Ransomware: retail costs are exploding


Cybercrime is one of the biggest risks for companies in all industries. However, attack rates and the resulting damage vary by industry sector. In its global study, State of Ransomware, cybersecurity company Sophos examined how the ransomware threat to retail has evolved.

🔎 Retail ransomware attack rate (Image: Sophos).

The rate of ransomware attacks in retail dropped from 77% in 2022 to 69% in 2023. This is an encouraging drop, but over two-thirds of retail businesses were still hit by ransomware in the last year, and despite the decline the rate remains above the global average. According to the Sophos study State of Ransomware in Retail 2023, that makes ransomware the largest cyber risk facing retail businesses today.

Security gaps as the main gateway

Exploited vulnerabilities (41%) were the root cause of most retail ransomware attacks, followed by compromised credentials (22%). Phishing was the third most common cause with 17% of incidents. Overall, nearly a third of retailers surveyed (32%) said email (malicious email or phishing) was the root cause of the attack. Globally, retail has been among the industries most commonly targeted by ransomware attacks via vulnerability exploits and phishing. Conversely, the use of compromised credentials as a starting point for ransomware attacks in retail was the least recorded of all industries (along with IT, telecom and technology).

Retail pays 10 times more ransom

🔎 Retailers pay very high ransoms (Image: Sophos).

On a global, cross-industry level, the overall willingness to pay ransoms is at the level of last year's study, but the size of the payments themselves has almost doubled compared to the previous year, rising from $812,360 to $1,542,330 (€1,389,639.33). In line with the global trend, the average retail ransom payment also increased significantly compared to the previous year, to $2,458,481 (€2,215,226.60): more than 10 times the figure in the 2022 report ($226,044 or €204,095.13).

Retail not only pays more in ransoms than last year, but also more than many other industries: average retail ransom payments were nearly 60% higher than the global average across industries ($1,542,330 or €1,389,639.33) in this year's study.

🔎 Two-thirds of retailers pay ransoms of $1 million or more (Image: Sophos).

The proportion of retailers paying higher ransoms has also increased compared to the 2022 study. More than two-thirds of retail businesses (68%) reported payments of $1 million or more, up from around 5% a year ago. Conversely, only 6% paid less than $100,000, down from 70% in last year's report.

Insured companies with high willingness to pay ransom

Unlike in other sectors, insurance coverage had little impact on the retail recovery rate. It did, however, have a significant influence on the willingness to pay the ransom. In short, retail businesses with standalone cyber insurance were more willing to pay ransoms to recover data than those with cyber insurance as part of a broader business policy or businesses that had no insurance at all.

Retail data encryption rate up for third consecutive year

🔎 More and more data is being encrypted during attacks (Image: Sophos).

Data encryption in retail has continued to increase, with the 2023 report showing the highest level of encryption in three years. This reflects the increasingly professional skills of the attackers, who are constantly innovating and refining their methods. Almost three-quarters of retail ransomware attacks (71%) resulted in data encryption, up from 68% and 54% in the previous two years. The rising encryption rate goes hand in hand with a declining ability of companies to activate their defenses in time when attacked: only one in four attacks (26%) is stopped before the data can be encrypted, a rather worrying trend.

Nevertheless, retail is doing better than many other sectors worldwide. Across all sectors, 76% of attacks resulted in data encryption and only 21% were stopped before the data was encrypted. The highest frequency of data encryption (92%) was reported by service companies.

Data: Not only encrypted - also stolen

In 21% of retail attacks where data was encrypted, data was also stolen. This "double-dip" approach is on the rise because it further increases the attackers' options for monetizing an attack: the threat of publishing stolen data can be used to extort payment, and selling the data is also lucrative for the cybercriminals, as it is a highly coveted commodity on the darknet. With the increasing frequency of data theft, it is becoming ever more important to stop attacks early, before information can be exfiltrated.

Retail data recovery rate high

97% of retail companies were able to recover their data after an encryption attack. 43% of retail businesses said they paid a ransom for it, and more than two-thirds (68%) relied on backups for data recovery, slightly below the global averages of 46% and 70%, respectively. 16% of respondents said they use multiple means to recover encrypted data.

Use of backups but also number of ransom payments declining

🔎 Fast data recovery usually takes longer (Image: Sophos).

Retail backup usage fell to 68% in the 2023 survey from 73% in the 2022 survey. This drop in backup usage is in line with the global, rather worrying, trend, which shows a decline from 73% in 2022 to 70% in 2023. As for ransom payments, the share of retail businesses paying a ransom dropped from 49% in the 2022 report to 43% in this report. Globally, however, the share of ransom payments across all sectors has remained the same.

Retail recovery costs slightly higher than industry average

Ransomware payments are just one element of the recovery costs associated with ransomware. Excluding the ransom paid, businesses worldwide reported an increase in recovery costs compared with the 2022 report. Retail recovery costs have also increased, to $1,850,000 (€1,668,505.75) from $1,270,000 (€1,145,406.65) last year, but are still lower than the $1,970,000 (€1,776,802.10) reported in the 2021 report. This year's increase may reflect the sector's difficulty in stopping data encryption in time during attacks. The reduced use of backups to restore encrypted data may also have driven up recovery costs.

Data recovery takes longer

While the time to recover from ransomware attacks in retail is broadly in line with the findings of the 2022 report, the percentage of businesses recovering in less than a day has fallen from 15% to 9% year-on-year.

The percentage of companies that took more than a month to recover rose to around 21% from around 17% a year ago, suggesting the sector is now taking longer to recover.

Impact on business

82% of retail businesses hit by ransomware said the attacks also resulted in lost business. This corresponds to the global industry average of 84%.

For the retail sector, as for all other industries, the crucial question is how cybercriminals get into the company and which attack tactics pose the greatest risks for this industry. Sophos advises companies to take a number of steps to further strengthen their defenses:

  • Security tools that protect against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities
  • Zero Trust Network Access (ZTNA) to thwart abuse of compromised credentials
  • Adaptive technologies that automatically respond to attacks, disrupting attackers and giving defenders time to respond
  • 24/7 threat detection, investigation and response, either in-house or in collaboration with a specialized Managed Detection and Response (MDR) service provider
  • Optimizing attack preparation, including regular backups
  • Practicing data restoration from backups and maintaining an up-to-date incident response plan
  • Maintaining good security hygiene, including timely patching and regularly reviewing security tool configurations

About the State of Ransomware in Retail 2023 study

From January to March, an independent market research institute commissioned by Sophos surveyed 3,000 IT or cybersecurity managers at companies with 100 to 5,000 employees and at least 10 million in revenue in 14 countries. Among them were 351 retail companies, which provided their specific perspective on the cybersecurity situation.

More at Sophos.com



About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and they offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web, backed by SophosLabs, our worldwide network of analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.
