Sophos’ fifth annual State of Ransomware in Retail 2025 report paints a sobering picture of the retail sector’s ongoing battle with ransomware. Even as retailers have made headway in detection and mitigation, 58% of those whose data was encrypted still paid the ransom — a figure that underscores the persistent operational and visibility challenges facing the industry.
The report reveals that 46% of attacks stemmed from unknown security gaps, making blind spots one of the most critical vulnerabilities in retail cyber defense. While the rate of data encryption dropped to a five-year low of 48%, attackers are evolving — with extortion-only incidents tripling since 2023.
Ransom demands have also doubled, reaching a median of $2 million, while the average payment climbed 5% to $1 million. Despite these numbers, recovery costs excluding ransom have fallen 40% to $1.65 million, signaling that retailers are learning to recover faster and negotiate better.
“Retailers must move beyond reactive security and embrace visibility-first resilience.”
— Chester Wisniewski, Director, Global Field CISO, Sophos
Chester Wisniewski, Director and Global Field CISO at Sophos, warned that “retailers globally are facing a more complex threat landscape where adversaries are constantly exploiting existing vulnerabilities, particularly in remote access and networking equipment.” He added that only a proactive, visibility-driven defense can prevent operational disruption and reputational damage.
Interestingly, limited in-house expertise (45%) and incomplete protection coverage (44%) remain top contributors to breaches. Retailers are struggling to bridge the talent gap even as threat sophistication rises. However, there is cautious optimism — more attacks are being stopped before encryption, and fewer organizations are giving in to inflated ransom demands.
The findings reinforce a fundamental truth: ransomware is no longer just a technology challenge but a test of resilience and readiness. For retail, the path forward lies in combining managed detection and response (MDR), strong asset management, and continuous threat visibility — the building blocks of modern cyber resilience.
