Retail

 In 2021:

- 44% of retail organizations were hit by ransomware

- 54% of organizations hit by ransomware said the cybercriminals succeeded in encrypting their data

- 32% of those whose data was encrypted paid the ransom to get their data back

- The average ransom payment was $147,811

- However, those who paid the ransom got back just 67% of their data on average, leaving almost a third of the data inaccessible

- The average bill for recovering from a ransomware attack in the retail sector was $1.97 million

- 56% of those whose data was encrypted used backups to restore data

- 91% of retail organizations have a malware incident recovery plan

​

​

Looking at the prevalence of ransomware across all the sectors surveyed, retail, along with education, experienced the highest level of ransomware attacks: 44% of respondents in these sectors reported being hit compared to the global average of 37%.

Globally across all sectors, the percentage of organizations hit by ransomware in the last year has dropped considerably from last year, when 51% admitted being hit. This drop can be partly explained by the evolution of attackers behaviors. 

​

​

Of the 357 respondents across all sectors who reported that their organization paid the ransom, 282 also shared the exact amount paid, including 36 in the retail sector.

Globally across all sectors, the average ransom payment was $170,404. However, in retail, the average ran - som payment was almost $23,000 lower, coming in at $147,811.

​

​

The attack was first discovered after a sample of the ransomware was downloaded from a public malware analysis site.

This sample provided access to the BlackMatter ransom note, the ransomware negotiation page and a non-public data leak page containing screenshots of allegedly stolen data.

Indeed, it is important to show through this attack that when the BlackMatter ransomware first appeared, the attackers stated that they would not target critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).

From screenshots of the trading page shared on Twitter, the New Cooperative asked BlackMatter why they were attacked as they are considered critical infrastructure and the attack would lead to a disruption in the food supply for grain, pork and chicken.

BlackMatter responded that they did not «fall under the rules» and threatened to double the ransom if the New Cooperative did not change its approach to the negotiation