Ransom Demands Increasing

Security solutions firm Sophos has released its fifth annual Sophos State of Ransomware in Retail report.  The report, which surveyed IT and cybersecurity leaders across 16 countries, reveals alarming trends in ransomware incidents affecting the retail sector.  The report highlights that nearly half (46%) of retail ransomware incidents were traced back to an unknown security gap, indicating significant visibility challenges within the retail attack surface.[1]

Among organizations that experienced data encryption, more than half paid the ransom to recover their data, marking the second-highest payment rate in five years.

  • 58% of victims with encrypted data paid the ransom, while 48% of attacks resulted in encryption, a five-year low.
  • 46% of attacks began with an unknown security gap, the top operational factor.
  • 30% of attacks exploited known vulnerabilities, the top technical root cause for the third consecutive year.

The median ransom demand doubled to $2 million from 2024, and the average payment increased by 5% to $1 million.  Over the past year, the Sophos X-Ops research unit observed nearly 90 distinct threat groups targeting retailers with ransomware or extortion across leak sites.  The most active groups identified through incident response and Managed Detection and Response (MDR) cases include Akira, Cl0p, Qilin, PLAY, and Lynx.  Following ransomware, account compromise and business email compromise (BEC) were the second- and third-most-common incident types, respectively.

Chester Wisniewski, director, global field CISO at Sophos, stated, "Retailers globally are facing a more complex threat landscape where adversaries are constantly on the lookout for and exploiting existing vulnerabilities, most frequently in remote access and internet-facing networking equipment.  Now, with ransom demands reaching new highs, the need to implement comprehensive security strategies is even more apparent."

Limited in-house expertise (45%) and gaps in protection coverage (44%) were identified as significant operational drivers of compromise.  There are signs of progress; the percentage of attacks stopped before encryption reached a five-year high, suggesting improved detection and neutralization capabilities among retail organizations.

Despite the average ransom payment rising by 5% to $1 million in 2025, it remains half the average ransom demand, indicating a growing resistance to inflated demands and a potential increase in seeking expert advice.

The report notes that while data encryption rates are at their lowest in five years, adversaries are adapting, with the proportion of retailers hit by extortion-only attacks tripling from 2% in 2023 to 6% in 2025.  Additionally, only 62% of retailers who experienced attacks restored their data using backups, the lowest rate in four years.

Only 29% of retailers paid the initially demanded amount, with 59% paying less and 11% paying more.  Encouragingly, the average cost of recovering from a ransomware attack, excluding ransom payments, has dropped by 40% over the past year to $1.65 million, the lowest in three years.

Ransomware attacks have had a direct impact on retail teams, with 47% of IT/cybersecurity teams reporting increased pressure after experiencing data encryption.  Additionally, in 26% of cases, leadership teams were replaced because of these incidents.

Sophos recommends several best practices for retailers to stay ahead of ransomware and other cyberthreats:

  • Eliminate Root Causes: Address common technical and operational weaknesses, such as exploited vulnerabilities, through solutions like Sophos Managed Risk.
  • Defend Every Endpoint: Protect all endpoints, including servers, with dedicated anti-ransomware defenses.
  • Plan and Prepare: Establish and regularly test a comprehensive incident response plan, maintain reliable backups, and practice data restoration.
  • Monitor Around the Clock: Ensure continuous visibility by partnering with a trusted MDR provider for 24/7 threat monitoring and expert response.

These measures are crucial for retailers to manage risks effectively and enhance their cybersecurity posture in an increasingly challenging threat landscape.


This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122


[1] https://www.cybersecurityintelligence.com/blog/ransom-demands-double-as-retailers-struggle-with-the-challenge-8853.html