Some 361 retail respondents have cited improved cyber resilience with fewer attacks encrypting data, and faster recovery in 2024/2025.

Based on a Jan – Mar 2025 vendor-agnostic survey of 361 retail IT and cybersecurity leaders from organizations with 100 to 5,000 employees across 16 countries on ransomware incidents up to 12 months prior, one cybersecurity firm has shared some findings among retailers with the media.

First, 46% of retail ransomware incidents in the survey were traced by respondents to an unknown security gap at the time of the attack.

Second, 58% of respondents who had witnessed data encryption in ransomware incidents had indicated their organizations had paid the ransom^ to recover their data.

Other findings
Third, 30% of attacks experienced by respondents were found to have exploited known vulnerabilities, cited as the leading technical root cause in similar surveys* commissioned by the same firm. Also:

  • 48% of respondents cited that ransomware attacks resulted in data encryption, a rate that is lower than that reported in the last five years of surveys by the cybersecurity firm.
  • The median ransom demand was US$2m, while the average ransom payment was US$1m.
  • 62% of respondents reported restoring data from backups following an attack, marking the lowest backup usage rate in four years.
  • Among respondents that had cited their organizations caving in to ransom demands, 29% indicated the ransom amount paid matched the initial demand, while 59% had paid less, and 11% had reported paying more.
  • Respondents’ estimates put the average cost of recovery from attacks (excluding ransom payments) had fallen 40% over three years to reach US$1.65m, compared to higher sums in three previous yearly surveys* by the same cybersecurity firm.
  • 47% of IT and cybersecurity teams among the respondents had reported increased pressure following data encryption events, and 26% of respondents had noted leadership team replacements after incidents.

According to Chester Wisniewski, Director/Global field CISO, Sophos, the firm that has been commissioning the yearly cyber survey of global retail industries, “retailers must have visibility into the threats they face, as well as their assets and their security posture,” and that retailers that combine strong asset management and patching with well-managed cyber risk management services likely “prevent more and recover faster.”

*Readers should note the limitations of comparing survey data across time for “year-over-year juxtaposition” that require full disclosure of every year’s methodological parameters

^ Ransom payment options are influenced not only by technical and operational factors but also by jurisdictional legal frameworks in the countries involved in the survey: Australia, Belgium, Brazil, Canada, China, France, Germany, Italy, Japan, Netherlands, Singapore, Spain, Sweden, the United Arab Emirates, the UK and the US