Ransomware attacks on retail increase, average retail payment grows to more than $200K

More than 300 organizations in the retail industry said they were hit with ransomware attacks in 2021, according to a survey conducted by security company Sophos. 

Sophos researchers spoke to 422 IT workers at mid-sized organizations in the retail sector across 31 countries, finding startling increases in the number of respondents who said their organizations suffered ransomware attacks. 

Sophos said that 77% of respondents were hit with ransomware in 2021, a 75% increase over the share who reported an attack in 2020. The average ransom payment grew from $147,811 in 2020 to $226,044 in 2021.

The findings are part of a larger State of Ransomware in Retail 2022 report the company released, and researchers noted that retail had the highest rate of attacks of all industries surveyed.

Chester Wisniewski, principal research scientist at Sophos, said what surprised him most was that while 77% of organizations reported a ransomware attack, somehow barely half thought the volume and complexity had increased. 

“This is very concerning as it suggests that despite their failures in defending themselves, they may not be taking the threat seriously enough. Security should be viewed similar to an insurance policy — money well spent preventing much costlier outcomes. With more than three in four organizations falling victim, it seems attacks are nearly inevitable,” he said.

One bright spot in the findings was that the average total cost of remediating a ransomware attack fell by roughly a third, from $1.97 million in 2020 to $1.27 million in 2021.

Wisniewski attributed the drop to insurers that know how to intervene immediately and limit the impact on the business, as well as to professional services firms that remediate ransomware every day and “know how to do it safely and efficiently.”

“Additionally, ransomware payments in the retail industry were considerably below the global average of all sectors, with 41% of retail organizations reporting paying less than $10,000 in ransoms compared to only 21% globally across all sectors,” he explained. “In 2020, only 28% of retail organizations reported paying ransoms below that threshold. Further, only 4% of retail organizations reported paying ransoms of more than $1 million, compared to the global all-sector average of 11%.”

The Sophos report notes that retail organizations that faced ransomware attacks experienced an above-average rate of data encryption compared to other industries and nearly all said the incidents impacted their ability to function.

Ransomware groups have continued to attack retail organizations over the last three years

One of the largest supermarket chains serving multiple countries across southern Africa was hit with ransomware in June. Last July, one of Sweden’s largest supermarket store chains, Coop, was forced to shut down nearly 800 stores across the country after one of its contractors was hit by ransomware in the aftermath of the wide-ranging Kaseya security incident.

Two weeks ago, a retail technology provider for many of the world’s largest airlines said it recently dealt with a ransomware attack impacting some of its systems.

The Australian Cyber Security Centre released a warning last year about LockBit ransomware gang affiliates targeting companies’ “corporate systems in a variety of sectors including professional services, construction, manufacturing, retail and food.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.