THE retail sector–including physical stores, e-commerce mixes, and online shopping verticals–had the second highest rate of ransomware attacks in 2021 of all sectors surveyed after the media, leisure, and entertainment industry.
Sophos recently published a new sectoral survey report, The State of Ransomware in Retail 2022, which found that two in three retail organizations reporting data encryption following a ransomware attack. Globally, 77 percent of retail organizations surveyed were hit–a 75 percent increase from 2020. This is also 11 percent more than the cross-sector average attack rate of 66 percent.
“Retailers continue to suffer one of the highest rates of ransomware attacks of any industry. With more than three in four suffering an attack in 2021, it certainly brings a ransomware incident into the category of when, not if,” said Chester Wisniewski, principal research scientist, Sophos.
As the percentage of retail organizations attacked by ransomware increased, so did the average ransom payment. In 2021, the average ransom payment was $226,044, a 53 percent increase when compared to 2020 ($147,811). However, this was less than one-third of the cross-sector average ($812K).
According to Wisniewski organizations that are successfully defending against these attacks are not just using layered defenses, but are augmenting security with humans trained to monitor for breaches and actively hunting down threats that bypass the perimeter before they can detonate into even bigger problems.
The report also revealed that only 28 percent of retail organizations targeted were able to stop their data from being encrypted, suggesting that a large portion of the industry needs to improve their security posture with the right tools and appropriately trained security experts to help manage their efforts.
“It’s likely that different threat groups are hitting different industries. Some of the low-skill ransomware groups ask for $50,000 to $200,000 in ransom payments, whereas the larger, more sophisticated attackers with increased visibility demand $1 million or more,” Wisniewski said pointing out how cybercriminals utilizing Initial Access Brokers (IABs) and Ransomware-as-a-Services (RaaS) make it easy even for inexperienced, bottom-rung cybercriminals to buy network access and a ransomware kit to launch an attack without much effort. Individual retail stores and small chains are more likely to be targeted by these smaller opportunistic attackers.
In 2021, the overall cost to retail organizations to remediate a ransomware attack was $1.27M, down from $1.97M in 2020. But when compared to 2020, the amount of data recovered after paying the ransom decreased (from 67 percent to 62 percent), as did the percentage of retail organizations that got all their data back (from 9 percent to 5 percent).
Sophos experts recommend the following some best practices for all organizations across all sectors. First is to install and maintain high-quality defenses across all points in the environment and review security controls regularly and make sure they continue to meet the organization’s needs. By assigning the IT team to proactively hunt for threats to identify and stop adversaries before they can execute attacks. A suitable and even faster solution is to outsource to a Managed Detection and Response (MDR) team. Third is to harden the IT environment by searching for and closing key security gaps: unpatched devices, unprotected machines and open RDP ports, for example using Extended Detection and Response (XDR) solutions.
However, more than these best practices, creating a strong security posture, preparing for the worst, and having an updated plan in place of a worst-case incident scenario is needed. Sophos suggests to make backups, and practice restoring them to ensure minimal disruption and recovery time.
