46% of retail hacks linked to security gaps, finds Sophos


With UK retailers like M&S and Co-op only just beginning to get back on their feet following a wave of crippling cyber-attacks against the retail sector, a new report from Sophos has shed light on previously unexplored causes and consequences of these attacks. 

Despite the unquestionable increase in the sophistication of hackers, the cybersecurity firm’s latest report, The State of Ransomware in Retail 2025, lays part of the blame on retailers themselves, finding that multiple operational factors contribute to these organisations falling victim to ransomware.

After polling more than 360 retail businesses hit by ransomware in the past year, Sophos found that unknown security gaps contributed to almost half (46%) of cyber-attacks, with retail victims identifying exploited vulnerabilities as the most common technical root cause of attack, used in 30% of incidents.

These issues are compounded by a distinct lack of security expertise, a factor in 45% of ransomware incidents, and a lack of adequate protection, with 67% of victims admitting that poor-quality protection systems had been unable to stop an attack.

Aside from the readiness issues, Sophos also found that retailers are unprepared for recovery, even in the face of growing threats.

According to the report, the use of backups by retailers to restore encrypted data has fallen to the lowest rate in four years, making it unsurprising that more retailers are paying ransoms to recover data. 

While 98% of retailers said they had managed to recover their data, the share of victims paying a ransom has nearly doubled since 2021, rising from 32% to 58% this year, even though the rate of data encryption in the retail sector is at its lowest level in five years.

However, there is a slight silver lining: comparing demands with payments, Sophos found that only 29% of retailers said their payment matched the initial demand, over half (59%) handed over less than the attackers asked for, and just 11% paid more.

Meanwhile, the average cost of recovery has also dropped, falling by 40% to $1.65 million (£1.2m), and retailers are also recovering faster, with 51% recovered within a week in 2025, up from 46% in 2024. 

While the figures suggest that retailers are beginning to strengthen their operations and bottom line, Sophos’ data shows that they should also consider the human impact of ransomware.

Every retailer hit by an attack reported direct repercussions for its IT and security teams, including more pressure from senior leaders (47%), a spike in workloads (43%), and a spate of absences due to stress and mental health problems (37%).

More than two-fifths (41%) of retailers said they were forced to restructure their teams as a consequence of ransomware, while 26% went as far as replacing leadership.  

“Although retail organisations have experienced several changes in their encounters with ransomware over the last year, it remains a significant threat,” concludes the report.

“As adversaries continue to iterate and evolve their attacks, it’s essential that defenders and their cyber defences keep pace with ransomware and other threats.”
