
The retail sector is facing a severe and complex threat landscape, with nearly half (46%) of all ransomware incidents traced back to an unknown security gap, according to a new report. The findings, published today in the fifth annual Sophos State of Ransomware in Retail report, highlight persistent visibility challenges that cybercriminals are actively exploiting.
The global cybersecurity leader’s report, which surveyed IT and cybersecurity leaders across 16 countries, revealed a sharp escalation in the financial stakes. The median ransom demand doubled to $2 million over the last year, while the average payment increased 5% to $1 million.
This financial pressure is leading to difficult decisions, with 58% of retail victims whose data was encrypted admitting to paying the ransom—the second-highest payment rate recorded in five years.
Despite the rising costs, the report uncovered some signs of progress. Retailers’ defenses appear to be improving, as the percentage of attacks stopped before data could be encrypted reached a five-year high. Consequently, the data encryption rate fell to a five-year low, with only 48% of attacks now resulting in encryption.
However, adversaries are adapting their tactics. As encryption becomes less reliable for attackers, extortion-only attacks, in which data is stolen and a ransom demanded without any encryption taking place, have tripled, rising from 2% in 2023 to 6% in 2025.
The report’s technical analysis identified exploitation of known vulnerabilities as the top technical root cause for the third consecutive year, accounting for 30% of attacks. Operationally, after unknown security gaps, a lack of in-house expertise (45%) and gaps in protection coverage (44%) were the most common drivers of compromise, indicating that many retailers struggle to detect and neutralize attacks without the right skills and tooling in place.
Sophos’s threat-hunting team, Sophos X-Ops, has observed nearly 90 distinct threat groups targeting retailers in the past year. The most active groups tracked in incident response cases include Akira, Cl0p, Qilin, PLAY, and Lynx. After ransomware, account compromise and business email compromise (BEC) attacks were the second and third most common incident types.
“Retailers globally are facing a more complex threat landscape where adversaries are constantly on the lookout for and exploiting existing vulnerabilities, most frequently in remote access and internet-facing networking equipment,” said Chester Wisniewski, director, global field CISO at Sophos. “Now, with ransom demands reaching new highs, the need to implement comprehensive security strategies is even more apparent.”
Wisniewski noted that without this, retailers risk “ongoing operational disruption and lasting reputational damage,” but added that many are beginning to respond by investing in their cyber defenses.
This investment is reflected in a 40% drop in the average cost of recovery (excluding the ransom payment), which now stands at $1.65 million, its lowest point in three years. Retailers are also resisting inflated demands; only 29% of organizations said their payment matched the initial demand, with 59% successfully negotiating a lower sum.
The attacks are taking a significant human toll. Almost half (47%) of retail IT and cybersecurity teams reported increased pressure after an encryption incident, and one-quarter (26%) of cases saw leadership teams replaced as a direct result.
Go to TECHTRENDSKE.co.ke for more tech and business news from the African continent.