Sophos Report Reveals That Unknown Security Gaps Are Now Costing Retailers Millions
The retail sector has long been a prime target for cybercriminals, but the latest data from the Sophos State of Ransomware in Retail 2025 report shows the threat landscape is worsening, driven both by technical flaws and by an alarming lack of security visibility.
The headline figure is stark: 58% of retailers whose data was encrypted ultimately paid the ransom, the second-highest payment rate in five years. The median ransom demand has also doubled since last year, to $2 million.
Why are retailers continuing to pay, even as costs spiral? The report points to critical failures in both operations and defense:
- Unknown Security Gaps (46% of Attacks): Nearly half of all ransomware attacks were traced back to a security gap the organization did not know existed. This points to a severe asset-management and visibility problem across the modern retail attack surface, which often includes remote-access services and internet-facing equipment that never made it onto an inventory.
- Limited In-House Expertise (45% of Compromises): A persistent shortage of internal skills is the second most common operational driver, leaving retail teams unable to detect and contain ransomware operations such as Akira, Cl0p, and Qilin before they do damage.
As Chester Wisniewski, Director and Global Field CISO at Sophos, warns: “Without this, retailers risk ongoing operational disruption and lasting reputational damage that could take years to repair.”
While the figures are sobering, the report does contain glimmers of progress:
- The percentage of attacks stopped before encryption hit a five-year high, suggesting improved detection capabilities.
- Retailers are pushing back on demands: 59% of victims who paid negotiated the initial request down.
- The mean cost of recovery (excluding the ransom) has dropped by 40% to $1.65 million, its lowest point in three years.
However, adversaries are adapting. Even as encryption rates fall, the proportion of retailers hit by extortion-only attacks, in which data is stolen but not encrypted, has tripled, keeping the financial pressure high.
For executive leaders, the solution lies in transitioning to a proactive, risk-management focus:
- Prioritize Visibility and Remediation: Combine a complete asset inventory (including internet-facing and remote-access systems) and disciplined patching with specialized services like Sophos Managed Risk to close the unknown technical weaknesses that drive nearly half of all attacks.
- Ensure 24/7 Coverage: Organizations that lack in-house expertise (45% report this gap) should partner with Managed Detection and Response (MDR) services for continuous, expert threat monitoring and rapid response.
- Plan for the Worst: Routinely test a comprehensive incident response plan and maintain reliable, restore-tested backups. The drop in recovery cost suggests that prepared organizations recover faster and suffer less overall damage. Keep in mind that backups mitigate encryption, not the data-theft extortion described above.
Successful security programs are built around risk management. By combining strong governance with outsourced expertise where skills are lacking, retailers can move beyond paying ransoms and turn their cyber defenses into a proactive shield.