Cybersecurity leader, Sophos, in its fifth yearly State of Ransomware in Retail report, a vendor-agnostic survey of IT and cybersecurity leaders across 16 countries, has revealed that nearly half (46 per cent) of retail ransomware incidents were traced to an unknown security gap, underscoring ongoing visibility challenges across the retail attack surface.

Among organisations that had data encrypted, 58 per cent paid the ransom to get their data back – the second highest payment rate in five years.

It revealed that while 46 per cent of attacks began with an unknown security gap (top operational factor, 30 per cent of these attacks exploited known vulnerabilities (top technical root cause, third year running).

Sophos claimed that median ransom demand doubled to $2 million from 2024; average payment increased five per cent to $1 million.

In the past year, the Sophos X-Ops has observed nearly 90 distinct threat groups target one or more retailers with ransomware or extortion across leak sites. The most active groups Sophos has tracked from incident response and MDR cases are Akira, Cl0p, Qilin, PLAY, and Lynx. After ransomware, account compromise was the second most common incident type seen against retailers. And like many industries, retail is a consistent target of business email compromise (BEC) groups seeking to divert payments, which is the third most common incident type.

Director, Global Field CISO, Sophos, Chester Wisniewski, said: “Retailers globally are facing a more complex threat landscape where adversaries are constantly on the lookout for and exploiting existing vulnerabilities, most frequently in remote access and Internet-facing networking equipment. Now, with ransom demands reaching new highs, the need to implement comprehensive security strategies is even more apparent. Without this, retailers risk ongoing operational disruption and lasting reputational damage that could take years to repair. Encouragingly, many are beginning to recognise this and respond by investing in their cyber defences, enabling them to stop attacks before they escalate and recover faster.”

Further, Sophos claimed that limited in-house expertise was the second-most common operational driver of compromise (45 per cent), followed by gaps in protection coverage (44 per cent). It stressed that without the right skills and coverage, retailers struggle to detect and neutralise attacks.

Alongside these challenges, there are also signs of progress. According to Sophos, the percentage of attacks stopped before encryption reached a five-year high, indicating that retail organisations are improving their ability to detect and neutralise attacks swiftly. The data encryption rate is at its lowest level in five years, with only 48 per cent of attacks now resulting in data encryption.

While the average retail ransom payment has risen by five per cent ($1 million in 2025, up from $950k in 2024), the average ransom payment is half the average ransom demand, suggesting that retail organisations are becoming more resistant to inflated ransom demands and are potentially seeking expert advice to navigate ransomware attacks.

“In the end, successful security programmes are focused on risk management. To assess and manage those risks, retailers must have visibility into the threats they face as well as their assets and their security posture. Organisations that combine strong asset management and patching with Managed Detection and Response services and managed risk services prevent more and recover faster, taking a proactive approach in their cyber defences,” Sophos stated.

It further noted that data encryption is falling, but adversaries are adapting, saying that although data encryption rates were at their lowest level in five years, adversaries are adapting as the proportion of retailers hit by extortion-only attacks has tripled, rising from two per cent in 2023 to six per cent in 2025.

Sophos stressed that backup rates are falling. It noted that 62 per cent of retailers, who experienced attacks, restored their data using backups, the lowest rate in four years.

The report revealed that retailers are resisting ransom demands. According to it, looking closely at demands against payments, only 29 per cent of retailers said their payment matched the initial demand. 59 per cent paid less than the initial ask, while 11 per cent paid more.

Based on its experience protecting retail organisations worldwide, Sophos recommended some best practices to help businesses stay ahead of ransomware and other cyber threats.

The firm advised businesses and individuals to take proactive steps to address common technical and operational weaknesses—such as exploited vulnerabilities—that adversaries frequently target.

Sophos recommended that all endpoints, including servers, be protected with dedicated anti-ransomware defences to prevent attacks from gaining a foothold.