Ransomware remains one of the biggest operational risks for retailers, but the latest data shows a shift in how these attacks unfold. Fewer incidents now lead to data encryption, recovery costs have dropped, and businesses are bouncing back faster. Yet attackers are demanding more money, and security teams are feeling the strain.
These findings come from the State of Ransomware in Retail 2025 report by Sophos, based on a global survey of 361 retail IT and cybersecurity leaders whose organizations were hit by ransomware in the past year. The results point to progress in resilience but also show where retail security programs still fall short.
Exploited vulnerabilities still lead the way
Exploited vulnerabilities remain the top technical entry point for attackers, cited in about a third of incidents. Compromised credentials and phishing followed closely.
Respondents also blamed organizational weaknesses. Nearly half said their company had an unknown security gap, and a similar share pointed to limited in-house expertise. Others said they lacked the right protection tools. The findings suggest that retailers face layered challenges involving both technology and people, not just software flaws.
Chart: Why do you think your organization fell victim to the ransomware attack? (Source: Sophos)
Fewer encryptions, more extortion
The share of ransomware attacks that successfully encrypted data fell to 48%, the lowest level in five years. This suggests that detection and response capabilities are improving.
At the same time, criminals are adopting new pressure tactics. Extortion-only attacks, where data is not encrypted but victims are still forced to pay, have increased. Data theft also remains a steady concern. Among those whose data was encrypted, 29% said information was also stolen.
While the share of attacks that reach the encryption stage is falling, the rise in exfiltration and extortion means retailers cannot take much comfort from the lower numbers.
Demands double, payments hold steady
Ransom demands have doubled year over year, reaching a median of two million dollars. Despite that increase, the median payment rose only slightly to one million dollars, suggesting that companies are resisting inflated demands or negotiating lower settlements.
On average, retail victims paid about 81% of what was demanded, down from 85% a year earlier. Most said they paid less than the original demand.
Nearly all organizations that lost data were able to recover it through backups, payments, or other methods. Backup use has dipped slightly, but retailers still rank among the industries most likely to rely on them.
“Now, with ransom demands reaching new highs, the need to implement comprehensive security strategies is even more apparent. Without this, retailers risk ongoing operational disruption and lasting reputational damage that could take years to repair. Encouragingly, many are beginning to recognize this and respond by investing in their cyber defenses, enabling them to stop attacks before they escalate and recover faster,” says Chester Wisniewski, director, global field CISO, Sophos.
Recovery costs drop
The average cost to recover from ransomware, excluding ransom payments, fell by about 40% from the previous year to roughly 1.6 million dollars, the lowest in three years.
Recovery speed has improved as well. About half of retail organizations were back to normal within a week, and most recovered within three months. These improvements suggest that investments in response planning and recovery processes are delivering results.
Still, the financial burden remains significant. Even when ransom payments are avoided, downtime, staff hours, and repair costs continue to accumulate.
The human cost of attacks
Every retailer affected by encryption reported consequences for its IT or security team. Nearly half said senior leadership pressure increased. Many also cited higher stress, heavier workloads, and internal changes after an incident.
About one in four teams saw leadership replaced following a ransomware event. A similar share reported staff absences linked to stress or mental health issues. These findings show that ransomware is not only a technical issue but also a human one that can reshape teams long after systems are restored.
