Retailers Are Fighting Back Against Ransomware

Summary
– Ransomware attacks on retailers are shifting, with fewer incidents leading to data encryption and lower recovery costs, but ransom demands have doubled and security teams are under strain.
– Exploited vulnerabilities are the top technical entry point for attackers, while organizational weaknesses like unknown security gaps and limited expertise also contribute significantly.
– The median ransom demand doubled to two million dollars, but median payments rose only slightly to one million as companies increasingly resist or negotiate these demands.
– Recovery costs excluding ransom payments dropped by 40% to about 1.6 million dollars, and recovery times improved with half of retailers returning to normal within a week.
– Ransomware attacks have significant human impacts, including increased stress, heavier workloads, leadership changes, and staff absences due to mental health issues.

The retail sector is experiencing a notable shift in the battle against ransomware, with recent data revealing both encouraging trends and persistent threats. While the frequency of data encryption has dropped to its lowest point in five years, cybercriminals are escalating their ransom demands and increasingly turning to extortion-only tactics. Recovery costs and timeframes have improved, yet the human and financial toll on organizations remains substantial.
According to the latest global survey of retail IT and cybersecurity leaders, exploited vulnerabilities continue to be the most common method attackers use to breach systems, accounting for roughly one-third of all incidents. Compromised credentials and phishing attempts follow closely behind. Beyond technical weaknesses, nearly half of respondents identified unknown security gaps within their organizations, while a similar number cited limited in-house expertise and insufficient protective tools as contributing factors. This points to a complex challenge that blends technology shortcomings with human resource limitations.
A significant development is the decline in successful data encryption during attacks, now occurring in only 48% of ransomware incidents. This improvement signals that detection and defensive measures are becoming more effective. However, attackers are adapting by shifting toward extortion-only campaigns, where they threaten to release stolen data without encrypting systems. Among those whose data was encrypted, 29% also reported that information was exfiltrated. This dual-threat approach means retailers cannot afford to lower their guard simply because encryption rates are falling.
Ransom demands have doubled year over year, reaching a median of two million dollars. Despite this sharp increase, the actual median payment saw only a modest rise to one million dollars. On average, affected companies paid about 81% of the initial demand, down from 85% the previous year. The vast majority of organizations managed to recover their data, primarily through backups, though reliance on backups has seen a slight decrease. Retailers remain among the top industries utilizing backup systems for restoration.
Encouragingly, the cost to recover from an attack, excluding any ransom paid, has fallen by approximately 40% to around 1.6 million dollars, the lowest figure recorded in three years. Recovery times have also shortened, with about half of retail organizations returning to normal operations within a week. These gains suggest that investments in incident response and business continuity planning are yielding positive results. Still, even when a ransom is not paid, expenses related to downtime, labor, and system repairs continue to represent a major financial burden.
The impact on personnel cannot be overlooked. Every retailer that experienced data encryption reported negative effects on their IT or security teams. Close to half noted increased pressure from senior leadership, and many teams faced higher stress levels, heavier workloads, and internal restructuring. About one quarter saw leadership changes following an attack, and a similar proportion reported staff absences due to stress or mental health issues. These findings underscore that ransomware inflicts lasting human consequences, reshaping teams and workplace dynamics long after technical systems have been restored.
(Source: HelpNet Security)





