IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Sophos: Retail organisations pay significantly less in ransomware attacks

It's a game of volume in retail since despite being the second-most targeted industry, the average payment per case is well below the industry average

Retail companies that are impacted by ransomware pay less than a third of the amount of the industry average when meeting ransom demands, new research has revealed.

The average payment made to a ransomware organisation in the retail sector throughout 2021 was $226,000 (£197,000), significantly less than the industry average of $812,000 (£708,000) per incident.

Nearly one in four (22%) paid less than $1,000 (£871) for each incident, Sophos said, and the vast majority (70%) paid less than $100,000 (£87,000) whereas just 47% of the global average got away with paying less than six-figure sums.

The overall cost to remediate an attack was down on 2020’s numbers in retail too at $1.27 million (£1.1 million), a reduction from $1.97 million (£1.7 million) the year before.

Total costs of ransomware incidents can cover a wide variety of things including paying the ransom fee itself, the cost of recovering systems, a potential rise in cyber insurance premiums, and the cost of improving systems to prevent further attacks, among other areas.

Retail was largely spared from paying the highest prices for their ransomware attacks, but incidents still increased over the year, according to the researchers, with as many as 77% of all retail organisations being impacted in some way.

This figure represents a sizeable increase on the previous year’s of 44% and shows how retail is being targeted more frequently compared to the wider industry where 66% of companies were impacted on average.

Sophos said retail was the second-most targeted industry and was also reported slightly above average rates of data being encrypted in attacks - 68% vs the industry average of 65%.

Only 28% of retail organisations were able to stop their data from being encrypted after noticing an attack had begun - a figure that contributed to the reports that almost all companies (92%) said attacks impacted their ability to operate.

Retail firms are getting better at using backups to restore their data after it becomes encrypted - the industry’s long-recommended method of ransomware remediation.

73% of retail companies used backups following an attack, a figure that’s up considerably over the previous year’s 56%, but companies still report not benign able to get all of the data back. 

Only 62% of all encrypted data was recovered, on average, in retail which is in line with the industry average of 61% - a drop from 67% in 2020.

The number of businesses that were able to recover the entirety of their data was also down on the previous year’s figures - 5% and 9% respectively.

Related Resource

Escape the ransomware maze

Conventional endpoint protection tools just aren’t the best defence anymore

Whitepaper cover with overhead image of a man sat at a deska with a computer in the centre of a maze in the shadowsFree Download

“The key takeaway here is that paying the ransom will only restore a part of your encrypted data and you cannot count on the ransom payment to get you all your data back,” Sophos said.

The received wisdom in the industry has always been to never pay the ransom. In doing so, victims directly fund cyber crime and validate the business model itself.

However, many organisations are known to flout this advice in the hope of more quickly regaining access to data and their operations. Sophos’ research showed that 49% of all retail companies paid their attackers' ransom demands in 2021.

The dynamic between criminal and victim in a ransomware case is a mutually beneficial one, from the criminal’s perspective: the criminal encourages payment and repays the trust of the victim for paying the ransom in returning the encrypted files through a decryption key.

Sophos’ data would suggest that the dynamic is being exploited by the criminals and if victims continue to lose access to a sizeable portion of their files, it may discourage payment.

In cases where the victim restores from backups, the effectiveness of the recovery is only as effective as the backup strategy itself. If the backup is weeks old then the business will struggle to fully recover.

Featured Resources

Accelerating healthcare transformation through patient-centred medtech solutions

Seize the digital transformation opportunities to streamline patient care and optimise patient outcomes

Free Download

Big payoffs from big bets in AI-powered automation

Automation disruptors realise 1.5 x higher revenue growth

Free Download

Hyperscaler cloud service providers top ten

Why it's important for companies to consider hyperscaler cloud service providers, and why they matter

Free Download

Strategic app modernisation drives digital transformation

Address business needs both now and in the future

Free Download


Cyber security in the retail sector
cyber security

Cyber security in the retail sector

28 Sep 2022
Cyber security in manufacturing

Cyber security in manufacturing

28 Sep 2022
Sophos XGS 116 review: A small and mighty appliance
unified threat management (UTM)

Sophos XGS 116 review: A small and mighty appliance

14 Sep 2022
Ransomware now strikes one in 40 organisations per week, Check Point finds

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022

Most Popular

Empowering employees to truly work anywhere

Empowering employees to truly work anywhere

22 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Why Japan finds it so hard to digitally transform
digital transformation

Why Japan finds it so hard to digitally transform

1 Dec 2022