The retail sector became a top target for ransomware and data-theft extortion attacks during the pandemic, as revealed in Sophos’ State of Ransomware in Retail 2021 report. Based on an independent survey of 435 IT decision makers, it explores the extent and impact of ransomware attacks on mid-sized retail organizations worldwide during 2020.
Retail is at the ransomware frontline
The results show that retail, together with education, was the sector most hit by ransomware in 2020 with 44% of organizations hit (compared to 37% across all industry sectors). Over half (54%) of the retail organizations hit by ransomware said the attackers had succeeded in encrypting their data.
Cybercriminals were quick to exploit opportunities presented by the pandemic, which in the retail sector was primarily the rapid growth in online transactions. While IT teams were busy enabling and managing this change (nearly three-quarters, or 72%, of respondents said their cybersecurity workload increased over 2020), adversaries targeted them with ransomware attacks.
A target for extortion-only attacks
The survey also found that retail organizations were particularly vulnerable to a small but growing new trend: extortion-only attacks, where the ransomware operators don’t encrypt files but threaten to leak stolen information online if a ransom demand isn’t paid. More than one in ten (12%) retail ransomware victims experienced this, nearly double the cross-sector average, and only central government (13%) was more affected.
“The comparatively high percentage of retail organizations hit with data-theft based extortion attacks is not entirely surprising. Service industries such as retail hold information that is often subject to strict data protection laws, and attackers are only too willing to exploit a victim’s fear of fallout from a data breach in terms of fines and damage to brand reputation, sales and customer trust.”
Chester Wisniewski, principal research scientist at Sophos
A third of retail organizations pay the ransom
32% of retail organizations whose data was encrypted paid the ransom to get their data back. The average ransom payment was US$147,811 – lower than the global average of US$170,404.
While these are large sums, paying the ransom is just a small part of the overall costs of dealing with a ransomware attack. The total bill for rectifying a ransomware attack in the retail sector (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, and more) came in at US$1.97 million on average – above the cross-sector average of US$1.85 million.
Paying up doesn’t pay off
Many people assume, understandably, that once you pay the ransom you get all your data back. The survey has revealed that this is not the case. Within the retail sector, those who paid got back on average only two-thirds (67%) of their data, leaving a third inaccessible; and just 9% got all their encrypted data back. This emphasises the vital importance of having backups from which you can restore in the event of an attack.
The silver lining
Fortunately, it’s not all bad news: the retail sector was the most likely to report that its IT teams were able to enhance their cybersecurity skills and knowledge over the course of 2020. While adapting to the pandemic and the increase in online trading created a considerable workload, it also provided new learning opportunities that they can take with them into the year ahead.
Read the full report
To learn more about the impact of ransomware on the retail sector around the globe, read the full State of Ransomware in Retail 2021 report.