Some 77% of global retailers were compromised by ransomware last year, making the sector one of the hardest hit, according to Sophos.
The security vendor polled 422 retail respondents in mid-sized organizations (100-5000 employees) across 31 countries to compile its report, The State of Ransomware in Retail 2022.
The headline figure represents a massive 75% increase on 2020 and is 11% higher than the average across all sectors, making retail the second-hardest hit industry globally.
Perhaps unsurprisingly, most (92%) respondents said an attack affected their ability to operate and 89% said it caused their organization to lose business and/or revenue.
However, while the average ransom payment within retail increased 53% year-on-year to reach $226,044 in 2021, this was less than a third of the cross-sector average ($812,000).
This may be explained by the varying sophistication of the attackers that target retailers.
“It’s likely that different threat groups are hitting different industries. Some of the low-skill ransomware groups ask for $50,000 to $200,000 in ransom payments, whereas the larger, more sophisticated attackers with increased visibility demand $1m or more,” said Chester Wisniewski, Sophos principal research scientist.
“With initial access brokers (IABs) and ransomware-as-a-service (RaaS), it’s unfortunately easy for bottom-rung cyber-criminals to buy network access and a ransomware kit to launch an attack without much effort. Individual retail stores and small chains are more likely to be targeted by these smaller opportunistic attackers.”
The report also revealed deficiencies in cyber-resilience: only 28% of respondents said they were able to prevent their data being encrypted during a ransomware attack.
That’s bad news considering that the amount of data recovered after paying a ransom decreased from 67% in 2020 to 62% last year, and the percentage of retailers that got all their data back dropped from 9% to 5%.
As well as best-practice cyber-hygiene and IT hardening efforts, Sophos recommends that smaller retailers outsource threat detection and response to Managed Detection and Response (MDR) providers.
Regular backups and well-rehearsed incident response plans are also important, it added.