Sophos report highlights 58% of retailers paid ransomware demands
Ransom demands double and payments increase; nearly half of retailers traced their ransomware incidents to security gaps they were unaware existed.
OXFORD, United Kingdom, Nov. 04, 2025 -- Sophos released its fifth annual State of Ransomware in Retail report, highlighting significant findings from a vendor-agnostic survey of IT and cybersecurity leaders across 16 countries. This year's report identified that 46% of retail ransomware incidents originated from unknown security gaps—a continued challenge in understanding retail cybersecurity risks. Additionally, 58% of organizations that faced data encryption paid the ransom, marking the second highest payment rate in five years.
Key Findings from the Report
- 46% of attacks began with an unknown security gap (top operational factor).
- 30% of attacks exploited known vulnerabilities (the top technical cause for the third consecutive year).
- 58% of victims with encrypted data paid; 48% of attacks resulted in encryption (five-year low).
- Median ransom demand increased to $2 million compared with 2024; the average payment rose 5% to $1 million.
What Sophos Observed in Retail
Over the past year, Sophos X-Ops noted nearly 90 distinct threat groups targeting retailers with ransomware or extortion incidents. Among the most active groups were Akira, Cl0p, Qilin, PLAY, and Lynx. After ransomware, account compromise was the second most prevalent incident category, with Business Email Compromise (BEC) also a notable threat.
Chester Wisniewski, director, global field CISO at Sophos, noted the complexity of the threat landscape for retailers. “Retailers globally are facing more complex threats, with adversaries exploiting vulnerabilities in networking equipment and remote access systems. The escalation of ransom demands has made comprehensive security strategies critical for operational integrity and reputation management,” said Wisniewski.
Limited in-house expertise was identified as the second most common operational driver of compromises, cited by 45% of respondents, with 44% citing gaps in protection coverage. Despite these challenges, there are indications of progress: the proportion of attacks stopped prior to data encryption reached a five-year high.
The report revealed that while the average ransom payment increased by 5% in 2025, retailers exhibited greater resilience against ransom demands, with many opting to pay less than initially requested. Organizations are advised to adopt a risk management approach, ensuring visibility and robust asset management alongside patching and detection services for enhanced security posture.
According to the State of Ransomware in Retail 2025 Report
- Data encryption rates are falling: Attackers are adapting, with extortion-only attacks tripling from 2% to 6%.
- Backup restoration rates have dropped: 62% of retailers restored data from backups, the lowest in four years.
- Resistance to ransom demands is increasing: 29% of retailers' payments matched the initial ransom, while most paid less than requested.
- Recovery costs are declining: The average recovery cost dropped by 40% to $1.65 million.