Hackers hit retail weak points as 58% of victims pay ransom – Report

hackers

By Chinenye Anuforo

More than half of retail companies hit by ransomware attacks paid hackers to recover their data in 2025, even as ransom demands doubled, a new report by cybersecurity firm Sophos has revealed.

According to the State of Ransomware in Retail 2025, 58 per cent of retailers whose data was encrypted paid the ransom , the second-highest payment rate in five years. The study also showed that 46 per cent of ĺransomware incidents originated from security gaps organisations did not know existed.

The survey, which polled 361 IT and cybersecurity leaders across 16 countries between January and March 2025, found that 30 per cent of attacks exploited previously known vulnerabilities, marking the third consecutive year this has remained the leading technical cause of breaches.

Sophos disclosed that the median ransom demand jumped to $2 million in 2025, up from $1 million in 2024, while the average ransom paid increased five per cent to $1 million.

Despite the rise in demands, 59 per cent of affected retailers negotiated lower payments, 29 per cent paid the exact sum requested, and 11 per cent paid more than the original demand.

The report identified at least 90 ransomware groups targeting the retail sector, with Akira, Cl0p, Qilin, PLAY and Lynx among the most active. Account compromise and business email compromise (BEC) were the second and third most common cyber incidents affecting retailers.

Chester Wisniewski, Director and Global Field CISO at Sophos, said attackers are increasingly targeting internet-facing systems and remote access points used by retailers.

“Ransom demands are reaching new highs, and without better visibility and security coverage, retailers will continue to face operational disruption and long-term reputational damage,” Wisniewski said.

The report also flagged cybersecurity staffing challenges, noting that 45 per cent of breaches were linked to limited in-house expertise, while 44 per cent were tied to gaps in security coverage.

While ransom payments persisted, some improvements were recorded. The percentage of attacks that resulted in data encryption dropped to 48 per cent, the lowest in five years. Attacks stopped before encryption reached a five-year high, indicating improved detection and response capabilities.

However, reliance on backups declined for the fourth consecutive year, with only 62 per cent of retailers restoring data from backups, the lowest rate since 2021.

The report also showed a 40 per cent reduction in recovery costs, excluding ransoms, with average remediation expenses falling to $1.65 million, the lowest in three years.

Nearly half (47 per cent) of retail cybersecurity teams reported increased internal pressure following an attack, while 26 per cent of organisations replaced senior leadership after incidents.

Sophos warned of a shift in attack strategy, with extortion-only attacks tripling from two per cent in 2023 to six per cent in 2025.

To strengthen defences, the firm advised retailers to patch vulnerabilities faster, secure endpoints, deploy continuous threat monitoring, test incident response plans, and adopt Managed Detection and Response (MDR) services for round-the-clock surveillance.

Breaking news & top stories

Stay connected with The Sun Newspaper

Get breaking news, exclusive stories, and live updates delivered straight to your phone. Join thousands of readers already following us on Whatsapp Channel and Telegram.

Breaking news & top stories

Follow The Sun Newspaper

Get live updates & exclusive stories delivered straight to your phone.

Breaking news & top stories

Stay connected with The Sun Newspaper

Get breaking news, exclusive stories, and live updates delivered straight to your phone. Join thousands of readers already following us on Whatsapp Channel and Telegram.