The latest Sophos State of Ransomware in Retail report paints a mixed picture for the global retail sector, a landscape where cybercriminals continue to evolve even as defenders grow more resilient.
Here are 10 key takeaways from this year’s findings:
1. Unknown Security Gaps Still Dominate
Nearly half (46%) of retail ransomware incidents were traced back to previously unknown vulnerabilities, highlighting major visibility and risk assessment challenges within retail IT environments.
2. Known Flaws Remain an Open Door
For the third consecutive year, exploiting known vulnerabilities ranked as the top technical cause of ransomware attacks, proving that patch management remains a weak link for many retailers.
3. Ransom Payments Are Rising
A staggering 58% of retailers with encrypted data admitted to paying the ransom, marking one of the highest payment rates in five years.
4. Ransom Demands Double
The median ransom demand soared to $2 million, doubling from 2024, while the average payment climbed to $1 million, a 5% increase.
5. Encryption Rates Hit a Five-Year Low
There’s a silver lining: only 48% of attacks now result in data encryption, the lowest figure in five years. Retailers are getting better at detecting and stopping attacks midstream.
6. Extortion-Only Attacks Are Rising
Even as encryption declines, extortion-only attacks, where hackers steal and threaten to leak data, have tripled from 2% in 2023 to 6% in 2025.
7. Recovery Costs Are Falling
The average cost of recovery, excluding ransom payments, dropped 40% to $1.65 million, the lowest in three years, a positive sign that incident response and resilience strategies are improving.
8. Limited Expertise Still Hurts Defenses
45% of respondents cited limited in-house cybersecurity expertise as a major weakness, followed closely by gaps in protection coverage (44%). The skills shortage remains a top operational challenge.
9. Human and Leadership Impact Is Growing
Beyond financial loss, ransomware is taking a human toll. 47% of IT teams reported increased stress post-attack, and 26% of retailers replaced leadership teams after data encryption incidents.
10. Ransomware Groups Are Expanding Their Reach
Sophos tracked nearly 90 ransomware or extortion groups targeting retailers in the past year, with Akira, Cl0p, Qilin, PLAY, and Lynx among the most active.
The Bottom Line
The Sophos report underscores a critical truth: while retailers are becoming more prepared, attackers are also adapting. Proactive visibility, skilled personnel, and 24/7 threat monitoring are no longer optional; they're essential.

