Sophos: Retail organisations pay significantly less in ransomware attacks

Retail companies that are impacted by ransomware pay less than a third of the amount of the industry average when meeting ransom demands, new research has revealed.

The average payment made to a ransomware organisation in the retail sector throughout 2021 was $226,000 (£197,000), significantly less than the industry average of $812,000 (£708,000) per incident.

Nearly one in four (22%) paid less than $1,000 (£871) for each incident, Sophos said, and the vast majority (70%) paid less than $100,000 (£87,000) whereas just 47% of the global average got away with paying less than six-figure sums.

The overall cost to remediate an attack was down on 2020’s numbers in retail too at $1.27 million (£1.1 million), a reduction from $1.97 million (£1.7 million) the year before.

Total costs of ransomware incidents can cover a wide variety of things including paying the ransom fee itself, the cost of recovering systems, a potential rise in cyber insurance premiums, and the cost of improving systems to prevent further attacks, among other areas.

Retail was largely spared from paying the highest prices for their ransomware attacks, but incidents still increased over the year, according to the researchers, with as many as 77% of all retail organisations being impacted in some way.

This figure represents a sizeable increase on the previous year’s of 44% and shows how retail is being targeted more frequently compared to the wider industry where 66% of companies were impacted on average.

Sophos said retail was the second-most targeted industry and was also reported slightly above average rates of data being encrypted in attacks - 68% vs the industry average of 65%.

Only 28% of retail organisations were able to stop their data from being encrypted after noticing an attack had begun - a figure that contributed to the reports that almost all companies (92%) said attacks impacted their ability to operate.

Retail firms are getting better at using backups to restore their data after it becomes encrypted - the industry’s long-recommended method of ransomware remediation.

73% of retail companies used backups following an attack, a figure that’s up considerably over the previous year’s 56%, but companies still report not benign able to get all of the data back.

Only 62% of all encrypted data was recovered, on average, in retail which is in line with the industry average of 61% - a drop from 67% in 2020.

The number of businesses that were able to recover the entirety of their data was also down on the previous year’s figures - 5% and 9% respectively.

“The key takeaway here is that paying the ransom will only restore a part of your encrypted data and you cannot count on the ransom payment to get you all your data back,” Sophos said.

The received wisdom in the industry has always been to never pay the ransom. In doing so, victims directly fund cyber crime and validate the business model itself.

However, many organisations are known to flout this advice in the hope of more quickly regaining access to data and their operations. Sophos’ research showed that 49% of all retail companies paid their attackers' ransom demands in 2021.

The dynamic between criminal and victim in a ransomware case is a mutually beneficial one, from the criminal’s perspective: the criminal encourages payment and repays the trust of the victim for paying the ransom in returning the encrypted files through a decryption key.

Sophos’ data would suggest that the dynamic is being exploited by the criminals and if victims continue to lose access to a sizeable portion of their files, it may discourage payment.

In cases where the victim restores from backups, the effectiveness of the recovery is only as effective as the backup strategy itself. If the backup is weeks old then the business will struggle to fully recover.