Retail Ransomware Demands Double to $2M — Why Ransomware Cyber Insurance Matters Now


Retail ransomware attacks have been in the news. Co-op’s shutdown exposed a coverage gap: it carried no cyber insurance. Marks & Spencer, which was insured, saw its statutory profit plunge 99% to £3.4m and received £100m in insurance payments. Sam’s Club (Walmart), Victoria’s Secret, Dollar Tree; the list could go on. Sophos’ new report, “State of Ransomware in Retail 2025,” lands amid this fallout. It finds median demands of $2 million, 58% of victims paying, and 46% of incidents traced to unknown security gaps.

Visibility Gaps Still Open Doors

Sophos finds that unknown security gaps sparked 46% of retail incidents. Limited in-house expertise contributed to 45% of cases. Gaps in protection influenced 44% of attacks. These operational drivers compound technical flaws across sprawling store networks and suppliers.

For the third straight year, exploited vulnerabilities led as the top technical root cause at 30%. Attackers still hammer remote access and edge devices. Email threats and credential theft remain stubborn vectors.


“Adversaries are constantly exploiting existing vulnerabilities, especially in remote access and internet-facing equipment.” That warning, paired with calls for comprehensive defenses, frames the sector’s challenge this year.

Ransom Demands Double; Payments Edge Up Slightly

Median ransom demands doubled to $2 million in 2025. The share of demands above $5 million rose sharply. Yet the median payment increased only 5% to $1 million. Retailers paid about 81% of what attackers initially demanded; many negotiated reductions.

Only 29% paid the first demand in full; 59% paid less, and 11% paid more. Several cited third-party negotiation and “discounts” offered by attackers for quick payment. Media or law enforcement pressure also moved the number.

Encryption Falls; Extortion-Only Attacks Rise

Data encryption fell to a five-year low, accounting for 48% of retail attacks. In 2023, it peaked at 71%. Retailers are stopping more attacks before encryption triggers.

Attackers adjusted. Extortion-only attacks tripled to 6%. Adversaries threaten to leak stolen data even when encryption fails. In 29% of the attacks that involved encryption, data was also exfiltrated.

“Data encryption is at its lowest level in five years.” The report credits earlier detection, stronger rollback, and better containment.


Backups Slip; Recovery Still Improves

Of retailers whose data was encrypted, 98% recovered it. 62% restored from backups, the lowest rate in four years, while 58% paid to get data back, the second-highest payment rate in five years. Many used multiple recovery methods, including both backups and decryption keys.

Average recovery cost fell 40% to $1.65 million, excluding any ransom. Recovery was also faster: 51% fully recovered within a week, up from 46%.

Human Pressure Spikes After Encryption

Teams felt the heat. 47% reported increased pressure from leaders. 43% cited higher stress and ongoing workload. 37% reported stress-related absences. 26% saw leadership changes. These numbers confirm the human cost behind each store reopening.

Insurance Shapes Outcomes in Retail

Retailers with Ransomware Cyber Insurance tapped rapid incident response, legal guidance, and negotiation support. Marks & Spencer’s insured posture aligned with faster service restoration. Co-op, uninsured at the time of its recent attack, faced slower and costlier recovery. Insurance requirements now push retailers toward stronger controls: patching, EDR, and 24/7 monitoring.


Insurers also scrutinize readiness. Carriers expect tested backups, segmented access, and multi-factor authentication. Weak controls can raise premiums or restrict coverage. That feedback loop encourages resilience before an attack lands.


Threat Actors Keep Up the Pressure

Sophos X-Ops tracked nearly 90 ransomware or extortion groups targeting retailers across leak sites. High-tempo actors included Akira, Cl0p, Qilin, PLAY, and Lynx. After ransomware, account compromise ranked second. Business email compromise followed closely. These patterns match strong incentives around payment flows and exposed third-party connections.

What the Report Suggests Now

Sophos recommends four priorities: prevention, protection, detection and response, and planning. Teams should remove root causes, defend every endpoint, test incident plans, and monitor continuously. “Organizations that combine strong asset management and patching with MDR prevent more and recover faster.”
