At the same time, the encryption rate is at a five-year low (48%) and recovery costs are decreasing. The common thread: visibility of the attack surface and basic hygiene lag behind – precisely where attackers gain access. In practice, the playing field shifts from 'just encryption' to a mix of encryption and exfiltration, with more pressure on decision-making. This article outlines the figures, causes, and measures, focusing on what works for retail organizations.
The playing field in numbers
The numbers tell a shifting story. Retail is less often completely 'locked down', but the game shifts to pressure through data leaks and reputation – this shift in retail mirrors the rise in ransomware attack attempts in other sectors. At the same time, demands are rising faster than actual payments, while recovery is becoming faster and cheaper on average – provided visibility, patching, and basic security are in order. The main points are listed below; they place the later recommendations in context:
- Technical root cause (3rd year in a row): exploited vulnerabilities (30%).
- Operational #1 issue: unknown security gaps (46%), followed by lack of expertise (45%) and gaps in protection (44%).
- Data outcome: 48% of attacks lead to encryption (lowest in 5 years).
- Exfiltration: in 29% of encryption cases, data has also been exfiltrated.
- Recovery: 98% eventually recover; backups used in 62% (lowest in 4 years).
- Demands vs. payments: median demand $2M, median payment $1M (+5% y/y); 29% pay exactly the demand, 59% less, 11% more.
- Business impact: recovery costs decrease 40% to $1.65M; 51% recover within a week.
In short: the attack pressure shifts from 'just encryption' to 'encryption + exfiltration', while the defense side mainly wins where visibility and response speed improve.
Data map
To quickly see where the pain and the progress lie, we bundle the key figures at a glance. Read this map as a dashboard with three blocks: causes → data outcomes → financial pressure & recovery. We present them in this order from top to bottom.
Data map – ransomware in retail in 8 figures
- 46% unknown security gaps
- 30% exploited vulnerabilities
- 48% encryption outcome
- 29% exfiltration
- $2M median ransom demand
- 58% pay
- 62% recovery via backups
- $1.65M recovery costs
Tip for the reader: use these eight values as a 'quick sanity check' on your own posture – particularly note the combination of unknown security gaps (46%) ↔ patch priority and the declining role of backups (62%) in recovery.
For a broader threat landscape from the past year – from AI-driven attacks to ransomware, IoT risks, and data leaks – see Cyber threats in 2025: what entrepreneurs need to know.
Where does it go wrong?
Behind most retail incidents are two layers at once: a technical window and an operational gap. Vulnerabilities remain the primary technical access point. Publicly accessible systems and appliances (VPN, RMM, remote access) still form the first breaking point. Additionally, the access pattern is shifting: compromised accounts (26%) and phishing (23%) are gaining ground. The core is known, but often incompletely secured: patching, identity, email, and strictly managed external access.
Operationally, organizations rarely report a single cause; it is about stacking. Without an up-to-date asset overview, priorities remain diffuse, and 'unknown gaps' persist. At the top is the lack of visibility into weak spots (46%). This is exacerbated by skills/capacity shortages (45%) and gaps in protection coverage (44%). This combination slows discovery, prioritization, and mitigation precisely where the pace needs to be highest.
What happens to the data?
The data phase is increasingly the real pressure point. Data encryption is decreasing (48%), but criminals compensate with data exfiltration (29% in encryption cases). This creates pressure to pay, even if recovery seems possible. At the same time, reliance on backups is decreasing (62%), indicating practical barriers during recovery: authorizations, dependencies between systems, integrity checks, and – especially – insufficiently practiced restores. Without a demonstrable, tested recovery path, the 'payment reflex' grows. Those who cannot demonstrate a clear RTO/RPO feel pressure to yield more quickly in practice.
Why does 58% still pay?
Payment behavior is rarely technical; it is organizational and time-critical. The median demand ($2M) and the median payment ($1M) differ, indicating a more assertive crisis approach and negotiations. Yet a majority still pays. Causes: downtime pressure, uncertainty about exfiltration/data leaks, contractual obligations towards customers/suppliers, and doubts about recovery speed. Pre-arranged governance makes the difference here: decision criteria, roles, and communication lines established before a crisis, plus threshold values for decision-making (who can approve what, when, under what conditions).
The role of cyber insurance in incident costs, conditions around ransom, and requirements for your security level will be discussed in The necessity and usefulness of cyber insurance: worth investigating.
Mini-table: demands vs. payments (figures as reported above):
- Median ransom demand: $2M
- Median ransom payment: $1M (+5% y/y)
- Paid exactly the demand: 29%
- Paid less than the demand: 59%
- Paid more than the demand: 11%
Impact on teams and management
Ransomware is not just technology, but also organizational science. Decision-making and communication under time pressure determine the damage in the first 24-72 hours. After encryption, 47% of retail IT/security teams experience more pressure from leadership; in 26% of cases, team leadership is replaced. This requires a practiced incident response process, clear authorities, and psychological safety in the crisis team. Document who speaks (CIO/CISO/PR/legal) and who acts (IR/SOC) – and practice that rhythm. Practicing is not a nice-to-have but a prerequisite.
Who is behind the ransomware in retail?
The names differ with each wave, but the tactics are remarkably consistent. In the past year, nearly 90 different groups have targeted retailers via leak sites (ransomware or pure extortion). Names that frequently recur: Akira, Cl0p, Qilin, PLAY, and Lynx. In addition to ransomware, account compromise and Business Email Compromise (BEC) remain prominent. The common denominator: identity and financial process management remain attractive targets, as does anything accessible from the internet.
Why SMEs and retail companies are so attractive as targets – and how penetration testing helps you stay ahead of your weak spots – is explained in Why hackers increasingly attack SMEs and how you defend yourself.
From reactive to proactive: 8 measures that work against ransomware in retail
This set is directly linked to the pain points from the figures (unknown gaps 46%, exploited vulnerabilities 30%, identity & recovery) and remains vendor-agnostic and technically concrete.
1) Continuous insight into your attack surface (EASM/ASM)
Map all internet-exposed assets (including shadow IT, RMM, remote access, web apps, and third-party integrations). Link ownership and recovery SLAs to risk classes (e.g., 'critical internet-exposed': 24-72 hours). This directly addresses the unknown gaps (46%).
2) Patching & hardening with risk prioritization
Start with externally reachable, actively exploited vulnerabilities. Automate where possible; document exceptions with compensatory controls (WAF, network ACL, feature toggles). This addresses the #1 technical cause (30%).
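As an added illustration of measures 1 and 2 together (example code, not from the original article or the Sophos report), the script below takes a constructed asset/vulnerability inventory and turns it into a patch plan: internet exposure and active exploitation rank above raw CVSS, each risk class carries an SLA, ownerless assets are flagged as 'unknown gaps', and exceptions without a documented compensating control are visible. The SLA bands, the 'actively exploited' feed and the vulnerability ids are assumptions/placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Finding:
    asset: str
    vuln_id: str               # scanner finding id; constructed placeholders below
    internet_exposed: bool     # from the EASM/ASM inventory
    actively_exploited: bool   # from an exploited-vulnerabilities feed (assumed source)
    cvss: float
    owner: Optional[str] = None                 # None = no registered owner: an 'unknown gap'
    compensating_control: Optional[str] = None  # e.g. WAF rule, network ACL, feature toggle

# Assumed SLA bands in hours per risk class. The article gives 24-72 h for
# 'critical internet-exposed'; the two internal bands are illustrative.
SLA_HOURS = {"critical internet-exposed": 24, "internet-exposed": 72,
             "internal exploited": 7 * 24, "internal": 30 * 24}

def risk_class(f: Finding) -> str:
    """Exposure and active exploitation rank above the raw CVSS score."""
    if f.internet_exposed:
        return "critical internet-exposed" if (f.actively_exploited or f.cvss >= 9.0) else "internet-exposed"
    return "internal exploited" if f.actively_exploited else "internal"

def prioritize(findings: List[Finding], discovered: datetime) -> List[dict]:
    """Order findings by patch deadline (earliest first, higher CVSS breaks ties);
    flag ownerless assets and exceptions that still lack a compensating control."""
    rows = []
    for f in findings:
        rc = risk_class(f)
        rows.append({"asset": f.asset, "vuln_id": f.vuln_id, "risk_class": rc,
                     "cvss": f.cvss, "due_hours": SLA_HOURS[rc],
                     "due": discovered + timedelta(hours=SLA_HOURS[rc]),
                     "unknown_gap": f.owner is None,
                     "exception_ok": f.compensating_control is not None})
    rows.sort(key=lambda r: (r["due_hours"], -r["cvss"]))
    return rows

# Constructed sample inventory; vulnerability ids are placeholders, not real CVEs.
SAMPLE = [
    Finding("hr-app", "VULN-PLACEHOLDER-4", False, False, 5.3, owner="hr-it"),
    Finding("shop-web", "VULN-PLACEHOLDER-2", True, False, 7.5),
    Finding("vpn-gw-01", "VULN-PLACEHOLDER-1", True, True, 9.8, owner="network",
            compensating_control="ACL: management only from jump host"),
    Finding("pos-backend", "VULN-PLACEHOLDER-3", False, True, 8.1, owner="retail-it"),
]

def sample_plan(discovered: datetime = datetime(2025, 1, 1)) -> List[dict]:
    return prioritize(SAMPLE, discovered)

if __name__ == "__main__":
    for r in sample_plan():
        print(f'{r["due"]:%Y-%m-%d %H:%M}  {r["risk_class"]:<26} {r["asset"]:<12} '
              f'owner-missing={r["unknown_gap"]} exception-documented={r["exception_ok"]}')
```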
3) Identity-first security
Require MFA (preferably phishing-resistant) for administrators and remote access, minimize local admin rights, apply Just-in-Time/Just-Enough access, and monitor for login anomalies. This reduces the risk of compromised credentials (26%).
4) Email security & measurable awareness
Combine advanced filtering/sandboxing with DMARC/DKIM/SPF policies. Link awareness training to KPIs (report rate, time to remediate) to reduce the share of phishing (23%) as the initial vector.
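As an added example of checking the DMARC/SPF part of this measure (not code from the original article), the script below evaluates a domain's SPF and DMARC TXT records and reports the weak settings beside what an enforcing configuration looks like. The DNS answers are constructed inline so it runs offline; 'shop.example' shows the weak posture, 'store.example' the corrected one.

```python
import re
from typing import Dict, List

# Constructed DNS TXT answers standing in for real lookups (no network needed).
TXT_RECORDS: Dict[str, List[str]] = {
    "shop.example": ["v=spf1 include:_spf.mailhost.example +all"],                    # weak
    "_dmarc.shop.example": ["v=DMARC1; p=none; rua=mailto:dmarc@shop.example"],       # monitor only
    "store.example": ["v=spf1 include:_spf.mailhost.example -all"],                   # enforcing
    "_dmarc.store.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@store.example"],
}

def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' DMARC record into a dict of tags."""
    return {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}

def spf_issues(domain: str) -> List[str]:
    recs = [r for r in TXT_RECORDS.get(domain, []) if r.lower().startswith("v=spf1")]
    if not recs:
        return ["SPF: no record, so any host may send as this domain"]
    if len(recs) > 1:
        return ["SPF: multiple records, which receivers treat as a permanent error"]
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", recs[0])  # the final 'all' mechanism
    qual = m.group(1) if m else None
    if qual is None:
        return ["SPF: no 'all' mechanism, unlisted senders are not rejected"]
    if qual in ("", "+"):
        return ["SPF: '+all' authorizes every sender, equivalent to having no SPF"]
    if qual == "?":
        return ["SPF: '?all' is neutral and offers no protection"]
    if qual == "~":
        return ["SPF: '~all' only softfails; use '-all' once DMARC is enforcing"]
    return []

def dmarc_issues(domain: str) -> List[str]:
    recs = [r for r in TXT_RECORDS.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if not recs:
        return ["DMARC: no record, spoofed mail is neither reported nor blocked"]
    tags, issues = parse_tags(recs[0]), []
    if tags.get("p", "none") == "none":
        issues.append("DMARC: p=none only monitors; move to p=quarantine, then p=reject")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"DMARC: pct={tags['pct']} leaves part of spoofed mail unenforced")
    if "rua" not in tags:
        issues.append("DMARC: no rua address, so there are no aggregate reports to measure with")
    return issues

def assess(domain: str) -> List[str]:
    """All SPF and DMARC findings for a domain; an empty list means enforcing."""
    return spf_issues(domain) + dmarc_issues(domain)
```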
Do you want to translate these measures into concrete training, scans, and a practical program for SME entrepreneurs? Read How to increase the cyber resilience of your SME.
5) Network access and remote tooling on a diet
Close or isolate RDP externally, segment management channels, link remote tooling (RMM/IT support) to MFA and allowlists, and log management actions centrally. Minimize the number of paths through which privilege escalation can occur.
6) Organize 24/7 detection and response
Threats peak outside office hours; EDR/MDR or a mature SOC function is necessary to see and stop lateral movement and exfiltration around the clock. Establish 'authority to act', containment guidelines, and escalation triggers – including coordination with legal and communication.
Who in your organization is the 'first cyber responder' and how to set up that role will be elaborated in The CHV'er: strengthen your digital resilience.
7) Backups that can withstand pressure
Immutable/offline, encrypted, and segmented, with regular recovery tests to application level. Goal: demonstrable RTO/RPO, so you pay less quickly when the pressure rises. The drop in recovery via backups to 62% underscores that many environments are still vulnerable here.
8) Practice incident response with realistic scenarios
Simulate encryption with and without exfiltration, supply chain impact, and customer communication. Document in advance when you start negotiations and when you do not, what you can make public, and how you report to regulators. This shortens recovery time (51% within a week) and reduces recovery costs (average $1.65M, −40% y/y).
Do you want to further elaborate on the human and process side of an attack, with examples of reporting channels, playbooks, and tabletop exercises for crisis teams? Read Preparation for a cyber attack: from alert to action.
Conclusion
The figures show two movements in the area of ransomware in retail: defense works better (less encryption, faster and cheaper recovery), but criminals are asking for more and pressing harder. The strategic choice is therefore 'verify & recover' over 'discussing ransom'. The way out is not a silver bullet, but consistent organization: continuous visibility of your attack surface, risk-driven patching and hardening, identity and email security at the right level, 24/7 detection, and a practiced recovery and decision-making process. Those who have that in order pay less quickly and recover faster – even as demands continue to rise.
Do you fall (soon) under NIS2 and want supply chain security to be more than just paper? In What does supply chain security mean for NIS2? we delve deeper into realistic requirements for suppliers and how to avoid false security.
Methodology
The research on ransomware in retail is based on The State of Ransomware in Retail 2025: independent, vendor-agnostic research by Sophos among 361 IT and security leaders in 16 countries (Jan-Mar 2025). Amounts in USD.