More than half of retail organizations affected by ransomware attacks paid the ransom to recover their data, according to a new report from cybersecurity firm Sophos. The 2025 State of Ransomware in Retail report found that 58% of victims with encrypted data chose to pay, one of the highest rates in the past five years.
The report is based on a global survey of 361 IT and cybersecurity leaders. It shows that while only 48% of attacks led to data encryption (a five-year low), ransom demands have grown. The median demand doubled to $2 million, and the average payment rose to $1 million.
Sophos also found that 46% of attacks started from unknown security gaps, making visibility a major concern. Known vulnerabilities remained the top technical cause for the third year in a row.
Retailers continue to be prime targets for ransomware groups like Akira, Cl0p, and PLAY. Extortion-only attacks, in which data is not encrypted but attackers threaten to leak it, have tripled since 2023.
Most retailers didn’t pay the full amount demanded. Only 29% matched the initial ask, while 59% paid less and 11% paid more.
Sophos recommends stronger endpoint protection, better patching, and 24/7 monitoring to help retailers detect threats early and recover faster.