Retailers are fast becoming the favourite targets for ransomware criminals, with two out of three companies in the sector being attacked last year, according to a new report from cyber security firm Sophos.
Attackers were able to successfully encrypt files in more than half of the attacks.
Of 422 retail IT professionals surveyed internationally, 77 per cent said their organisations were hit by ransomware attacks in 2021. This is a 75 per cent rise from 2020, the Sophos report noted.
“Retailers continue to suffer one of the highest rates of ransomware attacks of any industry. With more than three in four suffering an attack in 2021, it certainly brings a ransomware incident into the category of when, not if,” said Chester Wisniewski, principal research scientist at Sophos, in a statement accompanying the report.
Sophos defines "hit by ransomware" as one or more devices being impacted, but not necessarily encrypted. Ransomware criminals were able to encrypt files of target retailers in 68 per cent of the cases. Only 28 per cent of retail respondents said they were able to stop attacks before data could be encrypted.
“In Sophos’ experience, the organisations that are successfully defending against these attacks are not just using layered defences, they are augmenting security with humans trained to monitor for breaches and actively hunting down threats that bypass the perimeter before they can detonate into even bigger problems,” Wisniewski said.
A large portion of the industry needs to improve its security posture with the right tools and appropriately trained security experts to help manage their efforts, he said.
“With Initial Access Brokers (IABs) and ransomware-as-a-service (RaaS), it’s unfortunately easy for bottom-rung cybercriminals to buy network access and a ransomware kit to launch an attack without much effort. Individual retail stores and small chains are more likely to be targeted by these smaller opportunistic attackers,” Wisniewski said.
Of respondents reporting that their organisations were hit by ransomware, 92 per cent said the attack impacted their ability to operate, while 89 per cent said the attack caused their organisation to lose business/revenue. This indicates that the operational and commercial impact of ransomware on the retail sector was a little higher than in other sectors, the report noted.
Retailers lose data even after paying ransom
Only 62 per cent of retailers who paid a ransom to recover their data in 2021 were able to recover some of their data, a worse outcome than in 2020, when 67 per cent of such organisations were able to recover some of their data.
Getting back all encrypted data became even less common in 2021, with only five per cent of retailers able to restore all their data, down from nine per cent in 2020.
“The key takeaway here is that paying the ransom will only restore a part of your encrypted data and you cannot count on the ransom payment to get you all your data back,” according to the report.
The retail sector used multiple methods to recover its encrypted data, including backups and paying the ransom. Almost all retail organisations that were hit by ransomware and had data encrypted in the last year got some encrypted data back.
About 73 per cent of retail organisations used backups to recover data, a considerable increase from just 56 per cent of organisations in 2020.
The Sophos report revealed 49 per cent of respondents paid ransom to get the data back, compared to 32 per cent in 2020. Almost a third, or 32 per cent, reported using other means to restore their data.
“The percentage using backups, paying the ransom, and using other means clearly add up to more than 100 per cent, indicating that many retail organisations use multiple restoration methods in parallel. Overall, 46 per cent of retail victims used multiple methods to restore their data,” the report noted.
Ransom amounts rise considerably
The exact amount of ransom paid was reported by 88 respondents from the retail sector. The average ransom payment was US$226,044, up from the average of US$147,811 reported in 2020 by 36 retail respondents.
More than one-fifth, or 22 per cent, of the retail organisations paid ransoms of less than US$1,000, while more than two-thirds, or 70 per cent, paid a ransom amount of less than US$100,000. These low payments help keep the sector average down compared to many other industries, according to Sophos.
Only 29 per cent of retail respondents paid over US$100,000 in ransom and about 4 per cent paid over a million dollars, according to the report.
“It’s likely that different threat groups are hitting different industries. Some of the low-skill ransomware groups ask for US$50,000 to US$200,000 in ransom payments, whereas the larger, more sophisticated attackers with increased visibility demand US$1 million or more,” Wisniewski said.
Ransomware insurance gets difficult to acquire
For 93 per cent of those with cyber insurance in retail, the process for securing coverage changed over the last year. Due to the high rate of attacks and ransom payments, retailers feel it is more difficult to acquire insurance now, with 41 per cent saying fewer insurance providers are offering cyber insurance.
About 57 per cent of the respondents said the level of in-house cyber security required to qualify for cyber insurance is now higher, with 43 per cent saying policies are now more complex, 37 per cent saying the process takes longer, and 35 per cent saying it is more expensive. Nevertheless, 88 per cent of retail respondents reported that they have coverage.
As the cyber insurance market hardens and it becomes more challenging to secure coverage, 97 per cent of retail organisations that have cyber insurance have made changes to their cyber defence to improve their cyber insurance position.
Sixty-six per cent of those surveyed have implemented new technologies/services, 55 per cent have increased staff training/education activities, and 53 per cent have changed processes/behaviours, according to the research.
Insurance firms paid out for clean-up costs in 82 per cent of attacks on retail organisations, which is higher than the average of 77 per cent for all sectors.
However, retail respondents reported a below-average rate of ransom insurance payout, with insurers paying the ransom in 35 per cent of attacks compared with 40 per cent on average across all sectors.
“This suggests that the victims are often paying the ransoms out of their own funds,” the report noted.