CYBERSECURITY | Global retail faces record-high ransom demands as cyber threats evolve
Nearly half of retail ransomware incidents—46 percent—were traced to security gaps organizations were unaware of.

Retailers around the world continue to be prime targets for ransomware, according to the Sophos State of Ransomware in Retail 2025 report. The fifth annual study found that median ransom demands doubled over the past year to $2 million, while average payments rose slightly to $1 million, suggesting that many organizations are resisting inflated demands.
Based on responses from 361 IT and cybersecurity leaders across 16 countries, the study found that 58 percent of retail victims with encrypted data paid to recover it—the second-highest rate recorded in five years. Yet the amount actually paid represented only about half of what attackers demanded, showing signs of improved negotiation and recovery capabilities.
Chester Wisniewski, director and global field chief information security officer at Sophos, said retail organizations face “a more complex threat landscape where adversaries are constantly on the lookout for and exploiting existing vulnerabilities.” He added that as ransom demands reach record levels, the need for “comprehensive security strategies is even more apparent,” emphasizing proactive measures to detect and neutralize threats before they escalate.
Security gaps, skills shortage persist
Nearly half of retail ransomware incidents—46 percent—were traced to security gaps organizations were unaware of. Another 45 percent resulted from limited in-house expertise, while 44 percent stemmed from insufficient protection coverage. Exploited vulnerabilities remained the most common technical root cause, appearing in 30 percent of attacks for the third consecutive year.
Despite these weaknesses, retailers are improving their ability to contain attacks. The rate of incidents resulting in data encryption fell to 48 percent—its lowest point in five years—down from a peak of 71 percent in 2023. Sophos attributed this to greater adoption of managed detection and response (MDR) services and more mature patch management.
However, the report also noted a worrying trend: extortion-only attacks, in which criminals threaten to leak stolen data without encrypting files, tripled to 6 percent in 2025 from just 2 percent in 2023.
Financial impact, recovery times improve
The overall cost of recovery, excluding ransom payments, dropped by 40 percent over the past year to $1.65 million, the lowest level in three years. More than half of retailers (51 percent) reported recovering within a week, compared with 46 percent a year earlier. Ninety-six percent said they fully recovered within three months.
Still, backup reliability declined. Only 62 percent of retailers restored their data using backups—the lowest rate in four years—suggesting that while recovery strategies are improving, backup resilience remains a challenge.
The study also found that 29 percent of retailers who paid ransoms matched the initial demand, while 59 percent negotiated for less and 11 percent paid more. Companies that overpaid cited failed backups and increased attacker demands during negotiations as key reasons.
Human toll on retail IT teams
The human cost of ransomware remained high. Nearly half (47 percent) of retail IT and cybersecurity teams reported increased pressure from senior management after suffering a ransomware incident. Forty-three percent said the attacks led to anxiety and heavier workloads, while one in four cases resulted in leadership replacement.
Sophos warned that burnout and staff turnover further weaken cyber resilience, particularly in sectors such as retail, where operational uptime and customer trust are critical.
ASEAN retailers face shared vulnerabilities
While the Sophos report provides global insights, its implications resonate strongly across Southeast Asia. The region’s rapid digitalization—especially in online retail—has expanded attack surfaces faster than many organizations can secure them.
In the Philippines, for example, small and mid-sized retailers continue to rely heavily on third-party systems for payments, logistics, and cloud management. This interconnectedness increases exposure to supply-chain attacks similar to those highlighted in the Sophos report. The Department of Information and Communications Technology (DICT) has been urging businesses to strengthen cyber hygiene and adopt continuous monitoring solutions, including MDR and managed risk services.
In Malaysia, Thailand, and Indonesia, local ransomware incidents mirror the global pattern of human error, outdated systems, and skill shortages as key enablers. Analysts say that regional collaboration—particularly under ASEAN’s Digital Economy Framework Agreement—will be essential to establishing common security standards across the retail ecosystem.
Toward proactive defense
Sophos urged organizations to focus on prevention, protection, detection, and preparedness. This includes eliminating technical and operational vulnerabilities, strengthening endpoint protection, maintaining tested backups, and ensuring 24/7 threat monitoring through managed detection and response providers.
“Successful security programs are focused on risk management,” Wisniewski said. “Retailers must have visibility into the threats they face as well as their assets and their security posture.”
For ASEAN retailers navigating economic volatility and digital transformation, the message is clear: investing in visibility, skills, and resilience is no longer optional—it’s survival.
