Ransom demands double to $2m as retailers struggle with hidden security gaps

News Express |5th Nov 2025 | 156




Ransomware attacks against global retailers are becoming more expensive and more complex, with median ransom demands doubling to $2 million this year as companies continue to battle unseen vulnerabilities across their systems, according to a new report by cybersecurity firm Sophos.

The Sophos State of Ransomware in Retail 2025 report, released on Tuesday, reveals that 58 percent of retailers hit by ransomware ended up paying to regain access to their data, the second-highest payment rate in five years.

The findings underscore how cybercriminals are tightening their grip on one of the world’s most data-rich sectors, exploiting weaknesses that many companies did not even know existed.

Nearly half of all ransomware incidents in retail, 46 percent, were traced back to unknown security gaps, making this the most common root cause of attacks. Another 30 percent stemmed from known but unpatched vulnerabilities, marking the third consecutive year that poor vulnerability management has ranked among the top technical causes.

Sophos’ research paints a picture of an industry that is improving its detection capabilities but still struggling to get ahead of fast-evolving threat actors.

“Retailers globally are facing a more complex threat landscape where adversaries are constantly exploiting existing vulnerabilities, most frequently in remote access and internet-facing networking equipment. With ransom demands reaching new highs, the need to implement comprehensive security strategies is even more apparent,” said Chester Wisniewski, global field CISO at Sophos.

The Sophos X-Ops team observed close to 90 distinct ransomware or extortion groups targeting retailers in the past year, including Akira, Cl0p, Qilin, PLAY, and Lynx. Beyond ransomware, account compromise and business email compromise attacks have emerged as top-tier risks for retail organizations, many of which operate sprawling digital infrastructures to manage logistics, supply chains, and customer engagement.

Even as attackers grow more aggressive, the retail industry has shown signs of resilience. The share of attacks that resulted in data encryption dropped to 48 percent, a five-year low, suggesting that many organizations are improving at detecting and halting intrusions before they escalate. Similarly, the average ransom payment, while rising slightly to $1 million from $950,000 in 2024, remains roughly half of the average demand, indicating a stronger negotiating stance and greater reliance on expert guidance during crises.

Sophos also noted that recovery costs, excluding ransom payments, fell by 40 percent year-on-year to $1.65 million, the lowest level in three years. However, backup reliability is declining: only 62 percent of retailers were able to restore data from backups after an attack, the weakest recovery rate since 2021.

Limited in-house expertise remains another major challenge, cited as a contributing factor in 45 percent of incidents. Without the right mix of skills, threat monitoring, and response capabilities, many retail organizations still find themselves outpaced by adversaries who continuously refine their tactics.

“Successful security programs are about managing risk through visibility. Organizations that pair strong asset management and patching with managed detection and response services prevent more and recover faster,” Wisniewski said.

Despite the mounting financial pressure, Sophos’ findings suggest that many retailers are now investing more strategically in cyber defence, prioritizing visibility, patch management, and around-the-clock threat monitoring to reduce exposure. But as attackers diversify their tactics, including a rise in extortion-only schemes where data is stolen but not encrypted, the battle between retail and ransomware groups is far from over.

Sophos gathered data for its 2025 report from 361 retail IT and cybersecurity leaders across 16 countries. All respondents had experienced ransomware attacks in the past 12 months, highlighting just how pervasive the threat has become for the global retail sector. (BusinessDay)



