Sophos’ latest annual study explores the real-world ransomware experiences of 361 retail organizations that were hit by ransomware in the past year. The report examines how the causes and consequences of these attacks have evolved over time.
This year’s edition also sheds new light on previously unexplored areas, including the organizational factors that left retailers exposed and the human toll ransomware takes on retail IT and cybersecurity teams.
Download the report to explore the full findings.
Exploited vulnerabilities, unknown security gaps, and limited expertise underpin the main root causes of attacks
For the third year running, retail victims identified exploited vulnerabilities as the most common technical root cause of attack, used in 30% of incidents.
Multiple organizational factors contribute to retail organizations falling victim to ransomware. The most common is unknown security gaps, named by close to half (46%) of victims, followed very closely by a lack of expertise, which was a contributing factor in 45% of attacks, the highest rate recorded of any sector surveyed.
[Figure: Organizational root cause of attacks in retail]
Data encryption falls to a five-year low, while thwarted encryption attempts hit a record high
Data encryption in the retail sector has dropped to its lowest level in five years, with fewer than half (48%) of attacks resulting in encryption, down from a peak of 71% in 2023. In line with this trend, the percentage of attacks stopped before encryption reached a five-year high, indicating that retail organizations are strengthening their defenses.
However, adversaries are adapting: the proportion of retailers hit by extortion-only attacks (where data wasn’t encrypted but a ransom was still demanded) has tripled, rising from 2% in 2023 to 6% in 2025.
[Figure: Data encryption in retail | 2021 – 2025]
Rising ransom payment rates and declining backup use signal a shift in retail data recovery strategies
The percentage of retailers paying the ransom to recover data has nearly doubled since 2021 (from 32% to 58% in 2025, well above the 49% cross-sector average). Backup use is at a four-year low; although backups are still marginally more common than ransom payments, the narrowing gap suggests a greater reliance on multiple or alternative recovery methods.
[Figure: Recovery of encrypted data in retail | 2021 – 2025]
Ransom demands soar, but retailers stand firm
The average (median) ransom demand made to retail organizations has doubled in the past year, reaching $2M in 2025 compared to $1M in 2024. This sharp increase is largely driven by a 59% rise in the proportion of demands exceeding $5M, which grew from 17% in 2024 to 27% in 2025. Despite this, the median ransom payment has increased by just 5%, from $950K in 2024 to $1M in 2025, indicating that retailers are showing greater resistance to inflated demands.
Encouragingly, the average (mean) cost of recovering from a ransomware attack, excluding any ransom payment, has dropped by 40% over the past year to $1.65M, its lowest point in three years.
These trends suggest that, while threat actors are demanding more, retail organizations are becoming more resilient by improving recovery processes and potentially holding firmer in ransom negotiations.
Ransomware attacks place significant pressure on retail IT/cybersecurity teams from senior leadership
The survey makes clear that having data encrypted in a ransomware attack has significant repercussions for IT/cybersecurity teams in the retail sector, with increased pressure from senior leaders cited by close to half (47%) of respondents. Other repercussions include (but are not limited to):
- Increased anxiety or stress about future attacks — cited by 43%.
- Staff absences due to stress/mental health issues — cited by 37%.
- Feelings of guilt that the attack was not stopped — cited by 34%.
Download the full report for more insights into the human and financial impacts of ransomware on the retail sector.
About the survey
The report is based on the findings of an independent, vendor-agnostic survey commissioned by Sophos of 3,400 IT/cybersecurity leaders across 17 countries in the Americas, EMEA, and Asia Pacific, including 361 from the retail sector. All respondents represent organizations with between 100 and 5,000 employees. The survey was conducted by research specialist Vanson Bourne between January and March 2025, and participants were asked to respond based on their experiences over the previous year.