More than half of affected retailers pay ransom in ransomware attack

New research from Sophos shows that 58 percent of retail organizations pay ransom after a ransomware attack. Unknown vulnerabilities remain a key entry point for attackers.

According to Sophos’s new State of Ransomware in Retail 2025 report, 58 percent of retail organizations affected by ransomware paid ransom to recover their data. This is the second-highest payment rate in five years. In total, 46 percent of respondents say their incident was caused by an unknown security vulnerability.

Ransomware in Retail Sector

More than half of surveyed retailers pay ransom after a ransomware attack, according to Sophos research. Additionally, 30 percent of attacks exploit known vulnerabilities. The median ransom demand doubled to $2 million over the past year. The average payment increased slightly to $1 million.

Although the proportion of ransomware attacks where data was effectively encrypted dropped to 48 percent, the lowest level in five years, the number of incidents demanding ransom is increasing. Meanwhile, 62 percent of affected organizations say they could recover their data using backups. This is the lowest percentage in four years.

Internal Pressure Increases

Sophos identified nearly 90 different threat groups targeting the retail sector last year. Groups such as Akira, Cl0p, Qilin, PLAY, and Lynx were most frequently involved, according to the report. Account compromise is the most common incident type in retail after ransomware, followed by attempts at payment fraud through business email compromise.

Internally, IT and cybersecurity teams in the sector are feeling the pressure from attacks. Nearly half report experiencing more stress after a ransomware incident, and in 26 percent of cases, management was replaced.

Despite these challenges, there is also progress. More attacks are being stopped in early stages, and recovery after an attack is becoming more efficient. The average recovery costs decreased by 40 percent to $1.65 million over the past year.