Nearly half (46%) of retail ransomware incidents were traced to an unknown security gap, underscoring ongoing visibility challenges across the retail attack surface, according to a report from Sophos.
Among organizations that had data encrypted, 58% or three in every five paid the ransom to get their data back – the second highest payment rate in five years.
These are based on a vendor-agnostic survey of 361 IT and cybersecurity leaders across 16 countries, representing organizations with 100 to 5,000 employees. The survey was conducted between January and March 2025, and respondents were asked about their experience of ransomware over the previous 12 months.
This year’s report also revealed that 30% of attacks exploited known vulnerabilities and 48% of attacks resulted in encryption.
The median ransom demand doubled to $2 million from 2024; and the average payment increased 5% to $1 million.
In the past year, the Sophos X-Ops has observed nearly 90 distinct threat groups target one or more retailers with ransomware or extortion across leak sites. The most active groups Sophos has tracked from incident response and MDR cases are Akira, Cl0p, Qilin, PLAY, and Lynx.
After ransomware, account compromise was the second most common incident type seen against retailers. Like many industries, retail is a consistent target of business email compromise (BEC) groups seeking to divert payments, which is the third most common incident type.
Limited in-house expertise was the second-most common operational driver of compromise (45%), followed by gaps in protection coverage (44%). Without the right skills and coverage, retailers struggle to detect and neutralize attacks.
Alongside these challenges, there are also signs of progress. The percentage of attacks stopped before encryption reached a five-year high, indicating that retail organizations are improving their ability to detect and neutralize attacks swiftly.
The data encryption rate is at its lowest level in five years, with only 48% of attacks now resulting in data encryption.
While the average retail ransom payment has risen by 5% ($1 million in 2025, up from $950,000 in 2024), the average ransom payment is half the average ransom demand, suggesting that retail organizations are becoming more resistant to inflated ransom demands and are potentially seeking expert advice to navigate ransomware attacks.
“In the end, successful security programs are focused on risk management. To assess and manage those risks, retailers must have visibility into the threats they face as well as their assets and their security posture,” said Chester Wisniewski, director, global field CISO, Sophos. “Organizations that combine strong asset management and patching with Managed Detection and Response services and managed risk services prevent more and recover faster, taking a proactive approach in their cyber defenses.”
Findings also show that data encryption is falling, but adversaries are adapting: Although data encryption rates were at their lowest level in five years, adversaries are adapting as the proportion of retailers hit by extortion-only attacks has tripled, rising from 2% in 2023 to 6% in 2025.
Backup rates are falling as 62% of retailers who experienced attacks restored their data using backups, the lowest rate in four years.
Retailers are resisting ransom demands and only 29% of retailers said their payment matched the initial demand. Also, 59% paid less than the initial ask, while 11% paid more.
Recovery costs are on the decline. Encouragingly, the average (mean) cost of recovering from a ransomware attack, excluding any ransom payment, has dropped by 40% over the past year to $1.65M, its lowest point in three years.
Ransomware attacks directly impacted teams. Almost half (47%) of retail IT/cybersecurity teams reported increased pressure after experiencing data encryption, while one quarter of cases (26%) saw leadership teams replaced as a result.
