Around 44% of retail organisations were hit by a ransomware attack in 2020, and more than half of those affected (54%) said cyber criminals had succeeded in encrypting their data, according to Sophos’s State of ransomware in retail 2021 report.
Of those retailers whose data was encrypted, 32% paid the ransom to get their data back, and the average ransom payment was $147,811. A further 56% used backups to restore their data.
However, the Sophos research – which was based on a survey of 435 IT decision-makers in retail – also found that those who paid the ransom got back just 67% of their data on average, leaving almost a third of it completely inaccessible. Just 9% of ransom-paying organisations got all of their encrypted data back.
The average bill for rectifying a ransomware attack in the sector – when considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, and more – was $1.97m.
Sophos also found that retail organisations were particularly vulnerable to a small but growing new trend of extortion-only attacks, whereby ransomware operators do not encrypt files, but instead threaten to leak exfiltrated information online if their ransom demand is not paid. This type of attack was experienced by 12% of retail ransomware victims.
“The comparatively high percentage of retail organisations hit with data theft-based extortion attacks is not entirely surprising. Service industries such as retail hold information that is often subject to strict data protection laws, and attackers are only too willing to exploit a victim’s fear of fallout from a data breach in terms of fines and damage to brand reputation, sales and customer trust,” said Chester Wisniewski, principal research scientist at Sophos.
The report added that cyber criminals were quick to exploit opportunities presented by the pandemic, which in retail was primarily the rapid growth of e-commerce and online shopping.
“Some retail organisations started trading online for the first time, while others saw a huge increase in their web traffic and the percentage of transactions that happened online,” said Sophos.
“Enabling and managing this change introduced new challenges for IT teams while also consuming significant capacity: nearly three-quarters (72%) of respondents said their cyber security workload increased over 2020. The good news is that, in light of this increase in workload, 77% of IT teams in retail said their ability to develop cyber security knowledge and skills increased over the course of 2020, the highest among all industries.”
Of the roughly 56% of surveyed retail organisations that were not hit by a ransomware attack in 2020, two-thirds (66%) expect to be hit in the future, with the most common reason being that the growing sophistication of ransomware attacks makes them increasingly difficult to stop.
In light of its findings, Sophos made a number of recommendations for how retail organisations could better protect themselves from ransomware attacks and their fallout.
Steps include making backups, because “even if you pay the ransom, you rarely get all your data back”; deploying layered protection “to block attackers at as many points as possible across your environment”; and not paying the ransom.
Sophos also suggested combining human experts and anti-ransomware technology, as “technology gives you the scale and automation you need, while human experts are best able to detect the tell-tale tactics, techniques and procedures that indicate when a skilled attacker is attempting to get into your environment.”