Ransomware attacks on retailers rose 75% in 2021

Retailers are fast becoming the favorite targets for ransomware criminals, with two out of three companies in the sector being attacked last year, according to a new report from cybersecurity firm Sophos. Attackers were able to successfully encrypt files in more than half of the attacks.

Of 422 retail IT professionals surveyed internationally, 77% said their organizations were hit by ransomware attacks in 2021. This is a 75% rise from 2020, the Sophos report noted.

“Retailers continue to suffer one of the highest rates of ransomware attacks of any industry. With more than three in four suffering an attack in 2021, it certainly brings a ransomware incident into the category of when, not if,” said Chester Wisniewski, principal research scientist at Sophos, in a statement accompanying the report.  

Sophos defines “hit by ransomware” as one or more devices being impacted, but not necessarily encrypted. Ransomware criminals were able to encrypt files of target retailers in 68% of the cases. Only 28% of retail respondents said they were able to stop attacks before data could be encrypted. 

“In Sophos’ experience, the organizations that are successfully defending against these attacks are not just using layered defenses, they are augmenting security with humans trained to monitor for breaches and actively hunting down threats that bypass the perimeter before they can detonate into even bigger problems,” Wisniewski said.

A large portion of the industry needs to improve its security posture with the right tools and appropriately trained security experts to help manage their efforts, he said.  

“With Initial Access Brokers (IABs) and Ransomware-as-a-Service (RaaS), it’s unfortunately easy for bottom-rung cybercriminals to buy network access and a ransomware kit to launch an attack without much effort. Individual retail stores and small chains are more likely to be targeted by these smaller opportunistic attackers,” Wisniewski said.

Of respondents reporting that their organizations were hit by ransomware, 92% said the attack impacted their ability to operate, while 89% said the attack caused their organization to lose business/revenue. This indicates that the operational and commercial impact of ransomware on the retail sector was a little higher than the other sectors, the report noted. 

Retailers lose data even after paying ransom

Only 62% retailers who paid ransom to recover their data in 2021 were able to recover some of their data, making it worse than 2020, when 67% of such organizations were able to recover some of their data.

Getting back all encrypted data became even less common in 2021, with only 5% of retailers able to restore all their data, down from 9% in 2020.

“The key takeaway here is that paying the ransom will only restore a part of your encrypted data and you cannot count on the ransom payment to get you all your data back,” according to the report.

The retail sector used multiple methods to recover their encrypted data, including backups and paying ransom. Almost all retail organizations that were hit by ransomware and had data encrypted in the last year recovered some encrypted data back.

About 73% of retail organizations used backups to recover data, a considerable increase from just 56% organizations in 2020. 

The Sophos report revealed 49% of respondents paid ransom to get the data back, compared to 32% in 2020. Almost a third, or 32%, reported using other means to restore their data.

“The percentage using backups, paying the ransom, and using other means clearly add up to more than 100%, indicating that many retail organizations use multiple restoration methods in parallel. Overall, 46% of retail victims used multiple methods to restore their data,” the report noted. 

Ransom amounts rise considerably

The exact amount of ransom paid was reported by 88 respondents from the retail sector. The average ransom payment was  $226,044, up from the average of $147,811 reported in 2020 by 36 retail respondents.

More than one-fifth, or 22%, of the retail organizations paid ransoms of less than $1,000, while more than two-thirds, or 70%, paid a ransom amount of less than $100,000. These low payments help keep the sector average down compared to many other industries, according to Sophos. 

Only 29% of retail respondents paid over $100,000 in ransom and about 4% paid over a million dollars, according to the report.

“It’s likely that different threat groups are hitting different industries. Some of the low-skill ransomware groups ask for $50,000 to $200,000 in ransom payments, whereas the larger, more sophisticated attackers with increased visibility demand $1 million or more,” Wisniewski said.

Ransomware insurance gets difficult to acquire

For 93% of those with cyberinsurance in retail, the process for securing coverage changed over the last year. Due to the high rate of attacks and ransom payments, retailers feel it is more difficult to acquire insurance now, with 41% saying fewer insurance providers are offering cyberinsurance.

About 57% of the respondents said the level of in-house cybersecurity required to qualify for cyberinsurance is now higher, with 43% saying policies are now more complex, 37% saying the process takes longer, and 35% saying it is more expensive. Nevertheless, 88% of retail respondents reported that they have coverage. 

As the cyberinsurance market hardens and it becomes more challenging to secure coverage, 97% of retail organizations that have cyberinsurance have made changes to their cyberdefense to improve their cyberinsurance position. Sixty-six percent of those surveyed have implemented new technologies/services, 55% have increased staff training/education activities, and 53% have changed processes/behaviors, according to the research.

Insurance firms paid out for clean-up costs in 82% of attacks on retail organizations, which is higher than the average of 77% for all sectors. However, retail respondents reported a below-average rate of ransom insurance payout, with insurers paying the ransom in 35% of attacks compared with 40% on average across all sectors.  “This suggests that the victims are often paying the ransoms out of their own funds,” the report noted.