The retail industry had the second highest rate of ransomware attacks last year of all sectors surveyed after the media, leisure, and entertainment industry as 77% of retail firms surveyed worldwide were hit, according to the State of Ransomware in Retail 2022 from Sophos.
This was a 75% increase in ransomware attacks against retail compared with 2020, and also 11% more than the cross-sector average attack rate of 66%.
The survey polled 5,600 IT professionals in mid-sized organizations across 31 countries, including 422 respondents from the retail sector.
Chester Wisniewski, principal research scientist at Sophos, said organisations that are successfully defending against these attacks are not just using layered defenses, they are augmenting security with humans trained to monitor for breaches and actively hunting down threats that bypass the perimeter before they can detonate into even bigger problems.
“This year’s survey shows that only 28% of retail organisations targeted were able to stop their data from being encrypted, suggesting that a large portion of the industry needs to improve their security posture with the right tools and appropriately trained security experts to help manage their efforts,” said Wisniewski.
As the percentage of retail firms attacked by ransomware increased, so did the average ransom payment. In 2021, the average ransom payment was $226,044, a 53% increase when compared to 2020 ($147,811). However, this was less than one-third of the cross-sector average ($812,000).
Wisniewski said it’s likely that different threat groups are hitting different industries. Some of the low-skill ransomware groups ask for $50,000 to $200,000 in ransom payments, whereas the larger, more sophisticated attackers with increased visibility demand $1 million or more.
“With Initial Access Brokers (IABs) and Ransomware-as-a-Service (RaaS), it’s unfortunately easy for bottom-rung cybercriminals to buy network access and a ransomware kit to launch an attack without much effort,” he said. “Individual retail stores and small chains are more likely to be targeted by these smaller opportunistic attackers.”
Findings also show that the perceived increase in the volume and complexity of cyberattacks against the retail industry were slightly below the cross-sector average (55% and 55% respectively).
More than nine in 10 (92%) retail firms hit by ransomware said the attack impacted their ability to operate and 89% said the attack caused their organisation to lose business/revenue.
In 2021, the overall cost to retail organisations to remediate a ransomware attack was $1.27 million, down from $1.97 million in 2020.
When compared to 2020, the amount of data recovered after paying the ransom decreased (from 67% to 62%), as did the percentage of retail organisations that got all their data back (from 9% to 5%).
Sophos experts recommend that companies install and maintain high-quality defenses across all points in the environment. Review security controls regularly and make sure they continue to meet the organization’s needs.