OXFORD, U.K. — novembre 4, 2025 —

Sophos, a global leader of innovative security solutions for defeating cyberattacks, today released its fifth annual Sophos State of Ransomware in Retail report, a vendor-agnostic survey of IT and cybersecurity leaders across 16 countries. This year’s report reveals that nearly half (46%) of retail ransomware incidents were traced to an unknown security gap, underscoring ongoing visibility challenges across the retail attack surface. Among organizations that had data encrypted, 58% paid the ransom to get their data back – the second highest payment rate in five years.

Key Findings from the report

  • 46% of attacks began with an unknown security gap (top operational factor)
  • 30% of attacks exploited known vulnerabilities (top technical root cause, third year running)
  • 58% of victims with encrypted data paid; 48% of attacks resulted in encryption (five-year low)
  • Median ransom demand doubled to $2 million from 2024; average payment increased 5% to $1 million

What Sophos is Seeing in Retail

In the past year, the Sophos X-Ops has observed nearly 90 distinct threat groups target one or more retailers with ransomware or extortion across leak sites. The most active groups Sophos has tracked from incident response and MDR cases are Akira, Cl0p, Qilin, PLAY, and Lynx. After ransomware, account compromise was the second most common incident type seen against retailers. And like many industries, retail is a consistent target of business email compromise (BEC) groups seeking to divert payments, which is the third most common incident type.

“Retailers globally are facing a more complex threat landscape where adversaries are constantly on the lookout for and exploiting existing vulnerabilities, most frequently in remote access and internet facing networking equipment. Now, with ransom demands reaching new highs, the need to implement comprehensive security strategies is even more apparent. Without this, retailers risk ongoing operational disruption and lasting reputational damage that could take years to repair. Encouragingly, many are beginning to recognize this and respond by investing in their cyber defenses, enabling them to stop attacks before they escalate and recover faster,”says Chester Wisniewski, director, global field CISO, Sophos.

Limited in-house expertise was the second-most common operational driver of compromise (45%), followed by gaps in protection coverage (44%). Without the right skills and coverage, retailers struggle todetect and neutralize attacks.

Alongside these challenges, there are also signs of progress. The percentage of attacks stopped before encryption reached a five-year high, indicating that retail organizations are improving their ability to detect and neutralize attacks swiftly.The data encryption rate is at its lowest level in five years, with only 48% of attacks now resulting in data encryption.

While the average retail ransom payment has risen by 5% ($1m in 2025, up from $950k in 2024), the average ransom payment is half the average ransom demand, suggesting that retail organizations are becoming more resistant to inflated ransom demands and are potentially seeking expert advice to navigate ransomware attacks.

“In the end, successful security programs are focused on risk management. To assess and manage those risks, retailers must have visibility into the threats they face as well as their assets and their security posture. Organizations that combine strong asset management and patching with Managed Detection and Response services and managed risk services prevent more and recover faster, taking a proactive approach in their cyber defenses.”

According to the State of Ransomware in Retail report 2025

  • Data encryption is falling, but adversaries are adapting: Although data encryption rates were at their lowest level in five years, adversaries are adapting as the proportion of retailers hit by extortion-only attacks has tripled, rising from 2% in 2023 to 6% in 2025.
  • Backup rates are falling: 62% of retailers who experienced attacks restored their data using backups, the lowest rate in four years.
  • Retailers are resisting ransom demands: Looking closely at demands vs. payments, only 29% of retailers said their payment matched the initial demand. 59% paid less than the initial ask, while 11% paid more.
  • Recovery costs are on the decline: Encouragingly, the average (mean) cost of recovering from a ransomware attack, excluding any ransom payment, has dropped by 40% over the past year to $1.65M, its lowest point in three years.
  • Ransomware attacks directly impacted teams: Almost half (47%) of retail IT/cybersecurity teams reported increased pressure after experiencing data encryption, while one quarter of cases (26%) saw leadership teams replaced as a result.

Strengthening Defenses for the Long Term

Based on its experience protecting retail organizations worldwide, Sophos recommends the following best practices to help businesses stay ahead of ransomware and other cyberthreats:

  • Eliminate Root Causes: Take proactive steps to address common technical and operational weaknesses—such as exploited vulnerabilities—that adversaries frequently target. Solutions like Sophos Managed Risk can help organizations assess their exposure and reduce risk across their environments.
  • Defend Every Endpoint: Ensure all endpoints, including servers, are protected with dedicated anti-ransomware defenses to prevent attacks from gaining a foothold.
  • Plan and Prepare: Establish and routinely test a comprehensive incident response plan. Maintain reliable backups and practice data restoration regularly to minimize downtime in the event of an attack.
  • Monitor Around the Clock: Continuous visibility is essential. Organizations without in-house resources can strengthen their resilience by partnering with a trusted Managed Detection and Response (MDR) provider for 24/7 threat monitoring and expert response.

Methodology

Data for the State of Ransomware in Retail 2025 report comes from a vendor-agnostic survey of 361 retail IT and cybersecurity leaders in organizations with 100-5,000 employees across 16 countries, conducted January – March 2025. All respondents experienced ransomware in the previous 12 months. Sophos will be releasing additional industry findings throughout the year.

Download the full State of Ransomware in Retail 2025 report on Sophos.com.

Learn how MDR can neutralize attacks like ransomware in real-time by registering for the webinar Behind the Shield: Real-World Stories of Thwarted Ransomware Attacks on Sophos.com.

Learn More About

Data for the State of Ransomware in Retail 2025 report comes from a vendor-agnostic survey of 361 retail respondents. The organizations surveyed ranged from 100 – 5,000 employees and across 16 countries. The survey was conducted between January and March 2025, and respondents were asked about their experience of ransomware over the previous 12 months.

À propos de Sophos

Sophos est un leader mondial de la cybersécurité qui protège 600000organisations à travers le monde grâce à une plateforme optimisée par l’IA et à des services fournis par des experts. Sophos accompagne les entreprises, quel que soit leur niveau de maturité en matière de cybersécurité, et évolue avec elles pour déjouer les cyberattaques. Ses solutions offrent une combinaison optimale entre apprentissage automatique, automatisation et renseignements sur les menaces en temps réel, à laquelle s’ajoute l’expertise humaine de l’équipe Sophos X-Ops, qui travaille en première ligne pour assurer la surveillance, la détection et la réponse aux menaces 24h/24 et 7j/7.
Sophos propose des services managés de détection et de réponse (MDR) de pointe, ainsi qu’un portefeuille complet de technologies de cybersécurité, parmi lesquelles des solutions de sécurité Endpoint, réseau, email et cloud, ainsi que des solutions de détection et de réponse étendues (XDR), de détection et de réponse aux menaces liées à l’identité (ITDR) et de SIEM de nouvelle génération. Associées à des services de conseil spécialisés, ces capacités aident les entreprises à réduire leurs risques de manière proactive et à répondre plus rapidement, tout en bénéficiant de la visibilité et de l’évolutivité nécessaires pour garder une longueur d’avance sur les menaces en constante évolution.
Sophos commercialise ses produits via un écosystème mondial de partenaires, comprenant des fournisseurs de services managés (MSP), des fournisseurs de services de sécurité managés (MSSP), des revendeurs et distributeurs, une marketplace d’intégrations et des partenaires spécialisés dans les cyber risques. Cette stratégie offre aux entreprises la flexibilité nécessaire pour choisir des partenaires de confiance pour protéger leurs opérations.  Le siège de l’entreprise est basé à Oxford, au Royaume-Uni. Plus d’informations sont disponibles sur www.sophos.fr.