77% of retail organisations hit by ransomware, says study

The retail industry is an attractive target for cyber attackers considering the large volume of personal and financial data retailers store and a new study now suggests that globally, a whopping 77% of retail organisations surveyed were hit — a 75% increase from 2020. This is also 11% more than the global average of 66%, it said. 

According to cybersecurity firm Sophos’ State of Ransomware in Retail 2022, 92% of retail organisations hit by ransomware said that the attack impacted their ability to operate and 89% said the attack caused their organisation to lose business or revenue. In 2021, the overall cost to retail organisations to remediate a ransomware attack was $1.27 million, down from $1.97 million in 2020, it said. 

When compared to 2020, the amount of data recovered after paying the ransom decreased (from 67% to 62%), as did the percentage of retail organisations that got all their data back (from 9% to 5%) 

“Retailers continue to suffer one of the highest rates of ransomware attacks of any industry. With more than three in four suffering an attack in 2021, it certainly brings a ransomware incident into the category of when, not if. In Sophos’ experience, the organisations that are successfully defending against these attacks are not just using layered defenses, they are augmenting security with humans trained to monitor for breaches and actively hunting down threats that bypass the perimeter before they can detonate into even bigger problems. 

"This year’s survey shows that only 28% of retail organisations targeted were able to stop their data from being encrypted, suggesting that a large portion of the industry needs to improve their security posture with the right tools and appropriately trained security experts to help manage their efforts," said Chester Wisniewski, principal research scientist, Sophos.  

As the percentage of retail organisations attacked by ransomware increased, so did the average ransom payment. In 2021, the average ransom payment was $226,044, a 53% increase when compared to 2020 ($147,811). However, this was less than one-third the cross-sector average ($812,000). 

 “It’s likely that different threat groups are hitting different industries. Some of the low-skill ransomware groups ask for $50,000 to $200,000 in ransom payments, whereas the larger, more sophisticated attackers with increased visibility demand $1 million or more,” said Wisniewski.  

"After the emergence of Ransomware-as-a-Service (RaaS) it’s unfortunately easy for bottom-rung cybercriminals to buy network access and a ransomware kit to launch an attack without much effort. Individual retail stores and small chains are more likely to be targeted by these smaller opportunistic attackers.” 

Ransomware actors have a penchant for targeting organisations that need 100% uptime for their operations, noted a ZDNet article, and such is the case with retailers. “Organisations in the retail sector need to serve customers consistently, and they can’t do this without extended supply chains, third-party dependencies, and always-on production systems.  

Such complexity leaves Retailers and their suppliers a prime target for a ransomware attack, especially during the crucial holiday season when sales peak. Also, retailers are increasingly integrating Internet of Things (IoT) devices like security cameras, point-of-sale (PoS) systems, and production logistics controls into their environments. Many of these devices lack security by design, an oversight that leaves organisations even more susceptible to a ransomware attack. 

These studies emphasise that businesses are realising the prevalence of ransomware attacks and responding appropriately. As part pf the response develop a robust cybersecurity posture is critical in today's world. Indian retailers should focus on building strong defences, providing security skills training for users to better prepare against ransomware and employ appropriate technology to defend against an recover from ransomware with layered protection.