more and recover faster.”

For full findings and best practices—including eliminating root causes, defending every endpoint, and implementing 24/7 monitoring—download the State of Ransomware in Retail 2025 report at https://www.sophos.com.
