Sophos: Retail organisations pay significantly less in ransomware attacks

Technology symbols overlaid in a clothing store
(Image credit: Shutterstock)

Retail companies that are impacted by ransomware pay less than a third of the amount of the industry average when meeting ransom demands, new research has revealed.

The average payment made to a ransomware organisation in the retail sector throughout 2021 was $226,000 (£197,000), significantly less than the industry average of $812,000 (£708,000) per incident.

Nearly one in four (22%) paid less than $1,000 (£871) for each incident, Sophos said, and the vast majority (70%) paid less than $100,000 (£87,000) whereas just 47% of the global average got away with paying less than six-figure sums.

The overall cost to remediate an attack was down on 2020’s numbers in retail too at $1.27 million (£1.1 million), a reduction from $1.97 million (£1.7 million) the year before.

Total costs of ransomware incidents can cover a wide variety of things including paying the ransom fee itself, the cost of recovering systems, a potential rise in cyber insurance premiums, and the cost of improving systems to prevent further attacks, among other areas.

Retail was largely spared from paying the highest prices for their ransomware attacks, but incidents still increased over the year, according to the researchers, with as many as 77% of all retail organisations being impacted in some way.

This figure represents a sizeable increase on the previous year’s of 44% and shows how retail is being targeted more frequently compared to the wider industry where 66% of companies were impacted on average.

Sophos said retail was the second-most targeted industry and was also reported slightly above average rates of data being encrypted in attacks - 68% vs the industry average of 65%.

Only 28% of retail organisations were able to stop their data from being encrypted after noticing an attack had begun - a figure that contributed to the reports that almost all companies (92%) said attacks impacted their ability to operate.

Retail firms are getting better at using backups to restore their data after it becomes encrypted - the industry’s long-recommended method of ransomware remediation.

73% of retail companies used backups following an attack, a figure that’s up considerably over the previous year’s 56%, but companies still report not benign able to get all of the data back.

Only 62% of all encrypted data was recovered, on average, in retail which is in line with the industry average of 61% - a drop from 67% in 2020.

The number of businesses that were able to recover the entirety of their data was also down on the previous year’s figures - 5% and 9% respectively.


Escape the ransomware maze

Conventional endpoint protection tools just aren’t the best defence anymore


“The key takeaway here is that paying the ransom will only restore a part of your encrypted data and you cannot count on the ransom payment to get you all your data back,” Sophos said.

The received wisdom in the industry has always been to never pay the ransom. In doing so, victims directly fund cyber crime and validate the business model itself.

However, many organisations are known to flout this advice in the hope of more quickly regaining access to data and their operations. Sophos’ research showed that 49% of all retail companies paid their attackers' ransom demands in 2021.

The dynamic between criminal and victim in a ransomware case is a mutually beneficial one, from the criminal’s perspective: the criminal encourages payment and repays the trust of the victim for paying the ransom in returning the encrypted files through a decryption key.

Sophos’ data would suggest that the dynamic is being exploited by the criminals and if victims continue to lose access to a sizeable portion of their files, it may discourage payment.

In cases where the victim restores from backups, the effectiveness of the recovery is only as effective as the backup strategy itself. If the backup is weeks old then the business will struggle to fully recover.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.