Ransomware in Retail 2025: Encryption Falls, Extortion Rises, and the Median Ransom Doubles — Technical Keys to Reduce MTTR

Retail enters the holiday season with a dual diagnosis: improved ability to halt encryption, but economic and operational pressures from cybercrime remain high. The report State of Ransomware in Retail 2025 presents IT and cybersecurity teams with a scenario of insufficient visibility, rising no-encryption extortion tactics, and more aggressive ransom demands. All of this occurs within a sector with tight margins and highly distributed operations.

The snapshot, derived from an independent survey of 361 IT and cybersecurity leaders from retail companies across 16 countries (all of which experienced ransomware in the past 12 months), offers data to inform decisions: 46% of attacks began through a security breach the organization did not know about; 30% exploited known vulnerabilities (the third consecutive year as the primary technical cause); and only 48% ended in data encryption, the lowest rate in five years. On the flip side, “no-encryption” extortion —threatening to publish stolen information— triples in retail, from 2% to 6%, and the median ransom demand doubles to $2.0 million, while the average payment increases by 5% to $1 million.

A perimeter with blind spots: what’s unseen keeps the door open

The most concerning operational data point is not technical: almost half of incidents (46%) originate from a breach unknown to the organization itself. In an environment with stores, logistics, e-commerce, point-of-sale (POS) terminals, and suppliers, the dispersion of assets and service turnover create “dark corners”: unregistered devices, inherited credentials, remote access with disparate policies, or network equipment lacking telemetry.

The 30% of attacks with a clear technical root cause exploited known vulnerabilities, indicating that patch and exposure management—especially for remote access, Internet-facing services, and network devices—remains an Achilles’ heel. Additionally, the purchase of access credentials and the abuse of identities compound the problem: after ransomware, account compromise is the second most common incident type in retail, and BEC (Business Email Compromise) fraud ranks third.

Less encryption, more pressure: adversaries’ shift in tactics

The encryption rate drops to 48%, suggesting that earlier detection and containment are improving. However, adversaries don’t give up: they pivot. When encryption fails, they steal data and extort the victim (threatening to publish it), a tactic that has tripled to 6% over two years. The goal remains the same —enforce payment— but through a different route, using “pressure timers” (countdowns on leak portals) and messages designed to force a rushed decision.

Meanwhile, the criminal market tightens: the median demand rises to $2.0 million, and the average payment increases to $1 million (a 5% rise compared to 2024). The “good news”: only 29% of victims who paid handed over exactly what was demanded; 59% paid less, and 11% paid more. This highlights that negotiating without a solid foundation — reliable backups, legal and forensic support, cyber insurance with defined protocols — raises both the risk and the cost.

Resilience indicators: measurable progress… and pending tasks

  • Detection before encryption: the encryption rate is at a five-year low. Organizations are better at handling the “first bite” of an attack: more anomalous behaviors are detected, and automatic responses isolate endpoints in time.
  • Faster and cheaper recovery. The average recovery cost (excluding ransom) drops by 40% to $1.65 million, a three-year low. 51% of recoveries complete in ≤ 1 week.
  • Backups: improve them with real tests. Only 62% restored from backups, a four-year low. The key lesson: 3-2-1 backups, versioned, offline/immutable, and restore-tested against the clock.

The human face of attack: pressure, turnover, and team fatigue

Apart from the technical and financial impact, the report quantifies effects on personnel and structures. After an encryption incident, 47% of IT/cybersecurity teams experience increased pressure, and in one out of four cases (26%), leadership is replaced. Stress and sustained workload lead to departures, turnover, and most critically, loss of operational knowledge: precisely what’s needed to learn and improve after an attack.

Threat landscape 2025: nearly 90 groups and mixed TTPs

Threat intelligence teams and MDR providers have identified almost 90 different groups targeting one or more retailers in the past year. Leading the list are well-known names — Akira, Cl0p, Qilin, PLAY, Lynx — but the list evolves rapidly: “new brands” and multimodal campaigns (ransom + exfiltration + BEC) coexist with infection chains that recycle vulnerabilities in remote access or unpatched perimeter devices. This means the retail perimeter isn’t just the store’s “wall”: it’s the sum of stores, e-commerce, supplier integrations, APIs, and SaaS.

Tech guide for media: from detection to reducing MTTR

1) Asset & Exposure First: inventory, prioritize, patch

  • Comprehensive inventory (not just CMDB): endpoints, servers, POS, network/security devices, critical SaaS, remote access, and APIs.
  • Exposure map: what’s on the Internet (VPNs, dashboards, edge, reverse proxies, network devices), with pending patches/changes and default configurations.
  • Prioritization by exploitability: alert on actively exploited and exposed assets; automate where possible (WSUS/Intune, Ansible, etc.).
  • Surface telemetry: external attack surface management and configuration drift in stores and locations.

2) Identity and email: 80/20 of many incidents

  • MFA by default and conditional access; credential hygiene (rotation, offline storage, PAM for privileges).
  • Email security: DMARC, SPF, DKIM, and anti-BEC rules in payment/finance areas; conduct vishing/email bombing simulations (techniques that are making a comeback).

3) Serious endpoint security: EDR/XDR and application control

  • EDR/XDR with automatic isolation and rollback capabilities when encryption behavior is detected.
  • Allow-listing and kiosk mode on POS, kiosks, and store devices; shrinking the attack surface prevents initial compromise.

4) Segmentation and movement control

  • Microsegmentation or at least VLANs and ACLs between storefront–backoffice–central services; prevent a POS from “seeing” sensitive data.
  • DLP/exfiltration monitoring in sensitive repositories and e-commerce; curbs no-encryption extortion.

5) Backups with testing (and timers)

  • 3-2-1 backup rule with immutability and offline backups; automate verification.
  • Timed restorations of critical systems (ERP, e-commerce, inventory). Document RTO/RPO and gaps.

6) 24/7 or MDR: because ransomware never sleeps

  • Teams without permanent shifts should hire MDR with SLA response times and proactive threat hunting; measure MTTD reduction in weeks.
  • Crisis board: define roles (technical, legal, business), decision trees (when to involve forensics, authorities, PR), and templates.

Key metrics (understood by the board)

  • MTTD/MTTR per domain (stores, logistics, e-commerce, payments).
  • Encryption rate versus early containment rate; goal: treat the sector’s 48% as a starting point to improve on, not a ceiling.
  • Backup restore rate (with real testing).
  • Recovery cost (excluding ransom) versus sector benchmark ($1.65 million).
  • Week 1: percentage of critical services operational within ≤ 7 days (target: ≥ 51%).
  • Exposure: critical assets with exploitable vulnerabilities and exposure days.
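As an added illustration (not code from the report or the article), the following Python computes the board-level metrics listed above from constructed incident and asset records, using the $1.65M and 51% benchmarks cited on this page; the record fields and all values are assumptions.

```python
from datetime import datetime
from statistics import mean
RECOVERY_COST_BENCHMARK_USD = 1_650_000  # sector average recovery cost cited above
WEEK1_TARGET = 0.51                      # >= 51% of critical services back within 7 days
def _hours(start, end):  # hours between two ISO-8601 timestamps
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600
# Constructed incidents (assumed fields, made-up values); encrypted=False means contained first.
INCIDENTS = [
    {"domain": "stores", "access": "2025-03-01T02:00", "detected": "2025-03-01T06:00",
     "resolved": "2025-03-02T06:00", "encrypted": False, "cost": 300_000, "restore_days": 1},
    {"domain": "stores", "access": "2025-04-10T22:00", "detected": "2025-04-12T10:00",
     "resolved": "2025-04-20T10:00", "encrypted": True, "cost": 2_100_000, "restore_days": 8},
    {"domain": "e-commerce", "access": "2025-05-05T00:00", "detected": "2025-05-05T01:00",
     "resolved": "2025-05-05T13:00", "encrypted": False, "cost": 120_000, "restore_days": 0},
    {"domain": "payments", "access": "2025-06-01T12:00", "detected": "2025-06-03T12:00",
     "resolved": "2025-06-09T12:00", "encrypted": True, "cost": 1_500_000, "restore_days": 6},
]
# Constructed Internet-facing assets; 'exploited' marks a known-exploited vulnerability.
ASSETS = [
    {"name": "vpn-edge-1", "exposed_since": "2025-10-01", "exploited": True, "patched": False},
    {"name": "store-fw-7", "exposed_since": "2025-11-10", "exploited": True, "patched": False},
    {"name": "dash-3", "exposed_since": "2025-09-01", "exploited": True, "patched": True},
]

def mttd_mttr_by_domain(incidents):
    """Mean time to detect / mean time to resolve (hours), keyed by business domain."""
    out = {}
    for dom in sorted({i["domain"] for i in incidents}):
        rows = [i for i in incidents if i["domain"] == dom]
        out[dom] = (mean(_hours(r["access"], r["detected"]) for r in rows),
                    mean(_hours(r["access"], r["resolved"]) for r in rows))
    return out

def encryption_vs_containment(incidents):  # encryption rate vs. early-containment rate
    enc = sum(i["encrypted"] for i in incidents) / len(incidents)
    return enc, 1 - enc

def week1_recovery(incidents):  # share restored within 7 days, and whether it meets the target
    rate = sum(i["restore_days"] <= 7 for i in incidents) / len(incidents)
    return rate, rate >= WEEK1_TARGET

def recovery_cost_gap(incidents):  # mean cost (ransom excluded) and gap vs. the benchmark
    avg = mean(i["cost"] for i in incidents)
    return avg, avg - RECOVERY_COST_BENCHMARK_USD

def exposure_days(assets, today):
    """Days each asset has carried a known-exploited, unpatched flaw, worst first."""
    t = datetime.fromisoformat(today)
    live = [(a["name"], (t - datetime.fromisoformat(a["exposed_since"])).days)
            for a in assets if a["exploited"] and not a["patched"]]
    return sorted(live, key=lambda x: -x[1])
```

Feeding the same functions with records exported from a ticketing or SIEM tool, split by domain (stores, logistics, e-commerce, payments), gives the per-domain MTTD/MTTR trend the section asks for.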

Frequently Asked Questions

Why is encryption decreasing while economic pressure rises?
Because attackers adapt: when encryption becomes less effective (better detection/containment), they exfiltrate and extort by threatening to publish data. Encryption drops to 48%, but no-encryption extortion rises to 6%, and the median ransom doubles to $2 million. The goal is to force payment through another route.

Is paying the ransom worth it if I have backups?
The report shows that 58% of encryption victims paid; only 62% could restore from backup (a four-year low). If your backups aren’t tested or your RTO window is unfeasible, business pressure pushes toward paying. The sustainable solution is 3-2-1 backups with real testing, EDR/XDR, and 24/7 MDR, so you never reach that point.

What TTPs should I prioritize in defending a retail chain?
Focus on exposure and remote access, identity (MFA/conditional), email (anti-BEC), EDR/XDR with isolation, segmentation between store–backoffice–corporate, and unified telemetry. These levers most effectively reduce MTTD/MTTR and limit the blast radius.

How can I measure ROI on MDR and on “invisible” patching investments?
Use comparable data: average recovery cost (target: ≤ $1.65M for retail), detection and resolution times, exposure days per asset, early containment rate, and week 1 operational recovery. Investment in “invisible” controls pays off when minutes are saved and costs are lowered.

via: Ransomware in retail
