- Advertisement -
Nearly half (46%) of retail ransomware incidents were traced to an unknown security gap, underscoring ongoing visibility challenges across the retail attack surface, according to a report from Sophos.
Among organizations that had data encrypted, 58% or three in every five paid the ransom to get their data back – the second highest payment rate in five years.
These are based on a vendor-agnostic survey of 361 IT and cybersecurity leaders across 16 countries, representing organizations with 100 to 5,000 employees. The survey was conducted between January and March 2025, and respondents were asked about their experience of ransomware over the previous 12 months.
This year’s report also revealed that 30% of attacks exploited known vulnerabilities and 48% of attacks resulted in encryption.
The median ransom demand doubled to $2 million from 2024; and the average payment increased 5% to $1 million.
In the past year, the Sophos X-Ops has observed nearly 90 distinct threat groups target one or more retailers with ransomware or extortion across leak sites. The most active groups Sophos has tracked from incident response and MDR cases are Akira, Cl0p, Qilin, PLAY, and Lynx.
After ransomware, account compromise was the second most common incident type seen against retailers. Like many industries, retail is a consistent target of business email compromise (BEC) groups seeking to divert payments, which is the third most common incident type.
Limited in-house ex
Source: https://www.frontier-enterprise.com/3-in-5-retailers-hit-by-ransomware-pay-the-ransom/
Sophos cybersecurity rating report: https://www.rankiteo.com/company/sophos
"id": "SOP1764792712",
"linkid": "sophos",
"type": "Ransomware",
"date": "1/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': None,
'industry': 'retail',
'location': '16 countries',
'name': None,
'size': '100 to 5,000 employees',
'type': 'retail organizations'}],
'attack_vector': ['unknown security gap',
'known vulnerabilities'],
'data_breach': {'data_encryption': '48% of attacks resulted in '
'encryption',
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': None,
'sensitivity_of_data': None,
'type_of_data_compromised': None},
'description': 'Nearly half of retail ransomware incidents were '
'traced to an unknown security gap, with 58% of '
'affected organizations paying the ransom. The '
'median ransom demand doubled to $2 million, and '
'the average payment increased to $1 million. '
'Multiple threat groups targeted retailers, with '
'ransomware and account compromise being the most '
'common incident types.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': None,
'downtime': None,
'financial_loss': ['median ransom demand: $2 million',
'average ransom payment: $1 '
'million'],
'identity_theft_risk': None,
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': None},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'lessons_learned': 'Ongoing visibility challenges across the '
'retail attack surface and the prevalence of '
'unknown security gaps highlight the need for '
'improved threat detection and response.',
'motivation': ['financial gain'],
'post_incident_analysis': {'corrective_actions': None,
'root_causes': ['unknown security gap',
'known '
'vulnerabilities']},
'ransomware': {'data_encryption': '48% of attacks resulted in '
'encryption',
'data_exfiltration': None,
'ransom_demanded': '$2 million (median)',
'ransom_paid': '$1 million (average), 58% of '
'affected organizations paid',
'ransomware_strain': ['Akira',
'Cl0p',
'Qilin',
'PLAY',
'Lynx']},
'references': [{'date_accessed': None,
'source': 'Sophos',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': None,
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'threat_actor': ['Akira', 'Cl0p', 'Qilin', 'PLAY', 'Lynx'],
'title': 'Retail Ransomware and Extortion Incidents (2024-2025)',
'type': ['ransomware',
'extortion',
'account compromise',
'business email compromise'],
'vulnerability_exploited': ['unknown security gap',
'known vulnerabilities']}